tcptrack shows SYN_SENT connections, does that mean the SYN package reached the server?
It means the SYN was sent by the client and either didn't reach the server, the server didn't reply to it, or the server opted to reply to it without keeping track of it. The server does not need to keep track of every SYN reply it sends (and can use SYN cookies) because they may be spoofed and doing so creates a risk of denial of service attacks.
When I'm getting 'unwanted' traffic, as in traffic that has been specifically blocked by IPTABLES rules (as in being DROPped), the tcptrack shows the incoming IP address along with the SYN_SENT status (along with time of connection and data rate of 0b/sec). That listing stays there for a few seconds until it clears.
So - it's possible that the connections you're seeing are blocked for some reason. The IP addresses that come up with SYN_SENT could be locked out due to IPTABLES DROPs. You could disable IPTABLES for a bit and see if it continues. If so, make sure that the addresses being blocked are supposed to be.