I have an up-to-date Debian/nginx web server running at home, behind a router with TCP ports 80/443 forwarded. Over the past few weeks, I've observed (via the activity lights on the router) lots of unexpected network activity to the server. None of this shows up in logs. Curious, I used Wireshark to spy on the traffic and discovered the following pattern:
A random IP (usually from a VPN provider) sends a few TCP SYN packets each second, my server responds with many SYN-ACKs, no ACK is ever received from the sender, and eventually, after a few seconds, the server sends TCP retransmission packets to the sender.
I did some research and discovered TCP SYN flood attacks. While my situation partly resembles such an attack, other Wireshark screenshots I've found online typically have a LOT more incoming SYN packets (upwards of 10, 100 or even 1000 per second). In my case, it's a lot slower and more "chatty" with the SYN-ACKs and retransmissions.
So I'm left wondering... what the hell? Am I correct in understanding that this is likely just random bots/scripts scanning my server, and nothing to be alarmed by? Why would they be running these half-assed DoS attacks against me, as they're clearly ineffective at denying service?
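The pattern described in the post (client SYN, server SYN-ACK, no third-step ACK, SYN-ACK retransmitted until the half-open entry times out) can be measured rather than eyeballed. The script below is an added example, not code from the post or any commenter: it groups packet summaries into per-flow handshake stages, counts half-open attempts and SYN-ACK retransmits per source IP, estimates the SYN rate, and computes how many SYN_RECV entries the server would be holding at once. The capture lines, the server address 192.0.2.10, the source addresses, the 100 SYN/s flood threshold and the 63 s hold time (Linux default of 5 SYN-ACK retransmits at 1, 2, 4, 8, 16, 32 s) are all constructed or assumed here; on a real box you would export comparable lines from the pcap with `tshark -T fields` and map the flag bits to the S/A letters used below.

```python
"""Classify half-open TCP connection attempts seen in a packet capture.

Added example, not from the original post. Input lines are constructed
here in a tshark-like "fields" shape (time, src, dst, sport, dport, flag
letters) so the script runs offline.
"""

SERVER_IP = "192.0.2.10"   # assumption: the home web server (TEST-NET-1 address)
FLOOD_SYN_RATE = 100.0     # assumption: SYN/s per source above which we call it a flood
SYN_RECV_HOLD = 63.0       # Linux default: 5 SYN-ACK retransmits, 1+2+4+8+16+32 s

# Constructed packet summaries: time_s,src,dst,sport,dport,flags
# 203.0.113.5 sends two SYNs, gets each SYN-ACK retransmitted twice, never ACKs.
# 198.51.100.7 completes a normal three-way handshake.
SAMPLE_CAPTURE = """\
0.00,203.0.113.5,192.0.2.10,40001,443,S
0.00,192.0.2.10,203.0.113.5,443,40001,SA
0.40,203.0.113.5,192.0.2.10,40002,443,S
0.40,192.0.2.10,203.0.113.5,443,40002,SA
1.00,192.0.2.10,203.0.113.5,443,40001,SA
1.40,192.0.2.10,203.0.113.5,443,40002,SA
3.00,192.0.2.10,203.0.113.5,443,40001,SA
3.40,192.0.2.10,203.0.113.5,443,40002,SA
5.00,198.51.100.7,192.0.2.10,51000,80,S
5.00,192.0.2.10,198.51.100.7,80,51000,SA
5.05,198.51.100.7,192.0.2.10,51000,80,A
"""


def parse_flows(capture_text, server_ip=SERVER_IP):
    """Group packets into client->server flows and count handshake stages."""
    flows = {}  # (client_ip, client_port, server_port) -> stage counters
    for line in capture_text.splitlines():
        if not line.strip():
            continue
        t, src, dst, sport, dport, flags = line.split(",")
        t, sport, dport = float(t), int(sport), int(dport)
        syn, ack = "S" in flags, "A" in flags
        if dst == server_ip and syn and not ack:        # client SYN
            f = flows.setdefault((src, sport, dport),
                                 {"syn": 0, "synack": 0, "ack": False,
                                  "first_syn": t, "last_syn": t})
            f["syn"] += 1
            f["last_syn"] = t
        elif src == server_ip and syn and ack:          # our SYN-ACK; repeats are retransmits
            f = flows.get((dst, dport, sport))
            if f:
                f["synack"] += 1
        elif dst == server_ip and ack and not syn:      # client's third-step ACK
            f = flows.get((src, sport, dport))
            if f:
                f["ack"] = True
    return flows


def summarize(flows, flood_rate=FLOOD_SYN_RATE):
    """Per source IP: attempts, how many never completed, SYN rate and a verdict."""
    clients = {}
    for (ip, _, _), f in flows.items():
        c = clients.setdefault(ip, {"attempts": 0, "half_open": 0, "completed": 0,
                                    "synack_retransmits": 0,
                                    "first": f["first_syn"], "last": f["last_syn"]})
        c["attempts"] += 1
        c["completed" if f["ack"] else "half_open"] += 1
        c["synack_retransmits"] += max(0, f["synack"] - 1)
        c["first"] = min(c["first"], f["first_syn"])
        c["last"] = max(c["last"], f["last_syn"])
    for c in clients.values():
        # SYNs per second over the window in which this source sent SYNs (min 1 s)
        c["syn_rate"] = c["attempts"] / max(c["last"] - c["first"], 1.0)
        if c["half_open"] == 0:
            c["verdict"] = "normal"
        elif c["completed"] == 0 and c["syn_rate"] >= flood_rate:
            c["verdict"] = "syn-flood pattern"
        elif c["completed"] == 0:
            c["verdict"] = "low-rate half-open probe"
        else:
            c["verdict"] = "mixed"
    return clients


def peak_half_open(flows, hold=SYN_RECV_HOLD):
    """Most SYN_RECV entries held at once; compare this with the listen backlog."""
    events = []
    for f in flows.values():
        if f["ack"]:
            continue  # completed handshakes leave the SYN queue immediately
        events.append((f["first_syn"], 1))
        events.append((f["first_syn"] + hold, -1))
    events.sort()
    current = peak = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_CAPTURE)
    for ip, c in summarize(flows).items():
        print(f"{ip}: {c['attempts']} attempts, {c['half_open']} half-open, "
              f"{c['synack_retransmits']} SYN-ACK retransmits, "
              f"{c['syn_rate']:.1f} SYN/s -> {c['verdict']}")
    print("peak SYN_RECV entries:", peak_half_open(flows))
```

The number that matters for "is this denying service" is the peak SYN_RECV occupancy compared with the listen backlog: a couple of half-open entries per second, each held for about a minute, tops out in the tens, while nginx's default listen backlog on Linux is 511, and Debian kernels have `net.ipv4.tcp_syncookies=1` so an overflowing queue still completes handshakes. On the server itself, `ss -tan state syn-recv` lists the live half-open entries and `sysctl net.ipv4.tcp_syncookies net.ipv4.tcp_synack_retries` shows the two settings the estimate above assumes.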
Posted to r/AskNetsec (reddit.com/r/AskNetsec/c...), 5 months ago.