Why do I see established connections with my LAN IP and source port = 80 (or 443)?
# PR.. SRC-ADDRESS DST-ADDRESS TCP-STATE TIMEOUT ORIG-RATE REPL-RATE ORIG-PACKETS REPL-PACKETS ORIG-BYTES
0 C tcp 218.253.193.69:80 61.238.149.108:63594 established 22h16m50s 0bps 0bps 1 0 40
1 C tcp 218.253.193.69:80 61.238.149.108:63655 established 22h44m9s 0bps 0bps 1 0 40
2 C tcp 218.253.193.69:993 61.238.149.108:54542 established 22h46m36s 0bps 0bps 2 0 380
3 C tcp 218.253.193.69:993 61.238.149.108:55673 established 22h38m38s 0bps 0bps 2 0 380
My understanding is that port 80 (and 993 for IMAP) are service ports, so they should be in the DST-ADDRESS. I see thousands (over 20000) of these connections. I believe this is some kind of attack. I use SYN cookies, and things are a bit better. How should I protect the router? Is having a filter rule to block source port = 80 a solution?
In a three-stage TCP handshake, what will be the source and destination addresses in the connection? Say A sends a SYN to B to request a connection. When B responds, what are the connection's src and dst addresses: the same A to B, or B to A? I believe the SYN-ACK packet's src is B and dst is A, but what about the connection and connection state in the router?
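To put a number on the pattern described in the post, the following added example (not part of the original post) parses connection-table rows in the pasted column layout and tallies entries whose SRC-ADDRESS port is a service port and whose REPL-PACKETS count is 0. The port set, the function names and the extra "ordinary client" row are assumptions made for the example.

```python
import re
from collections import Counter

# Ports treated as service ports; this set is an assumption for the example.
SERVICE_PORTS = {80, 443, 993}

# Rows copied from the table in the post.
POSTED_ROWS = """\
0 C tcp 218.253.193.69:80 61.238.149.108:63594 established 22h16m50s 0bps 0bps 1 0 40
1 C tcp 218.253.193.69:80 61.238.149.108:63655 established 22h44m9s 0bps 0bps 1 0 40
2 C tcp 218.253.193.69:993 61.238.149.108:54542 established 22h46m36s 0bps 0bps 2 0 380
3 C tcp 218.253.193.69:993 61.238.149.108:55673 established 22h38m38s 0bps 0bps 2 0 380
"""

# Constructed row (documentation addresses): an ordinary client connection.
CONSTRUCTED_ROW = (
    "4 C tcp 192.0.2.10:51000 198.51.100.5:443 established 23h1m2s 1kbps 2kbps 10 12 900\n"
)

# Columns: index, optional flags, protocol, src, dst, state, timeout,
# two rate columns, then ORIG-PACKETS, REPL-PACKETS, ORIG-BYTES.
ROW = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<flags>[A-Za-z]*)\s*(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<state>\S+)\s+(?P<timeout>\S+)\s+\S+\s+\S+\s+"
    r"(?P<orig_pkts>\d+)\s+(?P<repl_pkts>\d+)\s+(?P<orig_bytes>\d+)"
)

def parse(text):
    """Return one dict per table row; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            d = m.groupdict()
            for key in ("sport", "dport", "orig_pkts", "repl_pkts", "orig_bytes"):
                d[key] = int(d[key])
            rows.append(d)
    return rows

def service_port_originators(rows):
    """Rows whose source port is a service port and that have no reply packets."""
    return [r for r in rows if r["sport"] in SERVICE_PORTS and r["repl_pkts"] == 0]

def summarize(rows):
    """Count matching rows per (source address, source port)."""
    return Counter((r["src"], r["sport"]) for r in service_port_originators(rows))

if __name__ == "__main__":
    for (addr, port), n in summarize(parse(POSTED_ROWS + CONSTRUCTED_ROW)).items():
        print(f"{addr}:{port} -> {n} entries with no reply packets")
```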