March 1st, 2004, 06:27 PM
#7
Member
The SYN packets are only coming against TCP 4984-4987, in a seemingly random order (doesn't start and cycle one way). Perhaps this could mean there was more than one host sending the packets? (Well, that's a shot-in-the-dark assumption to make.)
I could see someone DOS a host to grab a machine... the larger your BOT network, the more powerful your DDoS attacks would be - or, as Tedob1 said, it would be a great use for a spammer.
I failed to mention, but the only traffic that actually broke through (and only twice in those two hours) were single ping ECHO requests from a particular host (Snort tagged them as being from the CyberKit suite). From a recon perspective, this could be the actual attacker checking to see if the machine is still online, as a DOS attack with forged SYN packets would send my honeypot's responses into space... I'm going to check into this more this evening.
l00p