One person's legit is another's bogus. It's always been that way. Other than routing, the use of the internet is partly chaos and it's not changing any time soon. "Packets found on an internet", they exist, therefore they are, deal with it. So let's forget about this port number legitimacy thing.
Further, some of us are real world network operators. We routinely sniff and record traffic as part of our jobs. In fact, if we did not, we would be very ineffective in our positions. Sniff if you want, don't if you don't. So we can also throw this argument out the window as to each their own. What we really want to know as network operators is what exactly IS going on in this case. And a simple count of SYN's is not enough for some operators to make a decision regarding their rulesets. Because for all they know, that traffic may indeed be diplomatic communications with the Borg that are keeping our planet from being assimilated. And well, unless you're Borg, or wish to become one, that's pretty legitimate :) Sniff that thing out, bring the full stats, write a whitepaper. Operators will look at it and make their own choices. Storing/grokking a days worth of tcp/43 sessions to find what percent of them have whois strings should be easy. As should tallying up the top ten whois queries and a distribution curve. That could help determine if it's some clients gone haywire or normal. Though somewhat like a ping someone left running, over Tor you'd just have to wait it out. Classifying and counting the non whois sessions would be harder but definitely interesting. If I was running an exit I would have already done and posted this for you all, but I'm not at the moment, so I can't. I yield the podium to my esteemed and valued peers on this list :)
