On one of our systems we see many requests that take 75 seconds. Under low traffic responses are ca 0.3 seconds.
What I am wondering is if someone is trying to keep connections open in order to drain the connection pool. But then closing it before a in timeout in order to avoid detection.
Our servers are behind load balancers.
Or does anyone know if 75 seconds is the default value for something?
You could start by looking at performance counters in Windows, using the Windows Performance Monitor.
It includes a counter TCPv4\Connections Established ("Connections Established is the number of TCP connections for which the current state is either ESTABLISHED or CLOSE-WAIT.") that might be helpful.
You could compare that with the other systems, and monitor that over time. There are other counters as well that might be of interest.
Finally, you could use Wireshark or Network Monitor (both free) to monitor incoming packets. Both apps support applying filters.
