0

Today we recorded extremely high incoming traffic (1 Gbps) on our Debian Webserver (green chart). On an average day it's at a maximum of about 20-30 Mbps. Firewall as well as fail2ban are configured correctly and should be working fine. (Blue chart means outgoing traffic, green chart means incoming traffic.) We checked our log files and compared them to those of past days and we could not find any abnormalities. The high incoming traffic leads to a CPU usage of 100 percent and our web application won't work anymore.

What could be the reasons for such a high incoming traffic? If it was a DDoS attack, why hasn't there been any suspicious traffic / IPs in the log files?

arety_
  • 103
  • 2
  • 1
    If your server is compromised in some way most of that traffic won’t show up in your log files as it most likely won’t be generated by your known services. The same can happen for some misconfigurations as well (an open proxy can allow significant transfers for example with very few logged requests ) - maybe check the traffic counters in your firewall with `iptables -L -v -n` – Bob Jan 14 '21 at 19:10
  • 1
    Get a sample with tcpdump and look through it. – Michael Hampton Jan 15 '21 at 01:00
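The two comments above amount to one diagnostic step: capture a sample of the traffic at the network layer and summarize it by source, protocol and port, because traffic that never reaches the web server process (UDP floods, SYN floods, packets to closed ports) leaves nothing in Apache/nginx or fail2ban logs. The following script is an added example, not code from the question or its commenters; it parses the plain-text output of `tcpdump -nn` and reports where the inbound bytes are actually going. The capture lines and the server address `198.51.100.10` are constructed for the example, and `SERVER_IP` and `WEB_PORTS` are assumptions you would replace with your own values.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -nn -i eth0 -l` text output. These are not real
# packets; all addresses are from the RFC 5737 documentation ranges.
SAMPLE_CAPTURE = """\
19:10:01.000001 IP 203.0.113.5.51234 > 198.51.100.10.80: Flags [P.], seq 1:80, ack 1, win 502, length 79
19:10:01.000002 IP 198.51.100.10.80 > 203.0.113.5.51234: Flags [P.], seq 1:1201, ack 80, win 509, length 1200
19:10:01.000003 IP 192.0.2.77.53 > 198.51.100.10.40001: UDP, length 1400
19:10:01.000004 IP 192.0.2.78.53 > 198.51.100.10.40002: UDP, length 1400
19:10:01.000005 IP 192.0.2.79.123 > 198.51.100.10.40003: UDP, length 1400
19:10:01.000006 IP 192.0.2.77.53 > 198.51.100.10.40004: UDP, length 1400
19:10:01.000007 IP 203.0.113.9.44444 > 198.51.100.10.443: Flags [S], seq 0, win 64240, length 0
"""

SERVER_IP = "198.51.100.10"   # assumed address of the web server in the sample
WEB_PORTS = {80, 443}         # assumed: the only ports the web application listens on

# Matches the generic IPv4 TCP/UDP line shape. Lines tcpdump decodes further
# (e.g. DNS answers shown as "1234 NXDomain ...") print no "length" and are skipped.
PACKET_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*?)length (?P<plen>\d+)"
)


def parse_packet(line):
    """Return one parsed packet as a dict, or None for lines that do not match."""
    m = PACKET_RE.match(line)
    if not m:
        return None
    return {
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "proto": "UDP" if m.group("rest").startswith("UDP") else "TCP",
        "bytes": int(m.group("plen")),  # tcpdump's "length" is the payload size
    }


def summarize_inbound(capture_text, server_ip=SERVER_IP):
    """Aggregate inbound payload bytes by source, destination port and source port."""
    by_src, by_dport, by_sport = Counter(), Counter(), Counter()
    total = web = 0
    for line in capture_text.splitlines():
        pkt = parse_packet(line)
        if pkt is None or pkt["dst"] != server_ip:
            continue  # only traffic arriving at the server counts as inbound
        total += pkt["bytes"]
        by_src[pkt["src"]] += pkt["bytes"]
        by_dport[(pkt["proto"], pkt["dport"])] += pkt["bytes"]
        by_sport[(pkt["proto"], pkt["sport"])] += pkt["bytes"]
        if pkt["proto"] == "TCP" and pkt["dport"] in WEB_PORTS:
            web += pkt["bytes"]  # the only bytes the web server could have logged
    return {
        "inbound_bytes": total,
        "web_bytes": web,
        "non_web_share": (total - web) / total if total else 0.0,
        "top_sources": by_src.most_common(3),
        "top_dst_ports": by_dport.most_common(3),
        "top_src_ports": by_sport.most_common(3),
    }


if __name__ == "__main__":
    report = summarize_inbound(SAMPLE_CAPTURE)
    print(f"inbound payload bytes: {report['inbound_bytes']}")
    print(f"bytes to web ports:    {report['web_bytes']} "
          f"({report['non_web_share']:.0%} of inbound never reached the web app)")
    print("top sources:      ", report["top_sources"])
    print("top dst ports:    ", report["top_dst_ports"])
    print("top src ports:    ", report["top_src_ports"])
```

On the constructed sample almost all inbound bytes are UDP to random high ports from source ports 53 and 123, so the web server logs correctly show nothing unusual while the kernel still has to receive and drop every packet; that is the signature to look for in a real capture (`tcpdump -nn -i eth0 -c 20000 -w sample.pcap`, then `tcpdump -nn -r sample.pcap | python3 script.py`, with the script reading stdin instead of `SAMPLE_CAPTURE`). Cross-check the totals against the per-rule byte counters from `iptables -L -v -n`, which the first comment suggests, to confirm which rule is matching the bulk of it.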
