Continuous high bandwidth, what causes it and how to stop this?
I have an AWS server that was running fine for years. The server is sponsored, so I don't have access to anyone else at AWS.
Since today, ksoftirqd/1 and ksoftirqd/0 are using high CPU, and it has 12 GB per hour bandwidth in and out, which led me to install nethogs:
NetHogs version 0.8.5-2
PID USER PROGRAM DEV SENT RECEIVED
? root 172.31.serverIP:443-174.73.15.53:58592 1992.489 2359.154 KB/sec
I tried
iptables -I INPUT -s 186.182.3.58 -j DROP
With no result.
nethogs -t shows a different ip:
Refreshing:
172.31.serverIP:443-175.143.87.73:21933/0/0 2479.22 2531.82
DROP didn't work on that one either.
I'm kinda lost here
Comments
If it's port 443, do you have a web server running with HTTPS? What about checking the web server logs?
Apache2 logs look normal, and if I turn Apache off, the data continues.
I got a list of IPs connecting to many ports with:
netstat -tupn
If I DROP those most frequent IPs, NetHogs continues to RECEIVE data but SENT drops significantly. My own ssh connection to the server hangs often too, so I'm starting to think it's my very first DDOS.
I've now dropped about 200 IPs.
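The ranking step described in the post above (finding the most frequent remote IPs in `netstat -tupn` output) can be scripted; this is an added example, not part of the original thread, and the function names and the sample connection table (documentation address ranges) are constructed for illustration.

```shell
#!/bin/sh
# Added example: rank remote addresses by connection count from
# `netstat -tupn` output read on stdin.
# On a live host: netstat -tupn | top_remote_ips 443

# Constructed sample of `netstat -tupn` output (documentation address ranges).
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 172.31.0.10:443         203.0.113.7:58592       ESTABLISHED 812/apache2
tcp        0      0 172.31.0.10:443         203.0.113.7:58593       ESTABLISHED 812/apache2
tcp        0      0 172.31.0.10:443         203.0.113.7:21933       SYN_RECV    -
tcp        0      0 172.31.0.10:443         198.51.100.23:40112     SYN_RECV    -
tcp        0      0 172.31.0.10:443         198.51.100.23:40113     SYN_RECV    -
tcp        0     36 172.31.0.10:22          192.0.2.50:51514        ESTABLISHED 1044/sshd
tcp6       0      0 2001:db8::10:443        2001:db8::bad:50000     ESTABLISHED 812/apache2
udp        0      0 172.31.0.10:68          172.31.0.1:67           ESTABLISHED 402/systemd-network
EOF
}

# Print "count address" per remote address, most frequent first.
# $1 = optional local port to restrict to (e.g. 443); empty means all ports.
top_remote_ips() {
    awk -v port="$1" '
        $1 ~ /^(tcp|udp)/ {
            local_addr = $4; remote = $5
            # The port is everything after the last colon (works for IPv6 too).
            lport = local_addr; sub(/^.*:/, "", lport)
            if (port != "" && lport != port) next
            sub(/:[^:]*$/, "", remote)   # strip the remote port
            count[remote]++
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Demo on the constructed sample: connections to local port 443 only.
sample_netstat | top_remote_ips 443
```

Dropping the top sources with iptables stops the server's replies to them, but their packets still reach the interface, which is consistent with RECEIVED staying high in the thread.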
Delete the public IPv4:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-public-addresses
Enable Cloudfront:
https://aws.amazon.com/cloudfront/getting-started/EC2/
No more DDoS.
I'm new to this: won't it mess up, for instance, my domain name, which points to the IP?
Change nameserver to Amazon Route 53.
Thank you @yoursunny , we've implemented your suggestions and the server is accessible again!