High Bandwidth Usage - DDoS Attack?

I'm having a really strange problem. Usually, my server bandwidth averages 300Kb/s. However, since 22:00 PM yesterday it has been at 2000Kb/s. The first thing I thought was that it could be a DDoS attack, so I verified the number of connections on port 80, and found nothing; it looked like the usual. After that, I blocked all the ports but 22 (for SSH access) and it was still the same. I did even stop all the network services, so that only the ssh and network daemons were running, but bwm-ng and cacti still reported those 2000Kb/s. Server load is as usual, and even the speed (it is on a 100Mbit link); however, this is really worrying me, because I can't find the problem. I did even try a restart, but as soon as the server came up it reported those 2000Kb/s. Also, these 2000Kb/s are in and out, approx. 50% each. What can be causing this? I believe that, if it was a DDoS attack, it must have stopped when I closed all the ports and stopped all the services.

"netstat -nap | grep SYN | wc -l" result is currently "1".

"netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n" is returning:

Code:
      1 200.153.48.2
      1 200.164.21.91
      1 200.186.94.218
      1 201.57.66.2
      1 201.6.247.209
      1 213.13.244.194
      1 66.154.103.115
      1 66.249.65.202
      1 66.35.211.137
      1 66.98.254.236
      1 72.30.103.33
      1 72.30.128.224
      1 82.155.217.18
      1 85.240.235.221
      1 85.241.1.250
      2 
      2 201.44.130.44
      2 207.46.98.69
      2 217.70.69.45
      2 82.102.29.41
     39 0.0.0.0
Thank You
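
Added example, not part of the original post: a per-peer tally like the pipeline above, but broken down by TCP state, with listening and wildcard sockets skipped rather than lumped under `0.0.0.0`, and with IPv6 peers kept intact (an address such as `:::*` yields an empty first field under `cut -d: -f1`). The function names and the sample netstat text are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-peer, per-state socket tally from `netstat -an` text.

# Reads netstat -an (or -anp) output on stdin and prints "COUNT PEER STATE",
# busiest first. Listening and wildcard sockets are skipped, not counted.
peer_summary() {
    awk '
        $1 !~ /^(tcp|udp)/ { next }             # headers, unix sockets
        {
            peer = $5
            sub(/:[^:]*$/, "", peer)            # drop port, keep IPv6 colons
            sub(/^::ffff:/, "", peer)           # fold IPv4-mapped IPv6 peers
            state = ($1 ~ /^tcp/) ? $6 : "UDP"  # UDP lines have no state
            if (state == "LISTEN") next
            if (peer == "0.0.0.0" || peer == "::" || peer == "*") next
            n[peer " " state]++
        }
        END { for (k in n) print n[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2,2
}

# Total sockets in one TCP state, e.g. SYN_RECV for half-open connections.
state_total() {
    peer_summary | awk -v s="$1" '$3 == s { t += $1 } END { print t + 0 }'
}

# Constructed sample input (documentation address ranges, not real hosts).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 :::80                   :::*                    LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51240      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.9:40112       SYN_RECV
tcp        0      0 192.0.2.10:22           203.0.113.9:40200       ESTABLISHED
tcp        0      0 ::ffff:192.0.2.10:80    ::ffff:198.51.100.7:51300 TIME_WAIT
udp        0      0 0.0.0.0:68              0.0.0.0:*
EOF
}

# Demo on the sample; on a live host use: netstat -an | peer_summary
sample_netstat | peer_summary
```

A tally that stays flat while the interface counters keep climbing means the traffic never becomes a socket, which netstat cannot show.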
