Is it normal for inbound traffic to far exceed outbound traffic?
Solution 1:
Yes for some protocols. No for others. The answer is it depends on what kind of traffic is "normal" for your environment.
Think about web browsing (and let's just agree for a moment that it's representative of normal internet traffic for say an office):
I want to look at this question, so I connect to serverfault.com and go
GET /questions/361329 HTTP/1.1
host: serverfault.com
Total size of my outbound traffic (request): Maybe 1K if we include all the protocol overhead and additional requests my browser will make for images and such.
The serverfault.com server chews on my request and returns several hundred KB of HTML, images, etc.
Outbound traffic: 1k. Inbound traffic: 19k (as of that colon).
If you're the server half of that equation it's normal for your outbound traffic to far exceed your inbound traffic. Take a look at this graph from an anonymous ISP's web hosting network:
Now if your traffic does not look the way you think it should, a good traffic monitoring system (or a few minutes with tcpdump/ethereal/etc.) may give you an idea of what's going on, or at least who is talking to who on what ports.
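One way to turn "a few minutes with tcpdump" into a per-peer, per-port view of inbound versus outbound bytes. This is an added example, not part of the answer above. It assumes IPv4 TCP lines as printed by `tcpdump -nn -q -t`; the function names, the sample capture and the 10:1 threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches quick-mode tcpdump lines such as:
#   IP 203.0.113.7.51514 > 192.0.2.10.80: tcp 1448
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): tcp (?P<len>\d+)"
)

def tally(lines, local_ip):
    """Return {(peer_ip, local_port): [bytes_in, bytes_out]} as seen from local_ip."""
    totals = defaultdict(lambda: [0, 0])
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # ARP, ICMP, UDP, IPv6 and anything else is skipped
        size = int(m["len"])  # TCP payload bytes, headers excluded
        if m["dst"] == local_ip:
            totals[(m["src"], int(m["dport"]))][0] += size
        elif m["src"] == local_ip:
            totals[(m["dst"], int(m["sport"]))][1] += size
    return dict(totals)

def inbound_heavy(totals, ratio=10.0):
    """Flows whose inbound bytes are at least `ratio` times outbound, largest first."""
    hits = [(k, v) for k, v in totals.items() if v[0] >= ratio * max(v[1], 1)]
    return sorted(hits, key=lambda kv: kv[1][0], reverse=True)

# Constructed sample capture using documentation addresses, not real traffic.
SAMPLE = """\
IP 203.0.113.7.51514 > 192.0.2.10.80: tcp 420
IP 192.0.2.10.80 > 203.0.113.7.51514: tcp 1448
IP 192.0.2.10.80 > 203.0.113.7.51514: tcp 1448
IP 198.51.100.23.40022 > 192.0.2.10.80: tcp 1448
IP 198.51.100.23.40022 > 192.0.2.10.80: tcp 1448
IP 198.51.100.23.40022 > 192.0.2.10.80: tcp 1448
IP 192.0.2.10.80 > 198.51.100.23.40022: tcp 212
ARP, Request who-has 192.0.2.1 tell 192.0.2.10, length 28
""".splitlines()

if __name__ == "__main__":
    for (peer, port), (rx, tx) in inbound_heavy(tally(SAMPLE, "192.0.2.10")):
        print(f"{peer} -> local port {port}: in={rx} out={tx}")
```

In the sample, the first client looks like ordinary browsing (small request, larger response), while the second sends far more to port 80 than it receives, which is the pattern worth checking against the access log.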
Solution 2:
Random thoughts:
I have an nginx server that proxies to application servers behind it. If you have a similar setup, is the response payload from the app servers that goes through your webserver considered "inbound"?
Can you check your webserver log to see if there are any POST requests coming in?
Do any URLs on your site accept POST data? Webservers have a way to limit the body size; maybe that'll lead to some resolution. For example, this will limit POST body size to 1 meg in nginx:
client_max_body_size 1m;
Finally, if the server shouldn't be getting anything but web (and SSH) traffic, use iptables to block everything but 80 and 22.