What's the probable cause for extremely low inbound traffic and high outbound traffic?

Solution 1:

One likely possibility is an amplification attack. If you are running an open recursive DNS resolver (there are other protocols you can do this with though), for example, you can receive a very small UDP packet that has a spoofed IP address. Your server then generates a large response and sends it to the victim, thinking that it's a legitimate request.

Another possibility is that someone was exfiltrating data off your network. If someone got into your server and was offloading every byte they could find, it would look like that as well.

There's no way to know which one it was without doing an investigation, and hoping that whatever did happen left evidence. If it's the latter (exfiltration) then they probably cleared their tracks as best they could.
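A first-pass triage for the two cases in Solution 1, as an added example that is not part of the original answer: it totals bytes per remote peer and labels UDP reflection patterns separately from large one-way TCP transfers. The record layout, thresholds, port set and sample flows are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample flow records (documentation IP ranges, not real data):
# (proto, local_port, remote_ip, remote_port, bytes_in, bytes_out)
SAMPLE_FLOWS = [
    ("udp", 53, "198.51.100.7", 41022, 64, 3100),
    ("udp", 53, "198.51.100.7", 5310, 64, 3050),
    ("udp", 53, "198.51.100.7", 60111, 66, 3200),
    ("tcp", 51544, "203.0.113.20", 443, 9_000, 840_000_000),
    ("tcp", 443, "192.0.2.15", 50122, 1_200, 48_000),
    ("tcp", 22, "192.0.2.44", 50900, 5_000, 7_000),
]

# UDP services commonly abused as reflectors: DNS, NTP, SSDP, memcached.
REFLECTOR_PORTS = {53, 123, 1900, 11211}


def triage(flows, ratio_min=10.0, bulk_bytes=100_000_000):
    """Label peers whose traffic is heavily outbound (thresholds are assumed)."""
    totals = defaultdict(lambda: {"in": 0, "out": 0, "lports": set()})
    for proto, lport, rip, _rport, b_in, b_out in flows:
        t = totals[(proto, rip)]
        t["in"] += b_in
        t["out"] += b_out
        t["lports"].add(lport)

    findings = []
    for (proto, rip), t in totals.items():
        ratio = t["out"] / max(t["in"], 1)  # avoid division by zero
        if ratio < ratio_min:
            continue
        if proto == "udp" and t["lports"] & REFLECTOR_PORTS:
            # Small requests, large replies from a reflector-prone service:
            # the "remote" address is likely the spoofed victim.
            label = "possible-reflection"
        elif proto == "tcp" and t["out"] >= bulk_bytes:
            # Large one-way transfer to a single peer: review for exfiltration.
            label = "possible-bulk-outbound"
        else:
            continue
        findings.append({"remote": rip, "label": label,
                         "bytes_out": t["out"], "ratio": round(ratio, 1)})
    return sorted(findings, key=lambda f: f["bytes_out"], reverse=True)


if __name__ == "__main__":
    for finding in triage(SAMPLE_FLOWS):
        print(finding)
```

A label here only says which peers to look at first; a legitimate backup or download can trip the bulk rule, so confirm against service logs and what is actually listening on the host.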

Solution 2:

I agree with the possibility of an amplification attack. The simplest way to handle this is to use DigitalOcean's free cloud firewall.

Only allow SSH, HTTP, and HTTPS inbound. If possible, only allow SSH from your trusted IPs.

You can do this using the firewall on your VM; DO's solution is just easier.