UDP flood from my machine, or false positive?
You got the report from your hosting provider. They would be able to tell whether the traffic originated from your server or if it was spoofed. So if your hosting provider is competent, then the report is most likely correct.
If I were in your shoes, there are two things I would do. I would ask the hosting provider if they can send a packet capture of some samples of the flood traffic. After inspecting the packet trace one will be in a much better position to judge the correctness of the report. Additionally I would log in on the server and run ifconfig to see how much traffic has been sent by the machine since it was last rebooted. (Notice that if it is a 32-bit system, the counter wraps around at 4GB and thus is not guaranteed to be accurate.)
If your host did send a flood of UDP packets, there are different ways it could have happened. But the most likely explanation is some sort of compromise. Compromising the root account is not required to start a flood of UDP packets; compromising any single account would do. You can check whether a socket is still bound to the source port of the flood traffic. If you are lucky you might find the program originating the traffic that way. I have on a few occasions seen a legitimate program accidentally produce a flood of packets without any compromise having happened. If you have any internally developed software communicating over UDP, this may be what happened to you.
Should it turn out that the provider doesn't have a packet trace to show you, and the byte count on the network interface doesn't indicate a lot of data has been sent, and you can find no evidence of a compromise of the system, then it may be that the provider has simply forwarded a false report they received without performing their own investigation.
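The two local checks described in the answer (interface transmit counter, and which process holds the UDP source port), as an added POSIX shell example that is not part of the original answer. It assumes a Linux host where /proc/net/dev carries the same counters ifconfig shows and ss from iproute2 is installed; the sample /proc/net/dev and ss -unap texts are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original answer. Two checks the answer
# suggests, as shell functions: the interface transmit counter (the same
# numbers ifconfig prints, read here from /proc/net/dev) and the process
# holding a UDP socket on a given local port (via ss -unap from iproute2).
# Both sample texts below are constructed so the script runs offline.

SAMPLE_NET_DEV='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  123456    1200    0    0    0     0          0         0   123456    1200    0    0    0     0       0          0
  eth0: 987654321 1500000    0    0    0     0          0         0 52340000000 60000000    0    0    0     0       0          0'

SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      0.0.0.0:68         0.0.0.0:*         users:(("dhclient",pid=612,fd=6))
UNCONN 0      0      0.0.0.0:53211      0.0.0.0:*         users:(("metricsd",pid=2377,fd=3))
UNCONN 0      0      127.0.0.1:323      0.0.0.0:*         users:(("chronyd",pid=540,fd=5))'

# tx_bytes IFACE [TEXT]: bytes transmitted by IFACE since boot.
# Reads the live /proc/net/dev unless TEXT is supplied.
tx_bytes() {
    text=${2:-$(cat /proc/net/dev)}
    # Once "iface:" is split into two words, column 10 is the TX byte counter.
    printf '%s\n' "$text" | sed 's/:/ /' | awk -v ifc="$1" '$1 == ifc { print $10 }'
}

# tx_gib BYTES: whole GiB, for comparison with the volume the abuse report claims.
# On a 32-bit kernel this counter wraps at 4 GiB, so a small value proves little.
tx_gib() {
    echo "$1" | awk '{ printf "%d\n", $1 / 1073741824 }'
}

# port_owner PORT [TEXT]: PID of the process bound to UDP port PORT, empty if
# nothing is bound there. Runs ss -unap unless TEXT is supplied.
port_owner() {
    text=${2:-$(ss -unap)}
    printf '%s\n' "$text" | awk -v p="$1" '$4 ~ (":" p "$") { print $NF }' \
        | sed -n 's/.*pid=\([0-9]*\).*/\1/p'
}

# Demo on the constructed samples
bytes=$(tx_bytes eth0 "$SAMPLE_NET_DEV")
echo "eth0 sent $bytes bytes ($(tx_gib "$bytes") GiB) since boot"
pid=$(port_owner 53211 "$SAMPLE_SS")
if [ -n "$pid" ]; then
    echo "UDP port 53211 is held by PID $pid; inspect with: ps -p $pid -o pid,user,lstart,cmd"
else
    echo "Nothing is currently bound to UDP port 53211"
fi
```

On a live host, call tx_bytes and port_owner without the second argument and substitute the interface name and the source port quoted in the provider's report.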