What's the probable cause for extremely low inbound traffic and high outbound traffic?

One likely possibility is an amplification attack. If you are running an open recursive DNS resolver (there are other protocols you can do this with though), for example, you can receive a very small UDP packet that has a spoofed IP address. Your server then generates a large response and sends it to the victim, thinking that it's a legitimate request.

Another possibility is that someone was exfiltrating data off your network. If someone got into your server and was offloading every byte they could find, it would look like that as well.

There's no way to know which one it was without doing an investigation, and hoping that whatever did happen left evidence. If it's the latter (exfiltration) then they probably cleared their tracks as best they could.


I agree with the possibility of an amplification attack. The simplest way to handle this is to use DigitalOcean's free cloud firewall.

Only allow SSH, HTTP, and HTTPS inbound. If possible, only allow SSH from your trusted IPs.

You can do this using the firewall on your VM; DO's solution is just easier.


You should ask Digital Ocean. They don't shut off servers just for high outbound traffic: that would shut down most servers. For example, a webserver hosting something popular.

Rather, they shut down your server because the nature of your traffic looked malicious. As such, they probably have some idea what it was.

Otherwise you'll have to investigate yourself. Perhaps if the host is still running it's still attempting to send traffic which is being dropped by Digital Ocean. In that case you'd be able to observe it with a packet dump. Or you may be able to find clues in the system logs. It could be any of a million things unfortunately, so speculating on the underlying cause absent such an investigation is futile.
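As an added illustration of the two explanations raised in this thread (the amplification mechanism in the first answer and the packet-dump investigation suggested in the last one), not code from any poster: the script below takes constructed flow summaries of the kind a packet dump would give and separates the amplification signature (a UDP service port answering many peers with far more bytes than it receives) from the exfiltration signature (one remote host sinking a huge outbound volume). The record fields, thresholds and sample addresses are assumptions.

```python
from collections import defaultdict

# Constructed flow summaries of the kind a packet dump or flow export would
# give: direction relative to our server, protocol, remote IP, local port,
# bytes. Addresses are from RFC 5737 documentation ranges, not real hosts.
SAMPLE_FLOWS = [
    # Open-resolver amplification: ~64-byte queries "from" many (spoofed)
    # sources, ~3 KB answers sent back to each of them.
    {"dir": "in",  "proto": "udp", "remote": "203.0.113.10", "lport": 53, "bytes": 64},
    {"dir": "out", "proto": "udp", "remote": "203.0.113.10", "lport": 53, "bytes": 3100},
    {"dir": "in",  "proto": "udp", "remote": "203.0.113.11", "lport": 53, "bytes": 64},
    {"dir": "out", "proto": "udp", "remote": "203.0.113.11", "lport": 53, "bytes": 3100},
    # Ordinary web traffic: request and response sizes of the same order.
    {"dir": "in",  "proto": "tcp", "remote": "198.51.100.7", "lport": 443, "bytes": 1200},
    {"dir": "out", "proto": "tcp", "remote": "198.51.100.7", "lport": 443, "bytes": 8400},
    # Exfiltration-like: one outbound TCP session pushing tens of MB.
    {"dir": "in",  "proto": "tcp", "remote": "192.0.2.99", "lport": 41022, "bytes": 900},
    {"dir": "out", "proto": "tcp", "remote": "192.0.2.99", "lport": 41022, "bytes": 75_000_000},
]


def classify_flows(flows, amp_ratio=10.0, exfil_bytes=50_000_000):
    """Return findings for the two patterns discussed in the thread.
    amp_ratio and exfil_bytes are assumed thresholds; tune them to the host."""
    by_port = defaultdict(lambda: {"in": 0, "out": 0, "peers": set()})
    by_peer = defaultdict(lambda: {"in": 0, "out": 0})
    for f in flows:
        port = by_port[(f["proto"], f["lport"])]
        port[f["dir"]] += f["bytes"]
        port["peers"].add(f["remote"])
        by_peer[f["remote"]][f["dir"]] += f["bytes"]

    findings = []
    for (proto, lport), s in by_port.items():
        # Amplification: UDP, several distinct peers, and response bytes that
        # dwarf request bytes (the spoofed "sources" never send much in).
        if proto == "udp" and s["in"] and s["out"] / s["in"] >= amp_ratio and len(s["peers"]) > 1:
            findings.append({"kind": "amplification", "port": lport,
                             "ratio": round(s["out"] / s["in"], 1), "peers": len(s["peers"])})
    for peer, s in by_peer.items():
        # Exfiltration: a single remote host receives a large outbound volume
        # with little coming back beyond what acknowledgements would need.
        if s["out"] >= exfil_bytes and s["out"] > 50 * max(s["in"], 1):
            findings.append({"kind": "exfiltration", "peer": peer, "out_bytes": s["out"]})
    return findings


if __name__ == "__main__":
    for finding in classify_flows(SAMPLE_FLOWS):
        print(finding)
```

Run against a real capture, the same per-port and per-peer byte totals can be produced from a tcpdump or tshark summary before feeding them in; the sample here is constructed so the two signatures are easy to see side by side.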