How to catch a malicious process?
Situation : There is a server running Linux (Ubuntu 12.04) without a graphical shell. Previously, the work was more or less flawless. But recently, some of the software began to behave inappropriately.
It was noticed that access to the site is difficult (to put it mildly). I connect via SSH and observe terrible lag at the same time. It took about 1.5 minutes from the moment the "top" command was entered until the information appeared. But the information received was not informative: the most active of the processes used 30-40% of the processor time (2 cores, i.e. at most 200% is available per process, but I haven't seen that for a long time), and I also didn't see anything suspicious in memory consumption. The "df" command indicates that there is enough free space.
There are two hypotheses: 1) some process is obviously loading the disk subsystem by shoveling/creating files (or other file system objects); 2) some processes stubbornly send / download something over the network.
I ask for help with commands that can show in dynamics which processes: 1) read / write a large number of files; 2) create maximum network traffic.
The title of the question and your nickname together deliver :)
Related: iotop, nethogs, iptraf
Let's just hope it's not a rootkit. Otherwise, it will be a little more difficult to find it.
A detailed description of all the *top tools: habrahabr.ru/post/114082/
It may also come in handy:
iftop - real-time channel load monitoring
ethstats - shows the number of connections and channel load
cat /proc/net/ip_conntrack - shows active connections
A lot of interesting things can be found out with the stat command, although the above should be enough for you to diagnose the problem.
There is also iostat, sar, pidstat, etc from the sysstat package. Very helpful in situations like this.
The network does not cause overload; if something network-related slows things down, it is because of the disks. For example, torrents load the disk subsystem quite seriously.
First, check the readings of sar -d 1 10. If the disks are loaded, dig further towards iotop, iostat, if not, see the memory using the free or top command.
Another option: the RAM ends and active swapping begins. You can see both by top (low free memory, lots of swap used) and by iotop (active kswap).
Look at the memory with the same top - sometimes the kernel starts swapping and all the resources go to that.
By the way, as noted above about rootkits, I advise you to check the machine. But if the rootkit is already running, it may well hide itself. For such situations, people usually bring up a copy of the machine in a virtual machine, with traffic monitoring and a total check of the system: hashes and signatures of packages, and checksums.
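If iotop is not installed on the box, the per-process disk counters it relies on can be read directly. The following is an added example (not from any answer in this thread): a minimal iotop-style sampler that snapshots `/proc/<pid>/io` twice and ranks processes by bytes actually read from or written to the block layer in between. It assumes a Linux procfs and root privileges (without root, only your own processes' io files are readable and the rest are silently skipped).

```python
"""Minimal iotop-style sampler over /proc/<pid>/io (Linux). Added example,
not code from the thread; run as root to see other users' processes."""
import os
import time

# Counters that reflect bytes hitting the block layer (rchar/wchar do not).
FIELDS = ("read_bytes", "write_bytes")


def parse_io(text):
    """Parse the 'key: value' lines of one /proc/<pid>/io file into a dict."""
    stats = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key in FIELDS:
            stats[key] = int(value)
    return stats


def snapshot_procfs():
    """Read /proc/<pid>/io for every visible process; skip unreadable ones."""
    snap = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/io") as f:
                snap[int(pid)] = parse_io(f.read())
        except OSError:  # process exited, or permission denied when not root
            continue
    return snap


def rank_deltas(before, after, field="write_bytes", top=5):
    """Return [(pid, delta_bytes)] sorted largest first for pids in both
    snapshots. Pids seen only in 'after' are skipped: no baseline to diff."""
    deltas = []
    for pid, stats in after.items():
        if pid in before and field in stats and field in before[pid]:
            delta = stats[field] - before[pid][field]
            if delta > 0:
                deltas.append((pid, delta))
    deltas.sort(key=lambda item: item[1], reverse=True)
    return deltas[:top]


if __name__ == "__main__":
    first = snapshot_procfs()
    time.sleep(2)  # sampling interval, like 'sar -d 1 10' but per process
    second = snapshot_procfs()
    for field in FIELDS:
        print(f"top {field} over 2s:")
        for pid, delta in rank_deltas(first, second, field):
            try:
                with open(f"/proc/{pid}/comm") as f:
                    name = f.read().strip()
            except OSError:
                name = "?"  # process exited between snapshots and lookup
            print(f"  {pid:>7} {name:<16} {delta:>12} B")
```

A process that shows large deltas here but little CPU in top is exactly the disk-bound culprit hypothesised in the question; for the network hypothesis, nethogs or iftop as suggested above cover the other side.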