Debian
Ivan Ivanov, 2018-04-07 19:12:08

How to determine the source of an attack from the server?

Hetzner sent this today:

Dear Mr,
We have indications that there was an attack from your server.
Please take all necessary measures to avoid this in the future and to solve the issue.
We also request that you send a short response to us. This response should contain information about how this could have happened and what you intend to do about it.
In the event that the following steps are not completed successfully, your server can be blocked at any time after the 2018-04-07 17:28:12 +0200.
How to proceed:
- Solve the issue
- Test if the issue still exists by using the following link: ...
- After successfully testing that the issue is resolved, send us a statement by using the following link: ...
Important note:
When replying to us, please leave the abuse ID [AbuseID] unchanged in the subject line. Manual replies will only be handled in the event of a lock down. Should you have any questions relating to this, please contact our support staff at [email protected]
Please note that we do not provide telephone support in our department.
If you have any questions, please send them to us by responding to this email.
Kind regards
Network department
Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen / Germany
Tel: +49 9831 505-0
Fax: +49 9831 505-3
[email protected]
www.hetzner.com
Register Court: Registergericht Ansbach, HRB 6089
CEO: Martin Hetzner
On 07 Apr 13:27, [email protected] wrote:
> Direction OUT
> Internal ...
> Threshold Flows 200 flows/s
> Sum 65.272 flows/300s (217 flows/s), 154.730.000 packets/300s (515.766 packets/s), 6,922 GByte/300s (189 MBit/s)
> External 183.131.222.44
> External 111.230.105.177, 16.062 flows/300s (53 flows/s), 36.220.000 packets/300s (120.733 packets/s), 1,619 GByte/300s (44 MBit/s)
> External 60.191.186.90, 1.816 flows/300s (6 flows/s), 3.688.000 packets/300s (12.293 packets/s), 0.165 GByte/300s (4 MBit/s)
> External 60.191.186.95, 1.773 flows/300s (5 flows/s), 3.616.000 packets/300s (12.053 packets/s), 0.162 GByte/300s (4 MBit/s)
> External 60.191.186.91, 1.761 flows/300s (5 flows/s), 3.582.000 packets/300s (11.940 packets/s), 0.160 GByte/300s (4 MBit/s)
> External 60.191.186.96, 1.748 flows/300s (5 flows/s), 3.562.000 packets/300s (11.873 packets/s), 0.159 GByte/300s (4 MBit/s)
> External 60.191.186.3, 1.683 flows/300s (5 flows/s), 3.430.000 packets/300s (11.433 packets/s), 0.153 GByte/300s (4 MBit/s)
> External 60.191.186.2, 1.618 flows/300s (5 flows/s), 3.298.000 packets/300s (10.993 packets/s), 0.147 GByte/300s (4 MBit/s)
> External 188.244.209.65, 1 flows/300s (0 flows/s), 2.000 packets/300s (6 packets/s), 0.003 GByte/300s (0 MBit/s)
> External 37.9.113.143, 1 flows/300s (0 flows/s), 2.000 packets/300s (6 packets/s), 0.003 GByte/300s (0 MBit/s)
>

Is it possible to somehow determine whether the attack is still ongoing, and which network monitoring tools are best to use on the command line? The OS is Debian. Thank you.

1 answer(s)
Moris Haos, 2018-04-07
@morihaos

Hello,
The sources have already been identified for you: they are the external IPs. Real-time monitoring with various filters, settings, graphs and so on can be done with many utilities, for example iftop.
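As an added example (not from the question or the answer above), a Python parser for the flow summary in the abuse mail: it converts the report's European number formats, cross-checks the per-second figures against the 300 s counts, and shows which listed peers dominate and how much of the total the listed externals do not account for. The sample report is constructed from rows in the same shape as those quoted in the question.

```python
import re
# Constructed sample in the shape of the Hetzner netflow summary quoted above (counts use
# '.' as thousands separator, GByte a decimal comma or point, as in the original).
REPORT = """\
> Threshold Flows 200 flows/s
> Sum 65.272 flows/300s (217 flows/s), 154.730.000 packets/300s (515.766 packets/s), 6,922 GByte/300s (189 MBit/s)
> External 111.230.105.177, 16.062 flows/300s (53 flows/s), 36.220.000 packets/300s (120.733 packets/s), 1,619 GByte/300s (44 MBit/s)
> External 60.191.186.90, 1.816 flows/300s (6 flows/s), 3.688.000 packets/300s (12.293 packets/s), 0.165 GByte/300s (4 MBit/s)
> External 188.244.209.65, 1 flows/300s (0 flows/s), 2.000 packets/300s (6 packets/s), 0.003 GByte/300s (0 MBit/s)
"""

ROW = re.compile(r"^(?:Sum|External (\S+),) ([\d.]+) flows/300s \((\d+) flows/s\), "
                 r"([\d.]+) packets/300s \([\d.]+ packets/s\), ([\d.,]+) GByte/300s \((\d+) MBit/s\)$")

def count(s):   # '154.730.000' -> 154730000 (dots are thousands separators)
    return int(s.replace(".", ""))

def gbyte(s):   # '6,922' or '0.165' -> 6.922 / 0.165 (either decimal mark appears)
    return float(s.replace(",", "."))

def parse_report(text):
    """Return (threshold flows/s, Sum row, External rows by flows desc); rows are dicts."""
    threshold, total, externals = None, None, []
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        if line.startswith("Threshold Flows"):
            threshold = int(line.split()[2])
        m = ROW.match(line)
        if not m:
            continue                    # 'Direction OUT', 'Internal ...', blank lines
        row = {"ip": m.group(1), "flows": count(m.group(2)), "packets": count(m.group(4)),
               "gbyte": gbyte(m.group(5)), "mbit_s": int(m.group(6))}
        if row["flows"] // 300 != int(m.group(3)):   # per-second figure is count // 300
            raise ValueError("inconsistent flow figures: " + line)
        if row["ip"] is None:
            total = row
        else:
            externals.append(row)
    if threshold is None or total is None:
        raise ValueError("report lacks a 'Threshold Flows' or 'Sum' line")
    externals.sort(key=lambda r: r["flows"], reverse=True)
    return threshold, total, externals

def summarize(text):
    """Threshold verdict, each listed peer's share of all flows, and the unattributed share."""
    threshold, total, externals = parse_report(text)
    listed = sum(r["flows"] for r in externals)
    return {"over_threshold": total["flows"] // 300 > threshold,
            "share": [(r["ip"], round(100 * r["flows"] / total["flows"], 1)) for r in externals],
            "unlisted_share": round(100 * (total["flows"] - listed) / total["flows"], 1)}
```

The unattributed share is the part to keep in mind: the report lists top talkers, so the destinations it names are where to look first with iftop or ss, but not necessarily all of them.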
