There is a large flood of traffic coming from my server, how can I find the problem?
Hello! Here is the situation.
I have a web application on Digital Ocean; it sends emails and push notifications to phones for certain events. It is still being tested. Today I received this letter from Digital Ocean:
Hi there,
We are sorry to report that we have detected what appears to be a large flood of traffic from one or more of your servers that is disrupting the normal traffic flow for other users.
To prevent this traffic from causing further disruption, we have disabled the networking interface on the server or servers involved. In order to correct the issue, here is the direct link to the console of the affected droplet https://cloud.digitalocean.com/droplets/7365678/console
Please take action at your earliest convenience in order to investigate and resolve the situation. Once this is done, if you determine the program was malicious, please also determine how this software came to be installed on your droplet and prevent it from being installed again in the future. As soon as this is done let us know and we will investigate re-enabling your networking.
If you need any guidance on how to find and resolve this issue, we recommend reviewing this:
https://www.digitalocean.com/community/tutorials/h...
Please understand that this is a very serious issue as it negatively impacts our platform and your server. If you have any questions just let us know.
Thank you,
DigitalOcean Support
I'm afraid the problem is that my pushes sitting in the queues could have clogged the traffic.
Support sent a tcpdump; here is a piece of it:
Frame 1: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface 0
    Interface id: 0
    Encapsulation type: Ethernet (1)
    Arrival Time: Nov 16, 2015 06:07:08.481477000 UTC
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1447654028.481477000 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 66 bytes (528 bits)
    Capture Length: 66 bytes (528 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:tcp]
Ethernet II, Src: 84:b5:9c:fa:10:30 (84:b5:9c:fa:10:30), Dst: 04:01:70:64:92:01 (04:01:70:64:92:01)
    Destination: 04:01:70:64:92:01 (04:01:70:64:92:01)
        Address: 04:01:70:64:92:01 (04:01:70:64:92:01)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: 84:b5:9c:fa:10:30 (84:b5:9c:fa:10:30)
        Address: 84:b5:9c:fa:10:30 (84:b5:9c:fa:10:30)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 43.229.53.21 (43.229.53.21), Dst: 188.166.15.31 (188.166.15.31)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 52
    Identification: 0x2078 (8312)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 54
    Protocol: TCP (6)
    Header checksum: 0xf78c [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 43.229.53.21 (43.229.53.21)
    Destination: 188.166.15.31 (188.166.15.31)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 11413 (11413), Dst Port: 22 (22), Seq: 1, Ack: 1, Len: 0
    Source port: 11413 (11413)
    Destination port: 22 (22)
    [Stream index: 0]
    Sequence number: 1 (relative sequence number)
    Acknowledgment number: 1 (relative ack number)
    Header length: 32 bytes
    Flags: 0x010 (ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
    Window size value: 229
    [Calculated window size: 229]
    [Window size scaling factor: -1 (unknown)]
    Checksum: 0x460c [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        Timestamps: TSval 12594167, TSecr 572535019
            Kind: Timestamp (8)
            Length: 10
            Timestamp value: 12594167
            Timestamp echo reply: 572535019

0000  04 01 70 64 92 01 84 b5 9c fa 10 30 08 00 45 00   ..pd.......0..E.
0010  00 34 20 78 40 00 36 06 f7 8c 2b e5 35 15 bc a6   .4 x@.6...+.5...
0020  0f 1f 2c 95 00 16 e5 ab 0b fa dd 65 87 93 80 10   ..,........e....
0030  00 e5 46 0c 00 00 01 01 08 0a 00 c0 2b f7 22 20   ..F.........+." 
0040  30 eb                                             0.
And there are 19 such frames. Unfortunately, I can't understand anything here, so I hope for your help.
It didn't work out in one question, so let's ask in a second one.
Your pushes most likely have nothing to do with it. In the dump you posted, the dst port is 22. Did you accidentally start an SSH scanner on the droplet?
PS. The advice from the previous question still stands ;)
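The dissection above is long, but everything it says is derivable from the 66 hex bytes at the end of the frame. The following is an added example, written for this page and not part of the question, the answer or DigitalOcean's material: it parses those bytes (copied from the dump, offset column kept, ASCII column dropped), decodes the Ethernet/IPv4/TCP headers, recomputes the IPv4 header checksum that Wireshark left unvalidated, extracts the TCP timestamp option, and reports which way the packet is travelling. It assumes that 188.166.15.31, the destination address in the dump, is the droplet's own public address; that assumption is the only thing not taken from the page.

```python
"""Decode a tcpdump/Wireshark hex dump into Ethernet/IPv4/TCP fields.

Added example for reading the frame posted in the question; not code from
the question, the answer or DigitalOcean.
"""
import re
import struct

# Constructed sample input: frame 1 from the post, offset column kept,
# ASCII column removed.
FRAME_HEX = """
0000  04 01 70 64 92 01 84 b5 9c fa 10 30 08 00 45 00
0010  00 34 20 78 40 00 36 06 f7 8c 2b e5 35 15 bc a6
0020  0f 1f 2c 95 00 16 e5 ab 0b fa dd 65 87 93 80 10
0030  00 e5 46 0c 00 00 01 01 08 0a 00 c0 2b f7 22 20
0040  30 eb
"""

# Assumption: the droplet's public address is the destination seen in the dump.
DROPLET_IP = "188.166.15.31"

TCP_FLAG_BITS = [(0x80, "CWR"), (0x40, "ECE"), (0x20, "URG"), (0x10, "ACK"),
                 (0x08, "PSH"), (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN")]
HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")


def hexdump_to_bytes(dump):
    """Turn 'offset  xx xx ...' lines into raw bytes. Reads at most 16 byte
    tokens per line and stops at the first token that is not a hex byte, so
    a trailing ASCII column does not get parsed as data."""
    raw = bytearray()
    for line in dump.strip().splitlines():
        for tok in line.split()[1:17]:       # [0] is the offset column
            if not HEX_BYTE.match(tok):
                break
            raw.append(int(tok, 16))
    return bytes(raw)


def ip_checksum(header):
    """RFC 1071 one's-complement sum over an IPv4 header whose checksum
    field has been zeroed; returns the checksum the sender should have put."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_tcp_options(opts):
    """Walk the TCP option list; returns {'timestamps': (TSval, TSecr)} when
    a Timestamps option (kind 8, length 10) is present."""
    out, i = {}, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                        # End of Option List
            break
        if kind == 1:                        # NOP (single byte, no length)
            i += 1
            continue
        length = opts[i + 1]
        if kind == 8 and length == 10:
            out["timestamps"] = struct.unpack("!II", opts[i + 2:i + 10])
        i += length
    return out


def parse_frame(raw):
    """Decode Ethernet II + IPv4 + TCP headers from raw frame bytes."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", raw[:14])
    if ethertype != 0x0800:
        raise ValueError("not IPv4: ethertype 0x%04x" % ethertype)
    ip = raw[14:]
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, cksum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not IPv4/TCP")
    ihl = (ver_ihl & 0x0F) * 4
    header_zeroed = ip[:10] + b"\x00\x00" + ip[12:ihl]
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": ".".join(map(str, src)), "dst_ip": ".".join(map(str, dst)),
        "ttl": ttl, "ip_checksum_ok": ip_checksum(header_zeroed) == cksum,
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "flags": [name for bit, name in TCP_FLAG_BITS if off_flags & bit],
        "window": window,
        "tcp_options": parse_tcp_options(tcp[20:data_off]),
        "payload_len": len(tcp) - data_off,
    }


def direction(pkt, droplet_ip):
    """'inbound' if the droplet is the destination, 'outbound' if the source."""
    if pkt["dst_ip"] == droplet_ip:
        return "inbound"
    if pkt["src_ip"] == droplet_ip:
        return "outbound"
    return "transit"


def describe(pkt, droplet_ip=DROPLET_IP):
    return "%s %s %s:%d -> %s:%d ttl=%d payload=%d ip_csum_ok=%s" % (
        direction(pkt, droplet_ip), "|".join(pkt["flags"]) or "none",
        pkt["src_ip"], pkt["src_port"], pkt["dst_ip"], pkt["dst_port"],
        pkt["ttl"], pkt["payload_len"], pkt["ip_checksum_ok"])


if __name__ == "__main__":
    print(describe(parse_frame(hexdump_to_bytes(FRAME_HEX))))
```

Run as-is, the script reports an inbound, zero-length ACK from 43.229.53.21:11413 to port 22 of the droplet, with the recomputed IPv4 checksum matching 0xf78c (so the bytes were pasted intact). On its own that is only evidence of an established SSH session to the droplet; one 0-byte ACK neither confirms nor rules out which side generated the volume DigitalOcean complained about, so the full capture, or `ss`/`netstat` and process listings on the droplet's console, is what would answer the original question.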