After the fact, without special utilities, such things are extremely difficult to establish. One and a half gigabits of UDP flood could fly to you, which the server could not process with all the desire (not even because of ksoftirqd, but simply because the interfaces do not hold so much or the provider's channel already). But in general, a strange DDoS for 15 minutes, this is unjustified and not necessary, except perhaps as a test of the pen before real problems.
Pull the TP, let them look at the stats on the interfaces and other diagnostics if this is not available to you. In the meantime, she answers, configure atop, sar, anything you like, just to collect diagnostics and add them to a file. Then, after recovery, it will be possible to raise the history and track what happened. atop has a convenient ncurses interface, sar collects very deep diagnostics.

If the logs are empty, there was probably simply no Internet.