Weird spikey CPU load curve over 90 minutes

December 4, 2015 2.5k views
DigitalOcean Monitoring Ubuntu
jonathan
By:
jonathan

Yesterday, I found my Asterisk server was getting hammered by someone trying to hack their way in. So I closed of ALL ports except ssh for my IP, and the IP of the server I peer too. Instant load reduction, all good.

But this afternoon, I noticed this very weirdly shaped CPU load graph - I don’t think it’s incoming packets getting blocked, otherwise the network traffic would be increased too, correct?

I checked all the logs - no logins, nothing in the error log… I’m baffled by the shape of it too! Screenshot: https://www.dropbox.com/s/5g8kl6nm95x1tqv/ScreenClip%20%5B6%5D.png?dl=0

Log In to Comment
1 Answer
jtittle1 December 4, 2015

@jonathan

It very well could be from repeated attempts to continue an attack where the previous left off. Even if a rule or set of rules is/are in place, that doesn’t mean that CPU, or resources in general, will not be used. If it is indeed an attack, in my experience (spanning ~15 years), only a handful only try once and call it a day. If someone is truly trying to get in, they’ll keep trying until a). they get bored or; b). they no longer see it as a fruitful event.

As for a potential increase in network usage, it really depends. In most cases, you would see a spike, though if we’re potentially looking at a small brute force attempt being repeated, perhaps not.

Beyond that, I would check top and check the value of wa, which would reference I/O. If that value is spiking, you may want to install something such as iotop (similar to top but specifically for io) and run it (like top, you’d simply run iotop from the CLI) to get a slightly more in-depth look at what is causing the IO to rise.

Reply
  • jonathan December 5, 2015

    Thanks @jtittle - I couldn’t find anything. As well as absolutely no networks or disk spike, the other weird part about it is the shape of the spikes - Asterisk always uses about 2-3% CPU. But those spikes go flatline right to zero, and yet the Asterisk logs show it was up and chatting away with its normal SIP messages during that time. I think I’m just going to put this down to a logger bug maybe? Is that possible?

Have another answer? Share your knowledge.

Related Questions