Get alerted when assets are down, slow, or vulnerable to SSL attacks—all free for a month. Learn more

Question

Weird spikey CPU load curve over 90 minutes

Yesterday, I found my Asterisk server was getting hammered by someone trying to hack their way in. So I closed of ALL ports except ssh for my IP, and the IP of the server I peer too. Instant load reduction, all good.

But this afternoon, I noticed this very weirdly shaped CPU load graph - I don’t think it’s incoming packets getting blocked, otherwise the network traffic would be increased too, correct?

I checked all the logs - no logins, nothing in the error log… I’m baffled by the shape of it too! Screenshot: https://www.dropbox.com/s/5g8kl6nm95x1tqv/ScreenClip [6].png?dl=0

Submit an answer

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Want to learn more? Join the DigitalOcean Community!

Join our DigitalOcean community of over a million developers for free! Get help and share knowledge in Q&A, subscribe to topics of interest, and get courses and tools that will help you grow as a developer and scale your project or business.

Jonathan TittleDecember 4, 2015

@jonathan

It very well could be from repeated attempts to continue an attack where the previous left off. Even if a rule or set of rules is/are in place, that doesn’t mean that CPU, or resources in general, will not be used. If it is indeed an attack, in my experience (spanning ~15 years), only a handful only try once and call it a day. If someone is truly trying to get in, they’ll keep trying until a). they get bored or; b). they no longer see it as a fruitful event.

As for a potential increase in network usage, it really depends. In most cases, you would see a spike, though if we’re potentially looking at a small brute force attempt being repeated, perhaps not.

Beyond that, I would check top and check the value of wa, which would reference I/O. If that value is spiking, you may want to install something such as iotop (similar to top but specifically for io) and run it (like top, you’d simply run iotop from the CLI) to get a slightly more in-depth look at what is causing the IO to rise.

Try DigitalOcean for free

Click below to sign up and get $100 of credit to try our products over 60 days!

Sign up