Related

Join the DigitalOcean Community Community

Join 1M+ other developers and:

  • Get help and share knowledge in Q&A
  • Subscribe to topics of interest
  • Get courses & tools that help you grow as a developer or small business owner
 Join Now
Updated Droplet for Monitoring, now sending a lot of data to syslog Question Question
my droplet powered off automatically overnight Question Question

Question

Weird spikey CPU load curve over 90 minutes

Posted December 4, 2015 3.2k views
UbuntuDigitalOceanMonitoring

Yesterday, I found my Asterisk server was getting hammered by someone trying to hack their way in. So I closed of ALL ports except ssh for my IP, and the IP of the server I peer too. Instant load reduction, all good.

But this afternoon, I noticed this very weirdly shaped CPU load graph - I don’t think it’s incoming packets getting blocked, otherwise the network traffic would be increased too, correct?

I checked all the logs - no logins, nothing in the error log… I’m baffled by the shape of it too! Screenshot: https://www.dropbox.com/s/5g8kl6nm95x1tqv/ScreenClip%20%5B6%5D.png?dl=0

Add a comment
jonathan
By:
jonathan

Related

Join the DigitalOcean Community Community

Join 1M+ other developers and:

  • Get help and share knowledge in Q&A
  • Subscribe to topics of interest
  • Get courses & tools that help you grow as a developer or small business owner
 Join Now
Updated Droplet for Monitoring, now sending a lot of data to syslog Question Question
my droplet powered off automatically overnight Question Question

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
Submit an Answer
1 answer
jtittle1 December 4, 2015

@jonathan

It very well could be from repeated attempts to continue an attack where the previous left off. Even if a rule or set of rules is/are in place, that doesn’t mean that CPU, or resources in general, will not be used. If it is indeed an attack, in my experience (spanning ~15 years), only a handful only try once and call it a day. If someone is truly trying to get in, they’ll keep trying until a). they get bored or; b). they no longer see it as a fruitful event.

As for a potential increase in network usage, it really depends. In most cases, you would see a spike, though if we’re potentially looking at a small brute force attempt being repeated, perhaps not.

Beyond that, I would check top and check the value of wa, which would reference I/O. If that value is spiking, you may want to install something such as iotop (similar to top but specifically for io) and run it (like top, you’d simply run iotop from the CLI) to get a slightly more in-depth look at what is causing the IO to rise.

Reply Report
  • jonathan December 5, 2015

    Thanks @jtittle - I couldn’t find anything. As well as absolutely no networks or disk spike, the other weird part about it is the shape of the spikes - Asterisk always uses about 2-3% CPU. But those spikes go flatline right to zero, and yet the Asterisk logs show it was up and chatting away with its normal SIP messages during that time. I think I’m just going to put this down to a logger bug maybe? Is that possible?

    Reply Report

Related

Looking for something else?

Ask a new question Search for more help