What would cause these odd spikes in bandwidth usage?

Posted January 13, 2017 4.7k views
Ubuntu, Apache, LAMP Stack

I’m getting weird spikes in bandwidth, disk, and CPU usage. What could be causing this? It’s a pretty standard LAMP stack. Only a few days old.

2 answers


When you deploy a droplet, the initial deployment and setup is going to cause CPU, RAM and Disk I/O spikes. This is completely normal and once the droplet is a week old, or older, the graphs will begin to normalize.

  • @jtittle
    But the duration of that spike is almost 5 hours long. Also, the memory consumption is constantly over 90%. Don't you think that's odd?

    • @jacksonwages

      For a new Droplet, not really, though we can always check a few things to see what’s going on and to see if what’s happening is a cause for concern.

      The first thing I would do is check whether your firewall is enabled. If it’s not, some of what you’re seeing could be due to repeated attempts to log in by bots or similar. Much of this is and always will be automated, so unless you’re filtering traffic through a firewall, you’re not going to see any reduction.

      You can run the command below to see if ufw is enabled.

      sudo ufw status

      If ufw is not enabled, we need to determine what ports you need open. Most commonly, you should allow ports: 80, 443, and 22 (HTTP, HTTPS, and SSH). We should also set up a default policy to deny connections to any ports that we don’t specifically allow. To do this, we can run:

      sudo ufw default deny

      Then set up the ports we want to allow access on:

      sudo ufw allow 22/tcp \
      && sudo ufw allow 80/tcp \
      && sudo ufw allow 443/tcp

      Now we can enable ufw:

      sudo ufw enable

      It’ll ask you to confirm. Simply confirm, and your firewall is now enabled and external access will now only be allowed on those 3 ports.

      You can also check your logs in /var/log, or the location of your software-specific logs (i.e. Apache, PHP, etc). Look at the access and error logs and see if there’s anything out of the ordinary, such as odd requests for random files, queries with random strings, etc. If you see things like this, while common, it’ll give you an idea of what someone is looking for.

      These types of requests, much like attempts to log in, are automated and since it’s still traffic to your web server, they will use resources to serve the request. There are ways to filter them, though it really depends on what you’re using (i.e. WordPress?) or something else. I know there are WordPress security plugins that will filter bad requests and there are also ways to do it at the server level.

Check your log files in /var/log
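
The log check suggested in both answers above, as an added example that is not part of either post: it ranks clients by requests, 404s and bytes served in an Apache access log, and by failed SSH password attempts in auth.log. The function names, the sample log lines (constructed, using documentation IP ranges) and the Ubuntu default log paths in the comments are assumptions.

```bash
# Added example: find which clients account for the traffic seen in the logs.
# All log lines below are constructed samples, not taken from a real server.

sample_access_log() {
  cat <<'EOF'
203.0.113.7 - - [13/Jan/2017:02:10:01 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Jan/2017:02:10:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Jan/2017:02:10:03 +0000] "GET /?q=aZ91xk HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.23 - - [13/Jan/2017:02:11:00 +0000] "GET / HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.50 - - [13/Jan/2017:02:12:00 +0000] "-" 408 - "-" "-"
EOF
}

sample_auth_log() {
  cat <<'EOF'
Jan 13 02:11:05 web sshd[1234]: Failed password for invalid user admin from 198.51.100.23 port 40022 ssh2
Jan 13 02:11:07 web sshd[1236]: Failed password for root from 198.51.100.23 port 40023 ssh2
Jan 13 02:11:09 web sshd[1238]: Failed password for root from 203.0.113.7 port 51000 ssh2
Jan 13 02:15:00 web sshd[1300]: Accepted publickey for deploy from 192.0.2.10 port 50000 ssh2
EOF
}

# Per client IP: "ip requests not_found bytes", busiest first.
# Splitting on the double quote keeps status and size aligned even when the
# request line is malformed (e.g. "-"), which breaks plain whitespace fields.
top_clients() {
  awk -F'"' '{
      split($1, pre, " "); split($3, post, " "); ip = pre[1]
      req[ip]++
      if (post[1] == "404") nf[ip]++
      if (post[2] ~ /^[0-9]+$/) bytes[ip] += post[2]
    }
    END { for (ip in req) printf "%s %d %d %d\n", ip, req[ip], nf[ip], bytes[ip] }' "$@" |
    sort -k2,2nr -k1,1
}

# Per source IP: "ip failed_password_attempts", most attempts first.
failed_ssh() {
  awk '/sshd.*Failed password/ {
      for (i = NF; i > 1; i--) if ($(i - 1) == "from") { c[$i]++; break }
    }
    END { for (ip in c) printf "%s %d\n", ip, c[ip] }' "$@" |
    sort -k2,2nr -k1,1
}

# On a server (Ubuntu default paths, assumed here):
#   top_clients /var/log/apache2/access.log | head
#   failed_ssh /var/log/auth.log | head
sample_access_log | top_clients
sample_auth_log | failed_ssh
```

A client with many 404s for paths your site never had, or an address with many failed password attempts, is a candidate for blocking or rate limiting, for example with a ufw rule.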