Server inbound traffic basically unchanged, but outbound traffic suddenly multiplied: what is the cause?

2014-05-22 09:49:21 +08:00
bobopu
Ubuntu system. Over the last two days inbound traffic has stayed basically the same, but outbound traffic has grown 3-4x. Can someone help analyze the cause? Virus/zombie-host issues have been preliminarily ruled out.
4747 clicks
Node: Cloud Computing
17 replies
mahone3297
2014-05-22 09:58:10 +08:00
How do you monitor inbound/outbound traffic? Please advise...
hq5261984
2014-05-22 09:59:25 +08:00
Are there any videos or large files on the server? If so, it may be something like Xunlei doing it.
mhycy
2014-05-22 10:02:04 +08:00
Check the logs?
bobopu
2014-05-22 10:05:19 +08:00
@mahone3297 The simplest way: you can see it clearly in Alibaba Cloud's Yundun (Cloud Shield); if your host is not on Alibaba Cloud, you can install SafeDog and see it there too.
bobopu
2014-05-22 10:06:18 +08:00
@hq5261984 No videos or large files, just a few static pages, not even a database.
bobopu
2014-05-22 10:06:29 +08:00
@mhycy Yeah, going through the logs now.
ericls
2014-05-22 10:10:24 +08:00
iftop
ShunYea
2014-05-22 11:19:41 +08:00
Hotlinked?
bobopu
2014-05-22 11:48:13 +08:00
@ShunYea Just a few static pages, not even images, so hotlinking is out of the question.
Alibaba Cloud gave me a script that blocks outbound UDP:
#!/bin/bash
check_os_release()
{
    while true
    do
        os_release=$(grep "Red Hat Enterprise Linux Server release" /etc/issue 2>/dev/null)
        os_release_2=$(grep "Red Hat Enterprise Linux Server release" /etc/redhat-release 2>/dev/null)
        if [ "$os_release" ] && [ "$os_release_2" ]
        then
            if echo "$os_release"|grep "release 5" >/dev/null 2>&1
            then
                os_release=redhat5
                echo "$os_release"
            elif echo "$os_release"|grep "release 6" >/dev/null 2>&1
            then
                os_release=redhat6
                echo "$os_release"
            else
                os_release=""
                echo "$os_release"
            fi
            break
        fi
        os_release=$(grep "Aliyun Linux release" /etc/issue 2>/dev/null)
        os_release_2=$(grep "Aliyun Linux release" /etc/aliyun-release 2>/dev/null)
        if [ "$os_release" ] && [ "$os_release_2" ]
        then
            if echo "$os_release"|grep "release 5" >/dev/null 2>&1
            then
                os_release=aliyun5
                echo "$os_release"
            elif echo "$os_release"|grep "release 6" >/dev/null 2>&1
            then
                os_release=aliyun6
                echo "$os_release"
            else
                os_release=""
                echo "$os_release"
            fi
            break
        fi
        os_release=$(grep "CentOS release" /etc/issue 2>/dev/null)
        os_release_2=$(grep "CentOS release" /etc/*release 2>/dev/null)
        if [ "$os_release" ] && [ "$os_release_2" ]
        then
            if echo "$os_release"|grep "release 5" >/dev/null 2>&1
            then
                os_release=centos5
                echo "$os_release"
            elif echo "$os_release"|grep "release 6" >/dev/null 2>&1
            then
                os_release=centos6
                echo "$os_release"
            else
                os_release=""
                echo "$os_release"
            fi
            break
        fi
        os_release=$(grep -i "ubuntu" /etc/issue 2>/dev/null)
        os_release_2=$(grep -i "ubuntu" /etc/lsb-release 2>/dev/null)
        if [ "$os_release" ] && [ "$os_release_2" ]
        then
            if echo "$os_release"|grep "Ubuntu 10" >/dev/null 2>&1
            then
                os_release=ubuntu10
                echo "$os_release"
            elif echo "$os_release"|grep "Ubuntu 12.04" >/dev/null 2>&1
            then
                os_release=ubuntu1204
                echo "$os_release"
            elif echo "$os_release"|grep "Ubuntu 12.10" >/dev/null 2>&1
            then
                os_release=ubuntu1210
                echo "$os_release"
            else
                os_release=""
                echo "$os_release"
            fi
            break
        fi
        os_release=$(grep -i "debian" /etc/issue 2>/dev/null)
        os_release_2=$(grep -i "debian" /proc/version 2>/dev/null)
        if [ "$os_release" ] && [ "$os_release_2" ]
        then
            if echo "$os_release"|grep "Linux 6" >/dev/null 2>&1
            then
                os_release=debian6
                echo "$os_release"
            else
                os_release=""
                echo "$os_release"
            fi
            break
        fi
        os_release=$(grep "openSUSE" /etc/issue 2>/dev/null)
        os_release_2=$(grep "openSUSE" /etc/*release 2>/dev/null)
        if [ "$os_release" ] && [ "$os_release_2" ]
        then
            if echo "$os_release"|grep "13.1" >/dev/null 2>&1
            then
                os_release=opensuse131
                echo "$os_release"
            else
                os_release=""
                echo "$os_release"
            fi
            break
        fi
        break
    done
}

exit_script()
{
    echo -e "\033[1;40;31mInstall $1 error, will exit.\n\033[0m"
    rm -f "$LOCKfile"
    exit 1
}

# Drop outbound TCP to the listed ports and all outbound UDP (iptables hosts)
config_iptables()
{
    iptables -I OUTPUT 1 -p tcp -m multiport --dport 21,22,23,25,53,80,135,139,443,445 -j DROP
    iptables -I OUTPUT 2 -p tcp -m multiport --dport 1433,1314,1521,2222,3306,3433,3389,4899,8080,18186 -j DROP
    iptables -I OUTPUT 3 -p udp -j DROP
    iptables -nvL
}

# Same policy expressed as ufw rules (Ubuntu hosts)
ubuntu_config_ufw()
{
    ufw deny out proto tcp to any port 21,22,23,25,53,80,135,139,443,445
    ufw deny out proto tcp to any port 1433,1314,1521,2222,3306,3433,3389,4899,8080,18186
    ufw deny out proto udp to any
    ufw status
}

####################Start###################
#check lock file, only let one instance of the script run at a time
LOCKfile=/tmp/.$(basename "$0")
if [ -f "$LOCKfile" ]
then
    echo -e "\033[1;40;31mThe script is already running, please run this script again later.\n\033[0m"
    exit
else
    echo -e "\033[40;32mStep 1. No lock file, begin to create lock file and continue.\n\033[40;37m"
    touch "$LOCKfile"
fi

#check user
if [ "$(id -u)" != "0" ]
then
    echo -e "\033[1;40;31mError: You must be root to run this script, please use root to execute this script.\n\033[0m"
    rm -f "$LOCKfile"
    exit 1
fi

echo -e "\033[40;32mStep 2. Begin to check the OS release.\n\033[40;37m"
os_release=$(check_os_release)
if [ "X$os_release" == "X" ]
then
    echo -e "\033[1;40;31mThe OS could not be identified, so this script is not executed.\n\033[0m"
    rm -f "$LOCKfile"
    exit 0
else
    echo -e "\033[40;32mThis OS is $os_release.\n\033[40;37m"
fi

echo -e "\033[40;32mStep 3. Begin to config firewall.\n\033[40;37m"
case "$os_release" in
    redhat5|centos5|redhat6|centos6|aliyun5|aliyun6)
        service iptables start
        config_iptables
        ;;
    debian6)
        config_iptables
        ;;
    ubuntu10|ubuntu1204|ubuntu1210)
        ufw enable <<EOF
y
EOF
        ubuntu_config_ufw
        ;;
    opensuse131)
        config_iptables
        ;;
esac

echo -e "\033[40;32mConfig firewall success, this script now exits!\n\033[40;37m"
rm -f "$LOCKfile"
thinkxen
2014-05-22 12:50:40 +08:00
@mahone3297 iptraf and the like, or a monitoring site such as Jiankongbao; you can also ask the data center for MRTG graphs.
@bobopu Still, look at the web server logs~~
hydrazt
2014-05-22 13:09:08 +08:00
Capture packets with tcpdump and analyze them.
I ran into something similar before: when packet loss was severe, the system kept retransmitting packets that got no ACK, which indirectly doubled the outbound volume.
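As an added illustration of the tcpdump approach suggested in this reply (not code from the thread or from any of its participants): a small Python parser over constructed `tcpdump -nn` text lines that counts outbound data segments whose sequence range is re-sent to the same peer, which is how an unresponsive peer (the assumed dead host 10.0.0.9 below; all addresses are made up) shows up as multiplied egress while ingress stays flat.

```python
import re
from collections import defaultdict

# One line of `tcpdump -nn` output for a TCP segment (format assumed from the
# classic "IP src.port > dst.port: Flags [..], seq A:B, ..., length N" layout).
TCP_LINE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[[^\]]*\].*?\bseq (?P<seq>\d+(?::\d+)?).*?\blength (?P<len>\d+)$"
)

def find_retransmissions(lines, local_ip):
    """Per-peer outbound payload bytes, with the share that was re-sent.

    A data segment counts as a retransmission when the same (src, sport, dst,
    dport, seq range) already appeared earlier in the capture. Zero-length
    segments (SYN, pure ACK) are ignored: they do not move traffic volume.
    """
    seen = set()
    per_dst = defaultdict(lambda: {"bytes": 0, "retrans_bytes": 0, "retrans": 0})
    for line in lines:
        m = TCP_LINE.match(line.strip())
        if not m or m["src"] != local_ip:
            continue                      # inbound, non-TCP, or no seq field
        length = int(m["len"])
        if length == 0:
            continue
        key = (m["src"], m["sport"], m["dst"], m["dport"], m["seq"])
        stats = per_dst[m["dst"]]
        stats["bytes"] += length
        if key in seen:
            stats["retrans"] += 1
            stats["retrans_bytes"] += length
        seen.add(key)
    return dict(per_dst)

def suspicious_peers(lines, local_ip, ratio=0.5):
    """Peers for which re-sent payload is at least `ratio` of everything sent to them."""
    per_dst = find_retransmissions(lines, local_ip)
    return sorted(d for d, s in per_dst.items() if s["retrans_bytes"] >= ratio * s["bytes"])

# Constructed capture: 10.0.0.5 is this host; 10.0.0.9 never ACKs, so the same
# 1448-byte segment goes out four times; 10.0.0.20 is a healthy peer.
SAMPLE = [
    "10:05:01.000001 IP 10.0.0.5.443 > 10.0.0.9.51234: Flags [P.], seq 1:1449, ack 1, win 229, length 1448",
    "10:05:01.000002 IP 10.0.0.5.443 > 10.0.0.20.40000: Flags [P.], seq 1:101, ack 1, win 229, length 100",
    "10:05:01.000003 IP 10.0.0.20.40000 > 10.0.0.5.443: Flags [.], ack 101, win 229, length 0",
    "10:05:01.200000 IP 10.0.0.5.443 > 10.0.0.9.51234: Flags [P.], seq 1:1449, ack 1, win 229, length 1448",
    "10:05:01.600000 IP 10.0.0.5.443 > 10.0.0.9.51234: Flags [P.], seq 1:1449, ack 1, win 229, length 1448",
    "10:05:02.400000 IP 10.0.0.5.443 > 10.0.0.9.51234: Flags [P.], seq 1:1449, ack 1, win 229, length 1448",
    "10:05:02.500000 IP 10.0.0.5.51000 > 10.0.0.9.80: Flags [S], seq 7000, win 29200, length 0",
]

if __name__ == "__main__":
    for dst, s in find_retransmissions(SAMPLE, "10.0.0.5").items():
        print(dst, s)
    print("suspicious:", suspicious_peers(SAMPLE, "10.0.0.5"))
```

Feed it `tcpdump -nn -i eth0 tcp` output saved to a file and the peers listed by `suspicious_peers` are the ones to check for being down or unreachable.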
bobopu
2014-05-22 14:12:07 +08:00
@hydrazt Buddy, thank you so much. Sure enough, this server was forwarding packets to another server (which had hung), got no response, and kept sending. Solved after a reboot.
wzxjohn
2014-05-22 14:14:04 +08:00
Cherish life, stay away from SafeDog.
bobopu
2014-05-22 14:27:06 +08:00
@wzxjohn It's not completely useless; it is fairly easy to set up. The awful part, though: I have a Windows server on Alibaba Cloud, and after installing SafeDog and enabling ARP protection the server behaved like it was having seizures, online for a while and then offline again. It baffled even Alibaba Cloud's engineers, who looked everywhere without finding the problem. In the end it turned out the ARP defense module seemed to be incompatible with Alibaba Cloud's network environment.
lang1pal
2014-05-22 15:59:38 +08:00
@mahone3297 vnstat
wzxjohn
2014-05-22 16:41:57 +08:00
@bobopu SafeDog on Windows is an even bigger risk; lots of people have hit all sorts of bugs because of it, and every time the cause turned out to be SafeDog.
bobopu
2014-05-22 16:55:26 +08:00
@wzxjohn I now have SEP12 installed on the Windows server and it works quite well.

https://www.v2ex.com/t/113692

© 2021 V2EX