[Nottingham] Bandwidth Accounting

Penfold penfoldq at penfoldq.co.uk
Mon Apr 16 14:16:40 BST 2007


I've got a server in a datacenter where excess bandwidth is charged per
gigabyte. The bandwidth is counted by the hosting provider and I am
charged for the larger of the incoming or outgoing bandwidth per month
over my initial allocation of 5 GiB.

I currently don't host much on there and the bandwidth accounting shows
an average of about 50-100 MiB outgoing per month. However the incoming
bandwidth is metered at a very high level. Typically 2-3 GiB per month
and some months 7 GiB (although I've never been charged for this

I have another domain at a different hosting provider where the limit is
a combined in/out of 100 MiB / month and I've never exceeded 60% of
this. I know the usage patterns of the two domains are different but I
can't really see that I am uploading that much!

I haven't made deliberate transfers of any significant size (I've only
got 3 GiB of disk space on this account) and I don't have spam filters
that are discarding large amounts of adverts for blue pills or mining
stocks. I currently delete all spam manually.

I do use SSH to connect to this server. I check my email using mutt
rather than POP3/IMAP.

So where is this huge incoming bandwidth coming from?

The server is using User Mode Linux so I don't have the whole box to
myself but I do have root access. It is running Debian Sarge.

Does anyone have any ideas how I could implement my own bandwidth
accounting, hopefully to locate the ports and traffic types that are
eating my incoming bandwidth?

I have a gut feeling it is attack bots trying to compromise my system
and whilst I am reasonably happy with my security policy, I'd like to
know what is going on.

Thanks in advance.
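
The per-port accounting asked about above can be done with iptables byte counters; the script below is an added example, not part of the original post. It assumes the User Mode Linux kernel has netfilter support; the chain name `ACCT_IN`, the port list and the sample counter listing are constructed for illustration.

```shell
#!/bin/sh
# Added example; the chain name ACCT_IN and the port list are assumptions.

# Run once as root. Each rule ends in RETURN, so a packet is counted by the
# first rule it matches and then continues through INPUT unchanged.
setup_acct() {
    iptables -N ACCT_IN
    iptables -I INPUT -j ACCT_IN
    for port in 22 25 80; do
        iptables -A ACCT_IN -p tcp --dport "$port" -j RETURN
    done
    iptables -A ACCT_IN -j RETURN    # everything not matched above
}

# Reads `iptables -L ACCT_IN -v -n -x` on stdin and prints
# "bytes share proto/port" lines, largest first.
summarise_acct() {
    awk '$1 ~ /^[0-9]+$/ && $3 == "RETURN" {
             label = $4 "/other"
             for (i = 5; i <= NF; i++)
                 if ($i ~ /^dpt:/) label = $4 "/" substr($i, 5)
             bytes[label] += $2
             total += $2
         }
         END {
             for (l in bytes)
                 printf "%.0f %.1f%% %s\n", bytes[l],
                        (total ? 100 * bytes[l] / total : 0), l
         }' | sort -rn
}

# Constructed sample of the counter listing (not real measurements).
SAMPLE='Chain ACCT_IN (1 references)
    pkts      bytes target     prot opt in     out     source               destination
    7100     600000 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    2300     300000 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25
     400      60000 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
     900      40000 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Live use: iptables -L ACCT_IN -v -n -x | summarise_acct
printf '%s\n' "$SAMPLE" | summarise_acct
```

The counters are IP packet lengths as seen by the host, so they may differ slightly from the provider's meter; `iptables -Z ACCT_IN` resets them at the start of a billing period.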


