I'm not going to continue to argue with you as you keep failing to read critical portions of what my posts say (INCLUDING THE EDITS!) and thus, it would fall on deaf ears.
No. Eth0 happens to be receiving the traffic, I admit; however, the IP was assigned to eth0:0, which typically means a virtual MAC address on the node. He claims he removed the eth0:0 interface and that's when this traffic flood started. If the VMAC is gone, why is the main physical MAC receiving...
I never even thought about that. Kudos. However, if he actually disabled the interface that the IP was associated with after removing the IP, wouldn't the result not be a TTL loop?
Just a thought.
Veddy
EDIT: He's stated that he has no control over the router/L3 switch in a previous post. But...
Okay. Also, the issue I've found out about that .x11 IP is that 1) it's originating from China and 2) several sites pin it as an SSH bruteforcer IP. As for why you're continuing to receive traffic on the host node even though the IP isn't assigned to it, I don't know as of yet.
Thanks for the info. I think I have an answer as for why, but not how to fix it just yet. The issue (I THINK) lies with the IP being disconnected from an interface and that because the server is somehow still receiving the packets, the data in/out is symmetrical because iptables is like, "this...
I would assume (based on your OP) that the IP does belong to you (the one receiving and sending traffic) and by your statement, I assume you checked your net.ipv4.ip_forward setting as well as trying brctl show? I don't know if you host VPS' still but the main thing I can think of is a rogue...
I'm going to fire up my trusty CentOS 6 server. Is there any chance you could either post or PM me a link to a traffic dump? Not knowing a lot about the situation makes it somewhat hard to accurately diagnose. Also, was this IP (the one supposedly attached to your server) at one point attached...