Hi, volume-based DDoS attacks should often result with following bandwidth graphs: http://s12.postimg.org/gy3eps10t/volume_based_DDo_S_graph.png This is a fabricated bps graph for 100GigE port facing an uplink provider. As seen on the image, outgoing traffic drops at the time when incoming traffic increases. I could see following reasons for this: 1) large portion of traffic uses TCP protocol and in case of congestion(even in one direction), ACK messages are lost and TCP congestion avoidance kicks in and as a result it will reduce the cwnd which in effect reduce the data TCP sender can send 2) certain router platforms share some hardware resources both with Tx and Rx traffic Are those assumptions correct? Are there any other reasons which cause outgoing traffic to drop if incoming traffic is very high or the other way around? thanks, Martin