Bizarre ethernet problems with DietPi on native PC, home network slows down

Creating a bug report/issue

I have searched the existing open and closed issues

Required Information

• DietPi version | 9.8.0 master
• Distro version | bookworm
• Kernel version | Linux Nebelung 6.1.0-28-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.119-1 (2024-11-22) x86_64 GNU/Linux
• Architecture | amd64
• SBC model | Native PC (x86_64)
• Power supply used | Unknown
• SD card used | N/A

Additional Information (if applicable)

• I’ve been using DietPi on a native PC for about a year now. I’m running several services on it, including Nextcloud, a node.js webserver, Jellyfin, Gitea, nginx, Pi-hole, among others.
• Everything was fine until January 3rd this year. Nothing happened when the problem started, it just started very suddenly.
• Even when turning off all of my services manually, the problem persists until the PC loses ethernet connection (sudo reboot, sudo poweroff, unplug ethernet, disable ethernet in dietpi-config).
• The problem affects the entire household network, ie. all computers, phones, wifi
• I took my PC to a repair person who uses Linux (I’m relatively a novice to Linux stuff). He saw the same problem when testing on his own home network. He concluded the problem was I was using DietPi, or my installation is wrong somehow, and running something like Linux Mint doesn’t cause the problem. I don’t know how true that is, but I figured I’d post here.
• It’s entirely possible this is a hardware issue, but frankly I don’t know. I’d like a second opinion on if I need a new motherboard. If this is the wrong place for this, let me know where to post?

Steps to reproduce

1. I boot up my PC, my systemd services automatically start
2. (Optional) I turn off all my custom services
3. After a seemingly random amount of time, sometimes a few minutes, sometimes a few hours, my home network becomes unusably slow, for all devices. All videos, chat services like Discord, and network connectivity in general are extremely slow. At this point I can’t even download packages on my DietPi PC.
4. The internet only returns to health the instant I shut off the ethernet adapter in dietpi-config, or from unplugging my ethernet cable. If I instead reboot the modem or PC, the problem happens again shortly after.

Extra details

• I had an ISP technician come over in January who diagnosed the issue as voltage backfeed from somewhere in the house going to the modem and causing slowdown in all traffic. This leads me to assume the problem is my motherboard?
• I installed a PCIe ethernet card (eth1) to use instead of the motherboard’s onboard ethernet. No change.
• When the problem occurs, local connections are affected as well, ie. I can’t ssh into the DietPi PC anymore.

This looks tricky problem. I doubt it is caused by “voltage backfeed”.
A few steps to troubleshoot it better and narrow down the culprit.

1. Boot some other Linux OS, like Mint from a USB drive. This will definitely rule out some hardware issue.
2. Boot a fresh installation of Dietpi on a separate hdd/ssd or take backup and then install on the same drive.
3. Turn off one by one the dietpi-services when the problem occurs and see if it is caused by some service.
4. When the problem occurs you could run some network diagnostics, like iptraf-ng, nload, tcpdump to look for anomalies.

Hi, thanks for replying

1. The other night I booted Linux Mint install media off a flash drive, put on a youtube livestream and let it sit overnight. No network problems for anyone as far as I could tell. But also given that the problem has sometimes gone days without happening, that might be inconclusive.
2. Haven’t done this yet. How can I make a backup that includes all my files eg. nginx settings, systemd services, users and files?
3. I stopped all dietpi-services after the problem happened. No effect.
4. I didn’t have any of the tools listed so I installed tcpdump quickly, did sudo tcpdump and let it sit. When the problem is happening, tcpdump is absolutely swarmed with entries from my device to ips I don’t recognize.

Partial output of tcpdump, there was just a lot of this:

19:23:04.894203 IP 10.0.0.164.60259 > 149.104.172.13.http-alt: Flags [S], seq 960824102:960825126, win 64722, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: HTTP
19:23:04.894212 IP 10.0.0.164.16069 > 149.104.172.13.http-alt: Flags [S], seq 2065413665:2065414689, win 62045, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: HTTP
19:23:04.894221 IP 10.0.0.164.30765 > 149.104.172.13.http-alt: Flags [S], seq 1003678650:1003679674, win 65122, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: HTTP
19:23:04.894230 IP 10.0.0.164.60954 > 149.104.172.13.http-alt: Flags [S], seq 3977812840:3977813864, win 62244, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: HTTP
19:23:04.894238 IP 10.0.0.164.50777 > 149.104.172.13.http-alt: Flags [S], seq 157871975:157872999, win 63501, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: HTTP
19:23:04.894247 IP 10.0.0.164.62013 > 149.104.172.13.http-alt: Flags [S], seq 3717812083:3717813107, win 60696, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: HTTP
19:23:04.894257 IP 10.0.0.164.54949 > 149.104.172.13.http-alt: Flags [S], seq 351541035:351542059, win 60437, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: HTTP
19:23:04.894265 IP 10.0.0.164.30387 > 149.104.172.13.http-alt: Flags [S], seq 2010112699:2010113723, win 61021, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: HTTP
19:23:04.894274 IP 10.0.0.164.49550 > 149.104.172.13.http-alt: Flags [S], seq 3769273698:3769274722, win 64259, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: HTTP
19:23:04.894283 IP 10.0.0.164.36295 > 149.104.172.13.http-alt: Flags [S], seq 3196483007:3196484031, win 60391, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: HTTP
19:23:04.894310 IP 10.0.0.164.14720 > 149.104.172.13.http-alt: Flags [S], seq 3504530584:3504531608, win 65399, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: HTTP
19:23:04.894310 IP 10.0.0.164.53717 > 149.104.172.13.http-alt: Flags [S], seq 2644486838:2644487862, win 63795, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: HTTP
19:23:04.894323 IP 10.0.0.164.60997 > 149.104.172.13.http-alt: Flags [S], seq 1881368204:1881369228, win 65345, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: HTTP
19:23:04.894324 IP 10.0.0.164.31946 > 149.104.172.13.http-alt: Flags [S], seq 327110642:327111666, win 61389, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: HTTP
19:23:04.894337 IP 10.0.0.164.24876 > 149.104.172.13.http-alt: Flags [S], seq 3873353929:3873354953, win 62515, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: HTTP
19:23:04.894338 IP 10.0.0.164.14335 > 149.104.172.13.http-alt: Flags [S], seq 1994197316:1994198340, win 64293, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: HTTP
19:23:04.894362 IP 10.0.0.164.29794 > 149.104.172.13.http-alt: Flags [S], seq 2999526594:2999527618, win 62640, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: HTTP
19:23:04.894363 IP 10.0.0.164.8708 > 149.104.172.13.http-alt: Flags [S], seq 2651159248:2651160272, win 60364, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: HTTP
19:23:04.894375 IP 10.0.0.164.25342 > 149.104.172.13.http-alt: Flags [S], seq 2210507666:2210508690, win 65469, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: HTTP
19:23:04.894403 IP 10.0.0.164.63876 > 149.104.172.13.http-alt: Flags [S], seq 2325756523:2325757547, win 60133, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: HTTP
19:23:04.894403 IP 10.0.0.164.19145 > 149.104.172.13.http-alt: Flags [S], seq 3780180892:3780181916, win 61355, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: HTTP
19:23:04.894404 IP 10.0.0.164.63093 > 149.104.172.13.http-alt: Flags [S], seq 3359947723:3359948747, win 63820, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: HTTP
19:23:04.894421 IP 10.0.0.164.55776 > 149.104.172.13.http-alt: Flags [S], seq 807420040:807421064, win 65034, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: HTTP
19:23:04.894422 IP 10.0.0.164.44954 > 149.104.172.13.http-alt: Flags [S], seq 1583371962:1583372986, win 64013, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: HTTP
19:23:04.894423 IP 10.0.0.164.65339 > 149.104.172.13.http-alt: Flags [S], seq 571368979:571370003, win 60122, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: HTTP
19:23:04.894434 IP 10.0.0.164.redis > 149.104.172.13.http-alt: Flags [S], seq 1197209121:1197210145, win 63575, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: RESP [|resp]
19:23:04.894444 IP 10.0.0.164.49499 > 149.104.172.13.http-alt: Flags [S], seq 1609480452:1609481476, win 64317, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: HTTP
19:23:04.894445 IP 10.0.0.164.16616 > 149.104.172.13.http-alt: Flags [S], seq 1328489515:1328490539, win 61186, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: HTTP
19:23:04.894469 IP 10.0.0.164.5055 > 149.104.172.13.http-alt: Flags [S], seq 2294599936:2294600960, win 60039, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: HTTP
19:23:04.894470 IP 10.0.0.164.57665 > 149.104.172.13.http-alt: Flags [S], seq 3085679842:3085680866, win 60359, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: HTTP
19:23:04.894476 IP 10.0.0.164.34572 > 149.104.172.13.http-alt: Flags [S], seq 1083398791:1083399815, win 63154, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: HTTP
19:23:04.894478 IP 10.0.0.164.54051 > 149.104.172.13.http-alt: Flags [S], seq 933092510:933093534, win 61144, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: HTTP
19:23:04.894488 IP 10.0.0.164.5584 > 149.104.172.13.http-alt: Flags [S], seq 740054641:740055665, win 64130, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: HTTP
19:23:04.894497 IP 10.0.0.164.48832 > 149.104.172.13.http-alt: Flags [S], seq 2182635607:2182636631, win 61360, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: HTTP
19:23:04.894505 IP 10.0.0.164.20596 > 149.104.172.13.http-alt: Flags [S], seq 1991614008:1991615032, win 61387, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: HTTP
19:23:04.894514 IP 10.0.0.164.10415 > 149.104.172.13.http-alt: Flags [S], seq 3328600516:3328601540, win 64991, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: HTTP
19:23:04.894524 IP 10.0.0.164.15907 > 149.104.172.13.http-alt: Flags [S], seq 3889926684:3889927708, win 63688, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: HTTP
19:23:04.894532 IP 10.0.0.164.38367 > 149.104.172.13.http-alt: Flags [S], seq 4003707486:4003708510, win 60132, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: HTTP
19:23:04.894541 IP 10.0.0.164.22077 > 149.104.172.13.http-alt: Flags [S], seq 2683543330:2683544354, win 64541, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: HTTP
19:23:04.894550 IP 10.0.0.164.32237 > 149.104.172.13.http-alt: Flags [S], seq 655748041:655749065, win 63855, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: HTTP
19:23:04.894559 IP 10.0.0.164.10433 > 149.104.172.13.http-alt: Flags [S], seq 1704207826:1704208850, win 60566, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: HTTP
19:23:04.894568 IP 10.0.0.164.17038 > 149.104.172.13.http-alt: Flags [S], seq 3412450601:3412451625, win 64680, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: HTTP
19:23:04.894577 IP 10.0.0.164.16057 > 149.104.172.13.http-alt: Flags [S], seq 1353317729:1353318753, win 63371, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: HTTP
19:23:04.894586 IP 10.0.0.164.38308 > 149.104.172.13.http-alt: Flags [S], seq 778716465:778717489, win 63715, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: HTTP
19:23:04.894595 IP 10.0.0.164.63523 > 149.104.172.13.http-alt: Flags [S], seq 1571320013:1571321037, win 64213, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: HTTP
19:23:04.894604 IP 10.0.0.164.25583 > 149.104.172.13.http-alt: Flags [S], seq 3980841495:3980842519, win 64734, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: HTTP
19:23:04.894612 IP 10.0.0.164.33176 > 149.104.172.13.http-alt: Flags [S], seq 2905120908:2905121932, win 61631, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: HTTP
19:23:04.894621 IP 10.0.0.164.61998 > 149.104.172.13.http-alt: Flags [S], seq 2097172203:2097173227, win 61022, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: HTTP
19:23:04.894632 IP 10.0.0.164.20042 > 149.104.172.13.http-alt: Flags [S], seq 1127745310:1127746334, win 62413, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: HTTP
^C19:23:22.895128 IP 10.0.0.164.2251 > 212.24.127.191.http-alt: Flags [S], seq 134278550:134279574, win 62666, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 1024: HTTP

5657 packets captured
4402323 packets received by filter
4394757 packets dropped by kernel

Here’s the output of dmesg before and after using dietpi-config to restart networking:

[    7.878591] wireguard: WireGuard 1.0.0 loaded. See www.wireguard.com for information.
[    7.878594] wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
[    8.959365] Initializing XFRM netlink socket
[    8.978715] bridge: filtering via arp/ip/ip6tables is no longer available by default. Update your scripts to load br_netfilter if you need this.
[   10.125114] br-f2c72f64f521: port 1(veth7df0d10) entered blocking state
[   10.125117] br-f2c72f64f521: port 1(veth7df0d10) entered disabled state
[   10.125602] device veth7df0d10 entered promiscuous mode
[   10.125932] br-f2c72f64f521: port 1(veth7df0d10) entered blocking state
[   10.125934] br-f2c72f64f521: port 1(veth7df0d10) entered forwarding state
[   10.125962] br-f2c72f64f521: port 1(veth7df0d10) entered disabled state
[   10.305027] eth0: renamed from veth36857d1
[   10.329040] br-f2c72f64f521: port 1(veth7df0d10) entered blocking state
[   10.329043] br-f2c72f64f521: port 1(veth7df0d10) entered forwarding state
[   11.507320] r8168: eth1: link up
[   11.667706] br-715b18a476c6: port 1(veth3bf3387) entered blocking state
[   11.667710] br-715b18a476c6: port 1(veth3bf3387) entered disabled state
[   11.667928] device veth3bf3387 entered promiscuous mode
[   11.668090] br-715b18a476c6: port 1(veth3bf3387) entered blocking state
[   11.668092] br-715b18a476c6: port 1(veth3bf3387) entered forwarding state
[   11.668127] br-715b18a476c6: port 1(veth3bf3387) entered disabled state
[   11.673534] br-b93c19b13c7c: port 1(vethea62321) entered blocking state
[   11.673538] br-b93c19b13c7c: port 1(vethea62321) entered disabled state
[   11.673579] device vethea62321 entered promiscuous mode
[   11.673642] br-b93c19b13c7c: port 1(vethea62321) entered blocking state
[   11.673644] br-b93c19b13c7c: port 1(vethea62321) entered forwarding state
[   11.673675] br-b93c19b13c7c: port 1(vethea62321) entered disabled state
[   11.776967] nvidia_uvm: module uses symbols nvUvmInterfaceDisableAccessCntr from proprietary module nvidia, inheriting taint.
[   11.816471] nvidia-uvm: Loaded the UVM driver, major device number 237.
[   11.909282] eth0: renamed from veth430a4aa
[   11.961261] br-715b18a476c6: port 1(veth3bf3387) entered blocking state
[   11.961265] br-715b18a476c6: port 1(veth3bf3387) entered forwarding state
[   11.961372] eth0: renamed from vetha1dfbbf
[   11.992978] br-b93c19b13c7c: port 1(vethea62321) entered blocking state
[   11.992981] br-b93c19b13c7c: port 1(vethea62321) entered forwarding state
[   13.091641] tun: Universal TUN/TAP device driver, 1.6
[   29.978744] br-b93c19b13c7c: port 1(vethea62321) entered disabled state
[   29.979631] vetha1dfbbf: renamed from eth0
[   30.024255] br-b93c19b13c7c: port 1(vethea62321) entered disabled state
[   30.024954] device vethea62321 left promiscuous mode
[   30.024956] br-b93c19b13c7c: port 1(vethea62321) entered disabled state
[   58.172932] br-f2c72f64f521: port 1(veth7df0d10) entered disabled state
[   58.173484] veth36857d1: renamed from eth0
[   58.224492] br-f2c72f64f521: port 1(veth7df0d10) entered disabled state
[   58.245503] device veth7df0d10 left promiscuous mode
[   58.245507] br-f2c72f64f521: port 1(veth7df0d10) entered disabled state
[   66.786122] br-715b18a476c6: port 1(veth3bf3387) entered disabled state
[   66.786688] veth430a4aa: renamed from eth0
[   66.824538] br-715b18a476c6: port 1(veth3bf3387) entered disabled state
[   66.825426] device veth3bf3387 left promiscuous mode
[   66.825428] br-715b18a476c6: port 1(veth3bf3387) entered disabled state
[  128.844881] nf_conntrack: nf_conntrack: table full, dropping packet
[  130.809970] nf_conntrack: nf_conntrack: table full, dropping packet
[  131.169865] nf_conntrack: nf_conntrack: table full, dropping packet
[  131.226916] nf_conntrack: nf_conntrack: table full, dropping packet
[  133.614716] nf_conntrack: nf_conntrack: table full, dropping packet
[  133.620388] nf_conntrack: nf_conntrack: table full, dropping packet
[  133.677747] nf_conntrack: nf_conntrack: table full, dropping packet
[  133.797363] nf_conntrack: nf_conntrack: table full, dropping packet
[  134.026252] nf_conntrack: nf_conntrack: table full, dropping packet
[  140.730630] eth1: 0xffffafbac00d1000, 8c:90:2d:d7:76:b8, IRQ 128
[  141.040125] nf_conntrack: nf_conntrack: table full, dropping packet
[  141.069789] nf_conntrack: nf_conntrack: table full, dropping packet
[  141.120903] nf_conntrack: nf_conntrack: table full, dropping packet
[  141.153858] nf_conntrack: nf_conntrack: table full, dropping packet
[  141.161998] nf_conntrack: nf_conntrack: table full, dropping packet
[  141.166138] nf_conntrack: nf_conntrack: table full, dropping packet
[  141.260150] nf_conntrack: nf_conntrack: table full, dropping packet
[  141.290585] nf_conntrack: nf_conntrack: table full, dropping packet
[  141.391194] nf_conntrack: nf_conntrack: table full, dropping packet
[  141.416393] nf_conntrack: nf_conntrack: table full, dropping packet
[  144.883386] r8168: eth1: link up

I also thought it might be helpful to include /etc/network/interfaces? Might be unnecessary, but doesn’t hurt right?

dietpi@Nebelung:~$ cat /etc/network/interfaces
# Location: /etc/network/interfaces
# Please modify network settings via: dietpi-config
# Or create your own drop-ins in: /etc/network/interfaces.d/

# Drop-in configs
source interfaces.d/*

# Ethernet
allow-hotplug eth1
iface eth1 inet static
address 10.0.0.164
netmask 255.255.255.0
gateway 10.0.0.1
#dns-nameservers 192.168.2.1 8.8.8.8 8.8.4.4 1.1.1.1

# WiFi
#allow-hotplug wlan0
iface wlan0 inet dhcp
address 192.168.0.100
netmask 255.255.255.0
gateway 192.168.0.1
#dns-nameservers 192.168.2.1 8.8.8.8 8.8.4.4 1.1.1.1
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

And finally I wanted to attach what happens on a different computer while the network is acting up:

$ nslookup google.com
;; communications error to 8.8.8.8#53: timed out
;; communications error to 8.8.8.8#53: timed out
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   google.com
Address: 142.250.114.138
Name:   google.com
Address: 142.250.114.100
Name:   google.com
Address: 142.250.114.113
Name:   google.com
Address: 142.250.114.139
Name:   google.com
Address: 142.250.114.102
Name:   google.com
Address: 142.250.114.101
Name:   google.com
Address: 2607:f8b0:4023:1002::66
Name:   google.com
Address: 2607:f8b0:4023:1002::71
Name:   google.com
Address: 2607:f8b0:4023:1002::8b
Name:   google.com
Address: 2607:f8b0:4023:1002::64

I’m not sure what else to include. Part of the problem is there are other people using the network at my home and I can’t reliably test this without affecting them. I’m also not sure how to use those network tools, again I’m very new to some of this stuff. Thanks for your patience!

Edit: Update some logs. I had a bad /etc/hosts entry that was making my machine’s local ip show up as pi.hole. After removing that, there’s been no change.

Update. I think what’s happening here is I have malware on the PC. I foolishly opened up the ssh port at the end of December and someone remoted in and dropped trojan files on it to run on startup - the time frame fits.

When I run ss, I see this at the very bottom:

???   ESTAB 0      188928                      10.0.0.164:ipproto-255 154.82.68.86:ipproto-80
???   ESTAB 0      170496                      10.0.0.164:ipproto-255 154.82.68.86:ipproto-80
tcp   ESTAB 0      0                           10.0.0.164:ssh             10.0.0.40:33074
tcp   ESTAB 0      0                           10.0.0.164:51708       186.2.171.38:2070
tcp   ESTAB 0      0                           10.0.0.164:59560       186.2.171.38:2070

I’ve discovered that running sudo ss -tp -K dst 186.2.171.38 instantly fixes my problem… for about five seconds, and then a new connection to the same destination appears in ss.

I turned off everything I could think of and see nothing especially suspicious in htop (this is me remoting in from another pc, that’s why it’s styled like this):

image895×481 139 KB

Any advice on doing virus scans or investigating where these rogue connections are coming from? Or should I completely reinstall dietpi?

dietpi-backup

This is actually very insightful. Something is trying to DDoS some IP in Hong Kong.

Yes, that’s a reasonable explanation. Your dietpi has become part of a botnet. Which explains the things you see in tcpdump.

Complete reinstall. Use strong password and SSH keys for the login. Do not open ports from the Internet if there is no reason. Use a VPN server on the router or dietpi to access remotely your devices, rather than open SSH from the Internet.

Totally agree with @trendy

Don’t try to repair this instance and don’t open critical ports towards the internet.