Yes, the traffic is coming from 1 ip addess to multiple ip addresses when the link is down. It only happens when I break a link in the ospf area. I block multiple dns responses from servers when the connection limit is higher than 40 a botnet detection type of rule. The 0 rx rate is cause im dropping the traffic because it met the rule.I'm not sure that I follow your question.
The traffic in the graphic is DNS lookups which are failing - note the zero rx rate.
When the link goes down the routes are dropped from the routing table. So the traffic has no where to go, but to be dropped. I do host 2 dns servers but this traffic's DST is port 53 on all the ip addresses that are down, but why would the ip addresses that are down be receiving traffic on 53 anyway if it wasnt a DNS server. I can do a pcap and post it if that would help.There are actually multiple IPs showing on both sides - both your IPs and external. Not really enough information to know what is going on, but assuming that you do actually run DNS services which are accessed from external addresses (i.e. DNS services for sites you are hosting etc.) check that when the link is down you aren't bouncing the DNS traffic around in a routing loop.
There is 0 NATs in this router. The routing is dynamic via OSPF.I suggest looking at your routing and NAT entries to unravel this.
If external clients are sending DNS queries to your IP range and your internal route to those IPs is down then you *might* be sending the traffic back out to your ISP who promptly sends it back to you giving the appearance of heavy traffic.
