Full Version: Performing DDoS?
The Planet Forums > Security > DoS & D-DoS Mitigation
Joel
My server suffered a DDoS flood, inbound traffic 30M/s, 68465 SYN per second for more than 10 hours. And then they null-routed my IPs.

But they claimed my server was performing DDoS attacks against others at the same time.

What is the probability that a server performed a DDoS attack while suffering a heavy attack itself?

And I noticed that the other servers received TCP SYN ACK. Is this likely reply traffic?
cguimont
Could it be that your firewall was making the packets rebound???
That it sent the packets back to the other server?
nForcer
TCP SYN ACK translates to an ACKnowledgment packet sent back to the originating PC to acknowledge the 3-way handshake of TCP sessions.

DDoS's work by forging the source IP to something internal to the targeted network, once the packet gets into the network, the devices falsely handle which direction the packets are flowing and literally 'pile up' till they are flushed out of the system.

It is for that reason that DDoS's are hard to determine their real origin after x-amount of time has passed unless logging is performed and can be researched. ThePlanet Engineers did the last resort action they could by telling the incoming packets destined for your server to be instantly dropped. That way their own network integrity isn't at stake.

If you're not doing so already, I'd submit a trouble ticket to have your server rebooted (properly) and IPs made public again and IMMEDIATELY check for any viruses/etc so you can rule your machine out as being infected.
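One way to check whether the SYN-ACKs seen leaving a server are replies to a flood rather than connections the server opened itself, as an added Python example that is not from this thread: it walks a constructed packet summary (the server address and peers are assumed, taken from RFC 5737 documentation ranges) and pairs each outbound SYN-ACK with an earlier inbound SYN from the same peer and port.

```python
from collections import defaultdict

SERVER = "203.0.113.10"  # hypothetical address of the server under discussion

# Constructed packet summaries: (src_ip, dst_ip, dst_port, tcp_flags), where
# "S" = SYN, "SA" = SYN-ACK, "A" = ACK. The flood sources never finish the handshake.
SAMPLE_PACKETS = [
    ("198.51.100.7", SERVER, 80, "S"),
    (SERVER, "198.51.100.7", 80, "SA"),   # reply to the flood SYN (backscatter)
    ("198.51.100.8", SERVER, 80, "S"),
    (SERVER, "198.51.100.8", 80, "SA"),
    ("192.0.2.20", SERVER, 80, "S"),
    (SERVER, "192.0.2.20", 80, "SA"),
    ("192.0.2.20", SERVER, 80, "A"),      # handshake completed: a genuine client
    (SERVER, "192.0.2.99", 443, "S"),     # server opened a connection itself
    (SERVER, "198.51.100.9", 80, "SA"),   # SYN-ACK with no inbound SYN on record
]


def classify_tcp(packets, server):
    """Count inbound SYNs and split the server's outbound SYN/SYN-ACK packets into
    replies to an observed inbound SYN versus traffic the server originated."""
    pending = defaultdict(int)  # (peer, port) -> inbound SYNs not yet answered
    answered = set()            # (peer, port) pairs the server has sent a SYN-ACK to
    counts = {"inbound_syn": 0, "synack_reply": 0, "synack_unsolicited": 0,
              "outbound_syn": 0, "completed_handshake": 0}
    for src, dst, port, flags in packets:
        if dst == server and flags == "S":
            counts["inbound_syn"] += 1
            pending[(src, port)] += 1
        elif src == server and flags == "SA":
            if pending[(dst, port)] > 0:
                pending[(dst, port)] -= 1
                counts["synack_reply"] += 1
                answered.add((dst, port))
            else:
                counts["synack_unsolicited"] += 1
        elif src == server and flags == "S":
            counts["outbound_syn"] += 1
        elif dst == server and flags == "A" and (src, port) in answered:
            counts["completed_handshake"] += 1
            answered.discard((src, port))
    return counts


def looks_like_backscatter(counts):
    """True when every SYN-ACK the server sent answered a SYN it received and the
    server opened no connections of its own, i.e. the outbound traffic is reply traffic."""
    return (counts["synack_reply"] > 0 and counts["synack_unsolicited"] == 0
            and counts["outbound_syn"] == 0)
```

On a real capture the same pairing can be run over a tcpdump or flow export; a large count of inbound SYNs that are answered but never completed, with no server-originated SYNs, is the signature of a flooded host replying to spoofed sources rather than an attacking one.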
Joel
Thank you for your help.
But I don't actually understand how to record peaks as high as 70M/s of data to keep the same story from happening again.

Thanks again!