NetBSD-Users archive


Unusual outbound traffic on NetBSD 5_Stable Firewall



I have a long serving 5_Stable i386 firewall/nat/server box between my
home network and a cable modem. I'm the only user, I do not permit root
login. SSH and www are the only direct incoming protocols I allow.

Just recently my network started coming to a crawl and I noticed high
outbound traffic on my outward facing interface wm0 with no reciprocal
traffic from my home network on wm1.

I noticed this problem yesterday and I chose to reboot the system since it
had been up for over 60 days, though I've had it up over 6 months in the
past with no issues... the problem went away... then came back this
morning.

Here is the interface statistics overnight (note Opkts on wm0):
Name            Ipkts  Ierrs        Opkts  Oerrs  Colls
wm0           1347651      0     28525508      0      0
wm1            602756      2       892120      0      0
lo0               618      0          618      0      0

I immediately killed all the small server programs I had running (web,
chat, inetd), yet the traffic continued to saturate wm0 to my cable modem.

I used iftop to see what address was receiving the majority of the
traffic, but this does not tell me what process. I tried blocking the
address and restarting ipf with this address blocked by rule, but the
traffic continued. I finally rebooted the system and the upstream
saturation finally went away again. For now...

Since it's been a while (May '13) since I updated kernel and userland, I'm
working on that now. But...

1) How do I figure out what's happening?
2) Has my firewall been compromised?
3) Could my cable box be compromised?

thanks in advance,
gene
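A check for the pattern in the table above (outbound packets on one interface far above inbound, with nothing matching on the inside interface), added here as an example and not part of gene's post: it locates the Ipkts and Opkts columns from the header of `netstat -i`-style output, so it works on the trimmed table quoted in the post. The embedded sample is a copy of the post's own table, and the ratio threshold of 5 is an assumed starting value.

```shell
#!/bin/sh
# Added example, not from the original post.  Reads a `netstat -i`-style
# table and reports interfaces whose outbound packet count exceeds the
# inbound count by more than a chosen ratio, the pattern the post reports
# on wm0 with no matching traffic on wm1.

# Sample input: the interface table quoted in the post (constructed copy).
SAMPLE='Name            Ipkts  Ierrs        Opkts  Oerrs  Colls
wm0           1347651      0     28525508      0      0
wm1            602756      2       892120      0      0
lo0               618      0          618      0      0'

# flag_asymmetric RATIO
#   Reads the table on stdin.  Column positions of Ipkts and Opkts are taken
#   from the header line, so the same function works on the trimmed table
#   above and on full netstat -i output whose rows carry every column.
#   Prints "<iface> <opkts/ipkts>" for each row over the threshold.
flag_asymmetric() {
    awk -v ratio="$1" '
        NR == 1 {
            for (i = 1; i <= NF; i++) {
                if ($i == "Ipkts") ip = i
                if ($i == "Opkts") op = i
            }
            next
        }
        ip && op && $ip > 0 && $op / $ip > ratio {
            printf "%s %.1f\n", $1, $op / $ip
        }'
}

# A threshold of 5 is an assumed, deliberately loose starting point; raise
# it for links that are legitimately one-directional (e.g. a server uplink).
printf '%s\n' "$SAMPLE" | flag_asymmetric 5
```

Against live output (`netstat -i | flag_asymmetric 5`) every row must carry all header columns, since NetBSD's full `netstat -i` also prints Mtu, Network and Address. This only shows which interface the traffic leaves on, not which process is sending it.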


