I seem to have got the wrong end of the stick here.
I've now been told from the data centre that provides my server that the dos attack was in fact FROM my server to that remote IP. It was in fact 1.5 tb of requests to port 50910.
My disk usage didn't increase for this period.
Any ideas where to look to discover where on my system the attack originated from?