[122677] in North American Network Operators' Group


Re: New botnet launch?

daemon@ATHENA.MIT.EDU (Jon Lewis)
Fri Feb 19 10:28:56 2010

Date: Fri, 19 Feb 2010 10:28:20 -0500 (EST)
From: Jon Lewis <jlewis@lewis.org>
To: Drew Weaver <drew.weaver@thenap.com>
In-Reply-To: <F3318834F1F89D46857972DD4B411D700184437EBE@EXCHANGE.thenap.com>
Cc: "'nanog@nanog.org'" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Fri, 19 Feb 2010, Drew Weaver wrote:

> All,
>
> We noticed at around midnight for a brief period of time and around 6AM 
> EST for an extended period that several hosted customer servers (4 
> completely different customers) launched quite a campaign doing 100Mbps 
> during these times (on 100Mbps ports).
>
> The thing I find 'suspicious' is that all of the machines' connected 
> interfaces said they were sending out 200Mbps (on 100Mbps links) and 
> that they all had the same exact traffic profile (MRTG, etc).
>
> 5 minute input rate 213353000 bits/sec, 18516 packets/sec
>  5 minute output rate 583000 bits/sec, 855 packets/sec

If these "100Mbps ports" are 100BaseT ethernet, and your switch(es) 
reported them receiving 213353000 bits/sec, I'd be more suspicious of 
cisco counter bugs than a new botnet.  100BaseT can't do that.  Cisco has 
a long history of writing code that can't count properly.

----------------------------------------------------------------------
  Jon Lewis                   |  I route
  Senior Network Engineer     |  therefore you are
  Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
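The sanity check Jon is applying above (a reported rate above the physical line rate points at the counter, not the host) can be scripted over the quoted "5 minute ... rate" lines. This is an added example, not code from the thread; it assumes the ports are 100BaseT (100 Mbit/s line rate) and the Cisco-style line format quoted in Drew's post, and the thresholds are illustrative.

```python
import re

# Constructed sample: the two counter lines quoted in the thread.
SAMPLE_OUTPUT = """\
5 minute input rate 213353000 bits/sec, 18516 packets/sec
5 minute output rate 583000 bits/sec, 855 packets/sec
"""

LINE_RE = re.compile(
    r"5 minute (?P<dir>input|output) rate (?P<bps>\d+) bits/sec, "
    r"(?P<pps>\d+) packets/sec"
)

FAST_ETHERNET_BPS = 100_000_000   # 100BaseT line rate (assumed link type)
MAX_ETHERNET_FRAME = 1518         # bytes, untagged max frame on the wire


def parse_rates(text):
    """Return {direction: (bits_per_sec, packets_per_sec)} from show-interface lines."""
    return {m.group("dir"): (int(m.group("bps")), int(m.group("pps")))
            for m in LINE_RE.finditer(text)}


def avg_frame_bytes(bps, pps):
    """Average frame size implied by the two counters; >1518 is itself impossible."""
    return round(bps / 8 / pps) if pps else 0


def classify_rate(bps, link_bps=FAST_ETHERNET_BPS, busy_threshold=0.9):
    """Compare a reported rate with the physical link speed."""
    utilization = bps / link_bps
    if utilization > 1.0:
        return "impossible"   # above line rate: distrust the counter, not the host
    if utilization >= busy_threshold:
        return "saturated"    # physically plausible: go look at the host
    return "normal"


def assess_port(text, link_bps=FAST_ETHERNET_BPS):
    """Map each direction to (utilization, avg frame bytes, verdict).
    On a switch port, 'input' is what the attached host transmits, so a
    server that is 'sending out' traffic shows up as the port's input rate."""
    return {d: (round(bps / link_bps, 3), avg_frame_bytes(bps, pps),
                classify_rate(bps, link_bps))
            for d, (bps, pps) in parse_rates(text).items()}


if __name__ == "__main__":
    for direction, (util, frame, verdict) in assess_port(SAMPLE_OUTPUT).items():
        print(f"{direction:6s} {util:8.1%}  ~{frame} B/frame  {verdict}")
```

The quoted input rate comes out at about 213% of a 100 Mbit/s link, which is what makes it a counter question rather than a traffic question; the implied ~1440-byte average frame is plausible on its own, so the bits/packets pair is internally consistent even though the absolute rate is not.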

