[122678] in North American Network Operators' Group
RE: New botnet launch?
daemon@ATHENA.MIT.EDU (Drew Weaver)
Fri Feb 19 10:50:07 2010
From: Drew Weaver <drew.weaver@thenap.com>
To: 'Jon Lewis' <jlewis@lewis.org>
Date: Fri, 19 Feb 2010 10:49:32 -0500
In-Reply-To: <Pine.LNX.4.61.1002191025560.22812@soloth.lewis.org>
Cc: "'nanog@nanog.org'" <nanog@nanog.org>
Sorry, the point was that MRTG and other metrics also showed that they were doing 100Mbps, and I am well aware of counter bugs in Cisco's IOS, but it has never been that out of whack (on several different switches) before. Also, the fact that all of these hosts are Windows 2003 and had the exact same SNMP metrics is kind of suspicious to me, but maybe I'm wrong.
-----Original Message-----
From: Jon Lewis [mailto:jlewis@lewis.org]
Sent: Friday, February 19, 2010 10:28 AM
To: Drew Weaver
Cc: 'nanog@nanog.org'
Subject: Re: New botnet launch?
On Fri, 19 Feb 2010, Drew Weaver wrote:
> All,
>
> We noticed at around midnight for a brief period of time and around 6AM
> EST for an extended period that several hosted customer servers (4
> completely different customers) launched quite a campaign doing 100Mbps
> during these times (on 100Mbps ports).
>
> The thing I find 'suspicious' is that all of the machines connected
> Interfaces said they were sending out 200Mbps (on 100Mbps links) and
> that they all had the same exact traffic profile (MRTG, etc).
>
> 5 minute input rate 213353000 bits/sec, 18516 packets/sec
> 5 minute output rate 583000 bits/sec, 855 packets/sec
If these "100Mbps ports" are 100BaseT ethernet, and your switch(es)
reported them receiving 213353000 bits/sec, I'd be more suspicious of
cisco counter bugs than a new botnet. 100BaseT can't do that. Cisco has
a long history of writing code that can't count properly.
----------------------------------------------------------------------
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
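The two suspicions raised in this exchange (a reported rate that exceeds what a 100BaseT port can physically carry, and several unrelated hosts showing byte-identical SNMP metrics) can both be turned into mechanical checks on the poller side. The script below is an added example written for this archive page; it is not code from either poster or from MRTG. It assumes MRTG-style polling of the standard IF-MIB octet counters (ifInOctets as Counter32, ifHCInOctets as Counter64) and uses constructed sample values; the host names and rate tuples are illustrative only.

```python
"""Plausibility checks for SNMP interface rates (added example, not from the thread).

Two checks matching the thread's two suspicions:
  1. a 5-minute bit rate derived from ifInOctets that exceeds ifSpeed is
     physically impossible on 100BaseT and points at a counter bug, reset or
     mis-handled wrap rather than at traffic;
  2. several unrelated hosts reporting identical rate profiles is itself
     a signal worth flagging.
All sample values below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

COUNTER32_MOD = 2 ** 32   # ifInOctets/ifOutOctets are Counter32 (wrap at 2^32)
COUNTER64_MOD = 2 ** 64   # ifHCInOctets/ifHCOutOctets are Counter64


@dataclass(frozen=True)
class Sample:
    t: float      # poll time, seconds
    octets: int   # raw counter value at time t


def counter_delta(prev: int, cur: int, modulus: int = COUNTER32_MOD) -> int:
    """Octets counted between two polls, assuming at most one wrap.

    The trap: a counter that goes backwards for any other reason (reset,
    firmware bug) is indistinguishable from a wrap and yields a delta close
    to the full modulus, i.e. an absurdly high rate.
    """
    if cur >= prev:
        return cur - prev
    return (modulus - prev) + cur


def bits_per_second(a: Sample, b: Sample, modulus: int = COUNTER32_MOD) -> float:
    """Average bit rate between two polls, as MRTG-style pollers derive it."""
    if b.t <= a.t:
        raise ValueError("samples must be in increasing time order")
    return counter_delta(a.octets, b.octets, modulus) * 8 / (b.t - a.t)


def max_poll_interval(if_speed_bps: int, modulus: int = COUNTER32_MOD) -> float:
    """Longest poll interval (s) before a line-rate link can wrap the counter twice.

    For 100 Mbps and Counter32 this is about 343 s, so a 5-minute poll is only
    just safe; polling less often, or using Counter32 on gigabit, silently
    undercounts because a double wrap cannot be detected.
    """
    return modulus * 8 / if_speed_bps


def classify_rate(bps: float, if_speed_bps: int, slack: float = 0.01) -> str:
    """'impossible' above link speed (plus slack for poll-timing jitter),
    'saturated' above 90% of link speed, else 'ok'."""
    if bps > if_speed_bps * (1 + slack):
        return "impossible"
    if bps > if_speed_bps * 0.9:
        return "saturated"
    return "ok"


def identical_profiles(profiles: dict[str, tuple]) -> list[list[str]]:
    """Group hosts whose (in_bps, out_bps, in_pps, out_pps) tuples match exactly.

    Independent customers saturating a link do not produce identical
    counters; exact matches suggest a shared artefact (same bug, same tool,
    or the same controlling software) rather than several coincidences.
    """
    groups: dict[tuple, list[str]] = defaultdict(list)
    for host, profile in profiles.items():
        groups[profile].append(host)
    return [sorted(hosts) for hosts in groups.values() if len(hosts) > 1]


if __name__ == "__main__":
    FE = 100_000_000  # 100BaseT, bits/sec
    # Constructed: the counter ticked *backwards* by 1000 octets between polls
    # (a reset or bug), which the wrap logic turns into ~114 Mbps on a 100 Mbps port.
    a, b = Sample(0.0, 500_000), Sample(300.0, 499_000)
    rate = bits_per_second(a, b)
    print(f"{rate / 1e6:.1f} Mbps -> {classify_rate(rate, FE)}")
    print(identical_profiles({"cust1": (1, 2, 3, 4), "cust2": (1, 2, 3, 4),
                              "cust3": (5, 6, 7, 8)}))
```

The backwards-counter case is the one to keep in mind when a "5 minute input rate" on a Fast Ethernet port reads above 100 Mbps: a tiny negative step in the raw counter produces a rate near the wrap ceiling, which is why an impossible rate should be treated as a counter problem before it is treated as traffic.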