[80057] in North American Network Operators' Group


Re: New worm?

daemon@ATHENA.MIT.EDU (Peter John Hill)
Fri Apr 22 13:29:54 2005

In-Reply-To: <38d82bb8228ac3d054ca532f67eec485@gizmopartners.com>
Cc: nanog@merit.edu
From: Peter John Hill <peterjhill@cmu.edu>
Date: Fri, 22 Apr 2005 10:27:56 -0700
To: Chris Boyd <cboyd@gizmopartners.com>
Errors-To: owner-nanog@merit.edu


Are they behind a firewall? Are they using private address space? If 
not, could they have just been owned? Has someone installed an FTP 
server on them and is using them to distribute warez or, more likely, 
movies? Perhaps made them BitTorrent servers/clients?

Check out Argus... it is a good flow monitoring tool... You can have it 
put together a variable amount of userdata from all the packets and let 
you get a better idea of what is going on than from just looking at raw 
NetFlow data.

Peter


On Apr 21, 2005, at 9:11 PM, Chris Boyd wrote:

>
> Several machines on a resnet that I consult for have started spewing 
> traffic--50Mbits/sec all the way up to line rate.  We're working on 
> discoing the affected machines and getting traffic characteristics.
>
> Anyone else seeing similar?
>
> --Chris
>
>

