New botnet launch?

Jon Lewis jlewis at lewis.org
Fri Feb 19 09:28:20 CST 2010


On Fri, 19 Feb 2010, Drew Weaver wrote:

> All,
>
> We noticed at around midnight for a brief period of time and around 6AM 
> EST for an extended period that several hosted customer servers (4 
> completely different customers) launched quite a campaign doing 100Mbps 
> during these times (on 100Mbps ports).
>
> The thing I find 'suspicious' is that all of the machines' connected 
> interfaces said they were sending out 200Mbps (on 100Mbps links) and 
> that they all had the same exact traffic profile (MRTG, etc).
>
> 5 minute input rate 213353000 bits/sec, 18516 packets/sec
>  5 minute output rate 583000 bits/sec, 855 packets/sec

If these "100Mbps ports" are 100BaseT ethernet, and your switch(es) 
reported them receiving 213353000 bits/sec, I'd be more suspicious of 
Cisco counter bugs than a new botnet.  100BaseT can't do that.  Cisco has 
a long history of writing code that can't count properly.

----------------------------------------------------------------------
  Jon Lewis                   |  I route
  Senior Network Engineer     |  therefore you are
  Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
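
The sanity check made in the reply above, as an added example that is not part of the original thread: it parses the quoted interface rate lines and flags any reading above the port's nominal line rate before the traffic is treated as real. The function name `check_rates`, the `link_bps` parameter and the sample text (the two quoted lines with the mail quoting stripped) are assumptions of this example.

```python
import re

# Matches interface rate lines in the format quoted in the thread.
RATE_RE = re.compile(
    r"(?P<mins>\d+) minute (?P<dir>input|output) rate "
    r"(?P<bps>\d+) bits/sec, (?P<pps>\d+) packets/sec"
)

# Constructed sample: the two lines quoted in the thread, "> " prefix removed.
SAMPLE = """\
5 minute input rate 213353000 bits/sec, 18516 packets/sec
 5 minute output rate 583000 bits/sec, 855 packets/sec
"""


def check_rates(text, link_bps):
    """Return one dict per rate line, flagging readings above the line rate.

    link_bps is the nominal speed of the port (hypothetical parameter name),
    e.g. 100_000_000 for a 100BaseT port.
    """
    findings = []
    for m in RATE_RE.finditer(text):
        bps, pps = int(m["bps"]), int(m["pps"])
        findings.append({
            "direction": m["dir"],
            "bps": bps,
            "pps": pps,
            # Fraction of the nominal line rate the counter claims.
            "utilisation": round(bps / link_bps, 2),
            # Mean packet size implied by the two counters taken together.
            "avg_packet_bytes": round(bps / 8 / pps) if pps else None,
            # A reading above line rate cannot be real traffic on that port.
            "impossible": bps > link_bps,
        })
    return findings


if __name__ == "__main__":
    for f in check_rates(SAMPLE, link_bps=100_000_000):
        verdict = ("exceeds line rate, suspect the counters"
                   if f["impossible"] else "plausible")
        print(f"{f['direction']:>6}: {f['bps']} bits/sec "
              f"({f['utilisation']:.0%} of link), "
              f"~{f['avg_packet_bytes']} bytes/packet -> {verdict}")
```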



