New botnet launch?
Jon Lewis
jlewis at lewis.org
Fri Feb 19 15:28:20 UTC 2010
On Fri, 19 Feb 2010, Drew Weaver wrote:
> All,
>
> We noticed at around midnight for a brief period of time and around 6AM
> EST for an extended period that several hosted customer servers (4
> completely different customers) launched quite a campaign doing 100Mbps
> during these times (on 100Mbps ports).
>
> The thing I find 'suspicious' is that all of the machines' connected
> interfaces said they were sending out 200Mbps (on 100Mbps links) and
> that they all had the same exact traffic profile (MRTG, etc).
>
> 5 minute input rate 213353000 bits/sec, 18516 packets/sec
> 5 minute output rate 583000 bits/sec, 855 packets/sec

If these "100Mbps ports" are 100BaseT Ethernet, and your switch(es)
reported them receiving 213353000 bits/sec, I'd be more suspicious of
Cisco counter bugs than a new botnet. 100BaseT can't do that. Cisco has
a long history of writing code that can't count properly.
----------------------------------------------------------------------
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
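
The plausibility check described in the reply above, as an added example that is not part of the original message: it parses the two quoted counter lines and flags any reading that exceeds what the link can physically carry. The function name `check_rates` and the operator-supplied `link_bps` value are assumptions of this example.

```python
import re

# IEEE 802.3 framing: 64-byte minimum frame, plus 8 bytes preamble/SFD and a
# 12-byte inter-frame gap on the wire that interface byte counters do not include.
MIN_FRAME = 64
WIRE_OVERHEAD = 20

RATE_RE = re.compile(
    r"5 minute (input|output) rate (\d+) bits/sec, (\d+) packets/sec")

# The two counter lines quoted in the message above.
SAMPLE = """\
5 minute input rate 213353000 bits/sec, 18516 packets/sec
5 minute output rate 583000 bits/sec, 855 packets/sec
"""

def check_rates(text, link_bps):
    """Map each direction to a list of reasons the reading is physically impossible."""
    # Highest packet rate the link can carry, reached only with minimum-size frames.
    max_pps = link_bps / ((MIN_FRAME + WIRE_OVERHEAD) * 8)
    findings = {}
    for direction, bps, pps in RATE_RE.findall(text):
        bps, pps = int(bps), int(pps)
        reasons = []
        if bps > link_bps:
            reasons.append(
                f"{bps} bit/s is {bps / link_bps:.2f}x the {link_bps} bit/s line rate")
        if pps > max_pps:
            reasons.append(
                f"{pps} pkt/s exceeds the {max_pps:.0f} pkt/s minimum-frame ceiling")
        findings[direction] = reasons  # empty list means the reading is plausible
    return findings

if __name__ == "__main__":
    for direction, reasons in check_rates(SAMPLE, 100_000_000).items():
        print(direction, "->", "; ".join(reasons) or "plausible")
```

A non-empty result for a port means the counter or the assumed link speed should be verified before the traffic itself is investigated.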