New botnet launch?

Drew Weaver drew.weaver at thenap.com
Fri Feb 19 15:49:32 UTC 2010


Sorry, the point was that MRTG and other metrics also showed that they were doing 100Mbps, and I am well aware of counter bugs in Cisco's IOS but it has never been that out of whack (on several different switches) before, also the fact that all of these hosts are Windows 2003 and had the exact same SNMP metrics is kind of suspicious to me, but maybe I'm wrong.

-----Original Message-----
From: Jon Lewis [mailto:jlewis at lewis.org] 
Sent: Friday, February 19, 2010 10:28 AM
To: Drew Weaver
Cc: 'nanog at nanog.org'
Subject: Re: New botnet launch?

On Fri, 19 Feb 2010, Drew Weaver wrote:

> All,
>
> We noticed at around midnight for a brief period of time and around 6AM 
> EST for an extended period that several hosted customer servers (4 
> completely different customers) launched quite a campaign doing 100Mbps 
> during these times (on 100Mbps ports).
>
> The thing I find 'suspicious' is that all of the machines connected 
> Interfaces said they were sending out 200Mbps (on 100Mbps links) and 
> that they all had the same exact traffic profile (MRTG, etc).
>
> 5 minute input rate 213353000 bits/sec, 18516 packets/sec
>  5 minute output rate 583000 bits/sec, 855 packets/sec

If these "100Mbps ports" are 100BaseT ethernet, and your switch(es) 
reported them receiving 213353000 bits/sec, I'd be more suspicious of 
cisco counter bugs than a new botnet.  100BaseT can't do that.  Cisco has 
a long history of writing code that can't count properly.

----------------------------------------------------------------------
  Jon Lewis                   |  I route
  Senior Network Engineer     |  therefore you are
  Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________




More information about the NANOG mailing list