New botnet launch?
- Subject: New botnet launch?
- From: jlewis at lewis.org (Jon Lewis)
- Date: Fri, 19 Feb 2010 10:28:20 -0500 (EST)
- In-reply-to: <[email protected]>
- References: <[email protected]>
On Fri, 19 Feb 2010, Drew Weaver wrote:
> All,
>
> We noticed at around midnight for a brief period of time and around 6AM
> EST for an extended period that several hosted customer servers (4
> completely different customers) launched quite a campaign doing 100Mbps
> during these times (on 100Mbps ports).
>
> The thing I find 'suspicious' is that all of the machines' connected
> interfaces said they were sending out 200Mbps (on 100Mbps links) and
> that they all had the same exact traffic profile (MRTG, etc).
>
> 5 minute input rate 213353000 bits/sec, 18516 packets/sec
> 5 minute output rate 583000 bits/sec, 855 packets/sec
If these "100Mbps ports" are 100BaseT ethernet, and your switch(es)
reported them receiving 213353000 bits/sec, I'd be more suspicious of
Cisco counter bugs than a new botnet. 100BaseT can't do that. Cisco has
a long history of writing code that can't count properly.
----------------------------------------------------------------------
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________