nanog mailing list archives
RE: New botnet launch?
From: Drew Weaver <drew.weaver () thenap com>
Date: Fri, 19 Feb 2010 10:49:32 -0500
Sorry, the point was that MRTG and other metrics also showed that they were doing 100Mbps, and I am well aware of counter bugs in Cisco's IOS but it has never been that out of whack (on several different switches) before, also the fact that all of these hosts are Windows 2003 and had the exact same SNMP metrics is kind of suspicious to me, but maybe I'm wrong. -----Original Message----- From: Jon Lewis [mailto:jlewis () lewis org] Sent: Friday, February 19, 2010 10:28 AM To: Drew Weaver Cc: 'nanog () nanog org' Subject: Re: New botnet launch? On Fri, 19 Feb 2010, Drew Weaver wrote:
All, We noticed at around midnight for a brief period of time and around 6AM EST for an extended period that several hosted customer servers (4 completely different customers) launched quite a campaign doing 100Mbps during these times (on 100Mbps ports). The thing I find 'suspicious' is that all of the machines connected Interfaces said they were sending out 200Mbps (on 100Mbps links) and that they all had the same exact traffic profile (MRTG, etc). 5 minute input rate 213353000 bits/sec, 18516 packets/sec 5 minute output rate 583000 bits/sec, 855 packets/sec
If these "100Mbps ports" are 100BaseT ethernet, and your switch(es) reported them receiving 213353000 bits/sec, I'd be more suspicious of cisco counter bugs than a new botnet. 100BaseT can't do that. Cisco has a long history of writing code that can't count properly. ---------------------------------------------------------------------- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
Current thread:
- New botnet launch? Drew Weaver (Feb 19)
- Re: New botnet launch? Jon Lewis (Feb 19)
- RE: New botnet launch? Drew Weaver (Feb 19)
- Re: New botnet launch? Jon Lewis (Feb 19)