RE: New botnet launch?

[Drew Weaver <drew.weaver () thenap com>]

Sorry, the point was that MRTG and other metrics also showed that they were doing 100Mbps, and I am well aware of 
counter bugs in Cisco's IOS but it has never been that out of whack (on several different switches) before, also the 
fact that all of these hosts are Windows 2003 and had the exact same SNMP metrics is kind of suspicious to me, but 
maybe I'm wrong.

-----Original Message-----
From: Jon Lewis [mailto:jlewis () lewis org] 
Sent: Friday, February 19, 2010 10:28 AM
To: Drew Weaver
Cc: 'nanog () nanog org'
Subject: Re: New botnet launch?

On Fri, 19 Feb 2010, Drew Weaver wrote:

> All,
>
> We noticed at around midnight for a brief period of time and around 6AM 
> EST for an extended period that several hosted customer servers (4 
> completely different customers) launched quite a campaign doing 100Mbps 
> during these times (on 100Mbps ports).
>
> The thing I find 'suspicious' is that all of the machines connected 
> Interfaces said they were sending out 200Mbps (on 100Mbps links) and 
> that they all had the same exact traffic profile (MRTG, etc).
>
> 5 minute input rate 213353000 bits/sec, 18516 packets/sec
>  5 minute output rate 583000 bits/sec, 855 packets/sec

If these "100Mbps ports" are 100BaseT ethernet, and your switch(es) 
reported them receiving 213353000 bits/sec, I'd be more suspicious of 
cisco counter bugs than a new botnet.  100BaseT can't do that.  Cisco has 
a long history of writing code that can't count properly.

----------------------------------------------------------------------
  Jon Lewis                   |  I route
  Senior Network Engineer     |  therefore you are
  Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________