Hi, NANOGers.

We've seen these PHP-built botnets for about two years now. They have recently become more popular. This is due to the fact that a very few of these bots can send out far more packet love than a large collection of broadband (generally Windows) bots. Return on investment and all that.

Most bots don't attack "forever." The typical bot commands give an attack duration in either packets or time. I suspect that'll be the case with this botnet, so the attack may not last for months. In other words, it would be wise to check those flows sooner rather than later.

Folks shouldn't focus solely on PHP, though that is the rage du jour. Even the venerable PhatBot family, generally used to compromise hosts running Windows, had a Linux spreader in it. Increasingly, Unix systems and Cisco routers are the primary targets.

Keep in mind that botnets are but one facet of the threat. There are a plethora of just-in-time DoSnets built off of the same vulnerabilities. In this case there is no central command and control, making mitigation even more challenging. It's fairly easy to run a command on a vulnerable host through the same exploit that will permit one to install a bot. Just-in-time DoSnets are readily built and used in amplification attacks as well.

Bots have never been solely a Windows problem.

Thanks,
Rob.
-- 
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
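One way to act on the advice above to "check those flows" is to sweep exported flow records for hosts on your own network that look like packet-flood sources: a small number of sources emitting very high packet rates of very small packets toward a single target, which is what a handful of PHP-hosted bots on server-class links would look like. The script below is an added example and is not code from the original post, from Rob Thomas, or from Team Cymru. The CSV flow layout, the field names, the thresholds, and the sample records (RFC 5737 documentation addresses) are constructed assumptions for illustration; adapt the parser to whatever your collector exports.

```python
"""Flag likely packet-flood sources in exported flow records.

Added example, not from the original NANOG post. The CSV layout, the
thresholds and the sample records are assumptions made for illustration.
"""
from collections import defaultdict

# Constructed sample export (assumed layout):
#   src,dst,proto,sport,dport,packets,bytes,duration_s
# 192.0.2.10 and 192.0.2.13 emit small packets at a high rate toward one
# target; 192.0.2.11 and 192.0.2.12 look like ordinary web servers replying.
SAMPLE_FLOWS = """\
192.0.2.10,198.51.100.7,17,53201,80,600000,24000000,60
192.0.2.10,198.51.100.7,6,40000,80,900000,54000000,60
192.0.2.11,203.0.113.25,6,443,50111,900,1200000,60
192.0.2.12,203.0.113.26,6,80,50112,1500,2100000,60
192.0.2.13,198.51.100.7,6,38000,80,400000,16000000,30
"""

PPS_THRESHOLD = 5000        # assumed: packets/sec from one flow that is suspicious
SMALL_PACKET_BYTES = 120    # assumed: average bytes/packet below this is flood-like


def parse_flows(text):
    """Parse the assumed CSV layout into a list of dicts, skipping blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, sport, dport, pkts, byts, dur = line.split(",")
        flows.append({
            "src": src, "dst": dst, "proto": int(proto),
            "sport": int(sport), "dport": int(dport),
            "packets": int(pkts), "bytes": int(byts), "duration": float(dur),
        })
    return flows


def flow_pps(flow):
    """Packets per second for one flow; a zero-length flow counts its packets as one second's worth."""
    duration = flow["duration"] if flow["duration"] > 0 else 1.0
    return flow["packets"] / duration


def flag_flood_sources(flows, pps_threshold=PPS_THRESHOLD,
                       small_packet_bytes=SMALL_PACKET_BYTES):
    """Return per-source summaries for sources that look like flood emitters.

    A source is flagged when at least one of its flows exceeds pps_threshold
    and its average packet size across all flows is below small_packet_bytes.
    The peak per-flow rate is used rather than total packets over total time,
    so that many short or overlapping flows neither hide nor inflate the rate.
    """
    per_src = defaultdict(lambda: {"packets": 0, "bytes": 0,
                                   "max_pps": 0.0, "dsts": set()})
    for f in flows:
        s = per_src[f["src"]]
        s["packets"] += f["packets"]
        s["bytes"] += f["bytes"]
        s["max_pps"] = max(s["max_pps"], flow_pps(f))
        s["dsts"].add(f["dst"])

    flagged = []
    for src, s in per_src.items():
        avg_bytes = s["bytes"] / s["packets"] if s["packets"] else 0.0
        if s["max_pps"] >= pps_threshold and avg_bytes < small_packet_bytes:
            flagged.append({
                "src": src,
                "max_pps": s["max_pps"],
                "avg_bytes": avg_bytes,
                "packets": s["packets"],
                "targets": sorted(s["dsts"]),
            })
    # Highest packet rate first: that is where the bulk of the "packet love" comes from.
    flagged.sort(key=lambda r: r["max_pps"], reverse=True)
    return flagged


if __name__ == "__main__":
    for r in flag_flood_sources(parse_flows(SAMPLE_FLOWS)):
        print(f"{r['src']}: peak {r['max_pps']:.0f} pps, "
              f"avg {r['avg_bytes']:.0f} B/pkt, {r['packets']} pkts -> {r['targets']}")
```

Two sources are flagged on the sample data: 192.0.2.10 (peak 15000 pps, 52 bytes/packet) and 192.0.2.13 (peak 13333 pps, 40 bytes/packet); the two ordinary web servers are not. Tune both thresholds to your own baseline, and remember that a bot given an attack duration in packets rather than time stops on its own, so the flows you want may already be in the past: scan the full retention window, not just the last few minutes.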