Hi, Brian. ] https://uni01nf.unity.ncsu.edu/ncsu/usage/io-fps-service-daily.html There is a huge increase in FTP scanning as well as the building of warez botnets. The warez scanning is generally for anonymous FTP servers with plentiful bandwidth, copious disk space, and generous write permissions. Yes, the folks behind these activities do test for all three. The warez botnet scanning is generally for Windows hosts vulnerable to a cornucopia of sploits. These machines are then infected with a bot that will join a warez botnet. These warez bots will then respond to the commands issued in the channel. Some of them even issue helpful messages when you join the warez channel (real log snippet): To request a file type: "/msg <A> send <FILE>" Sadly, some malware is more user friendly than commercial software. :p The tools to locate the anonymous FTP servers are automated, though they are not worms. The tools to spread the warez bots can have worm-like behaviours. Now about your flows... It is very possible that you have a server that has been "tagged." This server may be part of a distributed wareznet serving up movies, MP3s, malware, pr0n, and other nasties. If the server(s) now part of the warez network have popular things on them, you will take quite a beating on bandwidth. By the way, several of the warez bots are also flooders, e.g. can be used to packet victims. Thanks, Rob. -- Rob Thomas http://www.cymru.com ASSERT(coffee != empty);