All,

We noticed at around midnight for a brief period of time and around 6AM EST for an extended period that several hosted customer servers (4 completely different customers) launched quite a campaign doing 100Mbps during these times (on 100Mbps ports).

The thing I find 'suspicious' is that all of the machines' connected interfaces said they were sending out 200Mbps (on 100Mbps links) and that they all had the same exact traffic profile (MRTG, etc).

5 minute input rate 213353000 bits/sec, 18516 packets/sec
5 minute output rate 583000 bits/sec, 855 packets/sec

Anyone else see this or am I just very lucky?

thanks,
-Drew
On Fri, 19 Feb 2010, Drew Weaver wrote:
All,
We noticed at around midnight for a brief period of time and around 6AM EST for an extended period that several hosted customer servers (4 completely different customers) launched quite a campaign doing 100Mbps during these times (on 100Mbps ports).
The thing I find 'suspicious' is that all of the machines' connected interfaces said they were sending out 200Mbps (on 100Mbps links) and that they all had the same exact traffic profile (MRTG, etc).

5 minute input rate 213353000 bits/sec, 18516 packets/sec
5 minute output rate 583000 bits/sec, 855 packets/sec

If these "100Mbps ports" are 100BaseT ethernet, and your switch(es) reported them receiving 213353000 bits/sec, I'd be more suspicious of cisco counter bugs than a new botnet. 100BaseT can't do that. Cisco has a long history of writing code that can't count properly.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
Sorry, the point was that MRTG and other metrics also showed that they were doing 100Mbps, and I am well aware of counter bugs in Cisco's IOS, but it has never been that out of whack (on several different switches) before; also, the fact that all of these hosts are Windows 2003 and had the exact same SNMP metrics is kind of suspicious to me, but maybe I'm wrong.

-----Original Message-----
From: Jon Lewis [mailto:jlewis@lewis.org]
Sent: Friday, February 19, 2010 10:28 AM
To: Drew Weaver
Cc: 'nanog@nanog.org'
Subject: Re: New botnet launch?

On Fri, 19 Feb 2010, Drew Weaver wrote:
All,
We noticed at around midnight for a brief period of time and around 6AM EST for an extended period that several hosted customer servers (4 completely different customers) launched quite a campaign doing 100Mbps during these times (on 100Mbps ports).
The thing I find 'suspicious' is that all of the machines' connected interfaces said they were sending out 200Mbps (on 100Mbps links) and that they all had the same exact traffic profile (MRTG, etc).

5 minute input rate 213353000 bits/sec, 18516 packets/sec
5 minute output rate 583000 bits/sec, 855 packets/sec

If these "100Mbps ports" are 100BaseT ethernet, and your switch(es) reported them receiving 213353000 bits/sec, I'd be more suspicious of cisco counter bugs than a new botnet. 100BaseT can't do that. Cisco has a long history of writing code that can't count properly.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
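The plausibility test Jon applies (a 100BaseT port cannot carry 213 Mbps, so a counter reporting that is more likely wrong than the host), together with Drew's MRTG cross-check, as an added example that is not code from either poster: it turns successive SNMP octet-counter polls into a 5-minute bit rate the way MRTG does, corrects for a 32-bit counter wrap, and flags any interval whose computed rate exceeds the port's own ifSpeed. All counter values and timestamps below are constructed for illustration; the second series is built so that its delta reproduces the 213353000 bits/sec figure from the thread.

```python
"""Sanity-check SNMP interface counter polls against the link speed.

Added example for this thread, not code from either poster. The counter
values and timestamps are constructed; nothing here was polled from a
real switch.
"""
from dataclasses import dataclass

COUNTER32 = 2 ** 32          # width of ifInOctets / ifOutOctets
COUNTER64 = 2 ** 64          # width of ifHCInOctets / ifHCOutOctets
FAST_ETHERNET_BPS = 100_000_000


@dataclass(frozen=True)
class Sample:
    ts: int      # poll time, seconds since epoch (constructed)
    octets: int  # raw counter value as returned by SNMP


def counter_delta(prev: int, cur: int, width: int) -> int:
    """Octets transferred between two polls, allowing for one counter wrap."""
    if cur >= prev:
        return cur - prev
    return cur + width - prev


def wrap_period_s(link_bps: int, width: int = COUNTER32) -> float:
    """Seconds a saturated link needs to wrap a counter of this width."""
    return width * 8 / link_bps


def bits_per_second(prev: Sample, cur: Sample, width: int = COUNTER32) -> float:
    """Average bit rate over the interval between two polls."""
    elapsed = cur.ts - prev.ts
    if elapsed <= 0:
        raise ValueError("samples must be in increasing time order")
    return counter_delta(prev.octets, cur.octets, width) * 8 / elapsed


def classify(bps: float, if_speed: int, slack: float = 0.02) -> str:
    """'ok' if the rate fits on the link, 'impossible' if it exceeds ifSpeed.

    A small slack absorbs timestamp jitter between polls; a physical port
    cannot exceed its signalling rate by more than that.
    """
    return "ok" if bps <= if_speed * (1 + slack) else "impossible"


def check_series(samples, if_speed=FAST_ETHERNET_BPS, width=COUNTER32):
    """Return (rounded bits/sec, verdict) for each poll interval."""
    results = []
    for prev, cur in zip(samples, samples[1:]):
        bps = bits_per_second(prev, cur, width)
        results.append((round(bps), classify(bps, if_speed)))
    return results


# Constructed 5-minute (300 s) polls on a 100 Mbps port.
T0 = 1_266_562_800  # constructed epoch timestamp

# 32-bit counter that wraps once mid-interval while running near line rate:
# 3,562,500,000 octets in 300 s is 95 Mbps, a legitimate value.
WRAPPED_32 = [
    Sample(T0, 4_000_000_000),
    Sample(T0 + 300, (4_000_000_000 + 3_562_500_000) % COUNTER32),
]

# 64-bit counter whose delta works out to the thread's 213,353,000 bit/s:
# 8,000,737,500 octets in 300 s, over twice what 100BaseT can carry, so
# the counter (or the reported ifSpeed), not the host, is what to distrust.
IMPOSSIBLE_64 = [
    Sample(T0, 10_000_000_000),
    Sample(T0 + 300, 10_000_000_000 + 8_000_737_500),
]

if __name__ == "__main__":
    print(f"32-bit counter wraps every {wrap_period_s(FAST_ETHERNET_BPS):.0f} s at 100 Mbps")
    print(check_series(WRAPPED_32))
    print(check_series(IMPOSSIBLE_64, width=COUNTER64))
```

Two things fall out of the arithmetic. A 32-bit octet counter on a saturated 100 Mbps port wraps every 344 s, longer than a 5-minute MRTG poll, so at most one wrap can occur per interval and the correction above is exact; and a wrap, corrected or not, can only make a delta smaller, never larger, so a rate above ifSpeed is not a wrap artifact. The practical way to settle who is lying is to read the 64-bit ifHCInOctets alongside ifInOctets and compare both against an independent source such as the upstream port's counters or a flow export; a botnet would show up in all of them, a counter bug only in one.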
participants (2)
- Drew Weaver
- Jon Lewis