Several machines on a resnet that I consult for have started spewing traffic--50Mbits/sec all the way up to line rate. We're working on discoing the affected machines and getting traffic characteristics.

Anyone else seeing similar?

--Chris

On Thu, 21 Apr 2005, Chris Boyd wrote:
Several machines on a resnet that I consult for have started spewing traffic--50Mbits/sec all the way up to line rate. We're working on discoing the affected machines and getting traffic characteristics.

Why new worm? What makes you think they're not just bots participating in a DDoS?

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

Are they behind a firewall? Are they using private address space? If not, could they have just been owned? Has someone installed an FTP server on them and is using them to distribute warez or, more likely, movies? Perhaps made them BitTorrent servers/clients?

Check out Argus... it is a good flow monitoring tool... You can have it put together a variable amount of user data from all the packets and let you get a better idea of what is going on than from just looking at raw NetFlow data.

Peter

On Apr 21, 2005, at 9:11 PM, Chris Boyd wrote:
Several machines on a resnet that I consult for have started spewing traffic--50Mbits/sec all the way up to line rate. We're working on discoing the affected machines and getting traffic characteristics.
Anyone else seeing similar?
--Chris

participants (3)
- Chris Boyd
- Jon Lewis
- Peter John Hill