Increase in traffic to/from DSL subs since August?

Greetings.

Another independent ISP operator and I have noticed a pretty significant increase in traffic to and from our broadband (DSL) subscribers since August. It's been a fairly steady uptick, at least in my case, resulting in a doubling of overall average traffic to/from these folks since then.

Have others seen a similar trend? Any thoughts as to what the cause may be? Our best guess is a virus/worm, possibly being used as a spam relay or other proxy at this point...

Many thanks,

-- Jared

icmp followed by port 135 connection attempts? nachi or welchia...

flow logs are highly useful in understanding gross behavioral changes in
user usage patterns.

joelja
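
The ICMP-then-port-135 pattern from the reply above, checked against flow records, as an added example that is not part of the original thread. The record layout, the window and threshold values, and the sample flows are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample flow records (not real data):
# (epoch_seconds, src, dst, proto, dst_port); ICMP flows carry dst_port 0.
# Addresses are taken from the documentation ranges.
SAMPLE_FLOWS = [
    (100, "192.0.2.10", "198.51.100.1", "icmp", 0),
    (101, "192.0.2.10", "198.51.100.1", "tcp", 135),
    (102, "192.0.2.10", "198.51.100.2", "icmp", 0),
    (103, "192.0.2.10", "198.51.100.2", "tcp", 135),
    (104, "192.0.2.10", "198.51.100.3", "icmp", 0),
    (106, "192.0.2.10", "198.51.100.3", "tcp", 135),
    (110, "192.0.2.20", "198.51.100.9", "icmp", 0),   # plain ping, no follow-up
    (120, "192.0.2.30", "198.51.100.7", "tcp", 135),  # 135 with no preceding ICMP
    (130, "192.0.2.40", "198.51.100.5", "icmp", 0),
    (900, "192.0.2.40", "198.51.100.5", "tcp", 135),  # follow-up outside the window
    (140, "192.0.2.10", "198.51.100.4", "tcp", 80),   # ordinary web traffic
]


def probe_then_135_sources(flows, window=30, min_targets=3):
    """Return {src: distinct dst count} for sources showing ICMP then TCP/135.

    window and min_targets are assumed tuning values, not figures from the thread.
    """
    last_icmp = {}                # (src, dst) -> time of most recent ICMP flow
    matched = defaultdict(set)    # src -> dsts that saw ICMP followed by TCP/135
    for ts, src, dst, proto, dport in sorted(flows):
        if proto == "icmp":
            last_icmp[(src, dst)] = ts
        elif proto == "tcp" and dport == 135:
            seen = last_icmp.get((src, dst))
            if seen is not None and ts - seen <= window:
                matched[src].add(dst)
    return {s: len(d) for s, d in matched.items() if len(d) >= min_targets}


def flow_share(flows, suspects):
    """Fraction of all flow records (not bytes) originated by flagged sources."""
    if not flows:
        return 0.0
    return sum(1 for f in flows if f[1] in suspects) / len(flows)


if __name__ == "__main__":
    suspects = probe_then_135_sources(SAMPLE_FLOWS)
    print(suspects, round(flow_share(SAMPLE_FLOWS, suspects), 2))
```

Comparing the flagged sources' share of flows before and after August shows how much of the growth this pattern accounts for.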

Traffic at LINX and AMS-IX started to grow again in July/August as well
after having slowed down for months. At DE-CIX we see also a big increase in
traffic since August. No idea what this is. IMHO it's too much traffic for
being virus/worm.

Arnold

Jared B. Reimer wrote:

Greetings.

Another independent ISP operator and I have noticed a pretty significant increase in traffic to and from our broadband (DSL) subscribers since August. It's been a fairly steady uptick, at least in my case, resulting in a doubling of overall average traffic to/from these folks since then.

Have others seen a similar trend? Any thoughts as to what the cause may be? Our best guess is a virus/worm, possibly being used as a spam relay or other proxy at this point...

Welchia would generate large amounts of traffic from the subscribers but not really that
much towards them because it sends its traffic to random IP prefixes, thus possibility
of hitting local prefixes is not that great. (cannot remember if it had some bias)

Most consumer heavy networks which used to have spare capacity in the DSL
access enjoy instant traffic growth if they or their upstream upgrades their peers,
making more bandwidth available to p2p applications.

And last, not least, zombierunners from certain netblocks probably send instructions to
your users to spew messages around the world advertising their wares.

Just as a side note, we recently announced a product to automatically
sandbox and un-sandbox infected machines. Works with dynamic
addresses also.

Pete