Re: Botnet attack? [was: Re: Declining traffic]

To: or-talk@xxxxxxxxxxxxx

Subject: Re: Botnet attack? [was: Re: Declining traffic]

From: Flamsmark <flamsmark@xxxxxxxxx>

Date: Mon, 26 Apr 2010 13:36:17 -0400

Delivered-to: archiver@xxxxxxxx

Delivered-to: or-talk-outgoing@xxxxxxxx

Delivered-to: or-talk@xxxxxxxx

Delivery-date: Mon, 26 Apr 2010 13:36:49 -0400

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:mime-version:received:in-reply-to :references:from:date:message-id:subject:to:content-type; bh=gAx0ysWlOm+XqVOhv0An6KPjFcAhKNf7eu7/tXa3z6A=; b=p7eHVknWztisjK9p/VNWhaBvLIYYCEdWMsbpnZotv5d8x1T3cgUeuZVL0Xq/wOyEnD oChlFdI87TP3dv4ZmVULasxhQpvx+cxa55tHBOEktaOFTEEtptIdc0SGXEG0P3JWmpRz hcXNfO0zpRt2oQxlrH3ek0DnwrWGqjIjZnecQ=

Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :content-type; b=PGoeiFkv9Nr6TLEIC5uXR6QfS01AfC6DcIb/mBHCOrle9UoGeDeK3MXpvIN/eJZ8iw y316+nxXQohy0/Z7JSGXKRsHpWlkR9/hHcmXG0Dz/YyQtZ4+oscEpqBjJ4rK7XJi1Anl nyq3bEgi6jboGoq7opLqBetib+gi32dgnGFsI=

In-reply-to: <4BD59C3E.4060603@xxxxxxxxxxxxx>

References: <4BD193F5.6050906@xxxxxxxxxxxxx> <20100423181657.GZ4366@xxxxxxxxxxxxxx> <4BD59C3E.4060603@xxxxxxxxxxxxx>

Reply-to: or-talk@xxxxxxxxxxxxx

Sender: owner-or-talk@xxxxxxxxxxxxx

On 26 April 2010 09:59, Timo Schoeler <timo.schoeler@xxxxxxxxxxxxx> wrote:

When running tor, I see

i) CPU cycles being eaten up by tor almost entirely;

ii) my machine experiences things like those:

One is a chinese dialup, the other ones are from a big German ISP
(Deutsche Telekom AG). For me it really seems as there's some kind of
botnet attack going on.

Timo

What makes you think that this is a botnet attack? What are the characteristics of a botnet attack, and how do these logs exhibit them? If there are only a few IP addresses, wouldn't that contraindicate botnet involvement?

On a loosely related note, it would generally be a good idea to mask IP addresses on public mailing lists.