Network outage caused by malware

Hi,

Recently we had a network outage that was caused by malware installed on a LAN host (which had been brute-forced before that).

Network latency increased from 0.3-0.4 ms to 30-40 ms (100 times higher), and packet loss was about 40%.
It was caused by a large number of queued packets (we observed a large number of OUTPUT drops on several interfaces) on our Cisco 3560 and 2960 switches. But at the same time the consumed bandwidth (outgoing from the malware host) was not big, about 30-40 Mbps.

The question is whether it was the Cisco switches that increased latency and packet loss, and why it happened.

I have the following logs:
- NetFlow logs from the gateway router of the compromised host at the time of the outage.
- The malware scripts (which were making thousands of RDP requests to hosts across the Internet).
- A dump of traffic on the compromised host at the time when the scripts were running.

I also have a suspicion that the packet loss and latency could have been caused by the NetFlow traffic (as I see a lot of OQD on the Cisco 2960 interfaces to which the VMware ESX host is connected, where the NetFlow logger is located).

So, please help answer the question: why could such malware scripts with a low bandwidth load cause a network outage?

Thanks. I'd appreciate any help.

1 Reply

Dennis Mink
VIP Alumni

Well, if you send a lot of packets with a very small payload, that would cause your ports to use a lot of queueing but not actually send a lot of data. If you send a fraction of the packets with very large payloads, you would not require much processing, but your BW utilisation would be way up.

Please remember to rate useful posts, by clicking on the stars below.
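The packets-per-second point made in the reply, worked through as an added example (not code from either poster): it summarises constructed NetFlow-style records per source host so that a "many tiny packets" sender stands out from a "few large packets" sender even when its Mbps figure is lower, and it converts the poster's 30-40 Mbps into frames per second at two frame sizes. All records, addresses and thresholds are constructed for illustration.

```python
# Added example, not from the thread: per-source NetFlow summary separating "many tiny
# packets" senders from "few large packets" senders. All records are constructed.
from collections import defaultdict

def constructed_flows():
    """Constructed NetFlow-like records (src, dst, dst_port, packets, bytes); not real data."""
    flows = []
    # Scanner-like host: one 60-byte packet to each of 20,000 distinct hosts on TCP/3389.
    for i in range(20000):
        flows.append(("10.0.0.50", f"198.51.{i // 256}.{i % 256}", 3389, 1, 60))
    # Ordinary bulk transfer: 2,000 full-size packets to a single destination.
    flows.append(("10.0.0.7", "10.0.0.200", 445, 2000, 3_000_000))
    return flows

def summarise(flows, window_s):
    """Per-source pps, Mbps, average packet size and distinct destinations over one window."""
    per_src = defaultdict(lambda: {"packets": 0, "bytes": 0, "dsts": set()})
    for src, dst, _port, packets, nbytes in flows:
        s = per_src[src]
        s["packets"] += packets
        s["bytes"] += nbytes
        s["dsts"].add(dst)
    return {
        src: {
            "pps": s["packets"] / window_s,
            "mbps": s["bytes"] * 8 / window_s / 1e6,
            "avg_pkt_bytes": s["bytes"] / s["packets"],
            "distinct_dsts": len(s["dsts"]),
        }
        for src, s in per_src.items()
    }

def small_packet_talkers(summary, max_avg_bytes=128, min_pps=5000):
    """Sources that push many packets per second while each packet is small (constructed thresholds)."""
    return sorted(src for src, s in summary.items()
                  if s["avg_pkt_bytes"] <= max_avg_bytes and s["pps"] >= min_pps)

def pps_for_bandwidth(mbps, avg_pkt_bytes):
    """Packets per second a port must forward to carry `mbps` at a given average frame size."""
    return mbps * 1e6 / 8 / avg_pkt_bytes

if __name__ == "__main__":
    summary = summarise(constructed_flows(), window_s=1.0)
    for src, s in summary.items():
        print(f"{src}: {s['pps']:.0f} pps, {s['mbps']:.1f} Mbps, {s['avg_pkt_bytes']:.0f} B/pkt")
    print("small-packet talkers:", small_packet_talkers(summary))
    # The poster's ~35 Mbps is roughly 23x more frames at 64 B than at 1500 B per frame.
    print(f"{pps_for_bandwidth(35, 64):.0f} pps vs {pps_for_bandwidth(35, 1500):.0f} pps")
```

In the constructed data the scanner-like host shows under 10 Mbps but ten times the packet rate of the bulk transfer, which is the pattern to look for in the gateway NetFlow export when output-queue drops appear without high link utilisation.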
