Recently I noticed a whopping 600MB a second of HTTP requests to China. Not good. It flooded our little 100mb line and killed the firewalls, creating 3k new states a second.
The new states were coming from one of the instances in my OpenStack environment! Awww man, what did I screw up? The answer is nothing: the user never changed anything on his default instance, and it was, I believe, auto-hacked by a botnet exploiting web apps using default configuration.
What did I do? Luckily it's OpenStack. I shut off the instance, detached the volume and rebuilt using a clean image. I also altered the rules to discourage this happening again.
When I get time I will be opening this volume and looking at what is going on.