Full Disclosure mailing list archives
Re: 100 Worms per Second, Courtesy of Telstra
From: "Matthew Murphy" <mattmurphy () kc rr com>
Date: Sun, 26 Jan 2003 15:21:44 -0600
Pardon my delurk, but this is very strange worm behavior. We are seeing 100 SQL Worms per second from a single IP address on Telstra. This is about 10k times the level of activity we are seeing from any other address.
That is certainly odd.
Anyone here either know anyone at Telstra who can shut this off, or perhaps at least some explanation of why this worm instance would set aside its usual randomish behavior and flood us like this?
There seems to be a major weakness in the scanning pattern of this worm that makes it flood some addresses far more extensively than others. Considering that the entire 'random' generator is just a trivial bit shift of the system timer, it can't be expected to be really 'random' at all. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- 100 Worms per Second, Courtesy of Telstra Karl A. Krueger (Jan 26)
- Re: 100 Worms per Second, Courtesy of Telstra Matthew Murphy (Jan 26)
- Re: 100 Worms per Second, Courtesy of Telstra Mike Tancsa (Jan 26)
- Re: 100 Worms per Second, Courtesy of Telstra Karl A. Krueger (Jan 26)
- Re: 100 Worms per Second, Courtesy of Telstra Roland Postle (Jan 26)