Security Incidents mailing list archives

Re: Code Red Stats


From: Alex Butcher <alex () s3 integralis co uk>
Date: Thu, 02 Aug 2001 10:35:24 +0100

Nicholas Bachmann wrote:

> Hi all-
>
> I think I have found a formula to approximate the number of infected hosts. My formula is
>
> ([(Number of Infected Hosts * Number CR Queries p/ Day) / Total IPs on the Internet ]^-1) / Average IP Requests p/ Host
>
> So what I would need to know to figure out the approximate number of infected hosts:
> * How many IPs CR can check in a day (Number CR Queries p/ Day)
> * Average Number of times people are checked during a set period, probably 5:00a-5:00p (Average IP Requests p/ Host)
>
> Does anyone see any big flaws in this (I know it isn't perfect) formula that would keep it from being within a reasonable margin of error?


I was thinking along the same lines myself. The tricky bit is CR-Queries/day; IMHO, this will mainly depend on the response time of the targeted host.


Having said that, I was observing the complete attack taking 5-10s.

Bearing in mind that the worm spawns 99 scanning threads (right?), I reckon a single worm can scan a host in an effective time of 0.1s (assuming unlimited outbound bandwidth, which should be reasonable given how small (4K) these attacks are). This would give a scan rate of 10*60*60*24=864000 hosts/day.

I saw 3 or 4 attacks in a 2h 40m time period (i.e. 27-36 scans per IP address per day, scaled to 24 hours).


Howzat?

Best Regards,
Alex (not a statistician).
--
Alex Butcher                                      PGP/GnuPG Key IDs:
Consultant, S3 Systems Security Services          alex@s3       B7709088
PGP: http://www.s3.integralis.co.uk/pgp/alex.pgp  alex.butcher@ 885BA6CE


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
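
Added example, not part of either post: the estimate discussed in this thread carried through in Python with the figures from the reply (864000 scans per worm per day, 3 or 4 hits in 2h 40m), plus an exact Poisson interval to show the margin of error that comes from so few observations. It assumes targets are drawn uniformly from the whole 2^32 IPv4 space and that hits are counted on one monitored address; the function names are illustrative.

```python
import math

ADDRESS_SPACE = 2 ** 32                      # assumption: uniform targeting of all IPv4
SCANS_PER_WORM_PER_DAY = 10 * 60 * 60 * 24   # from the post: 0.1 s effective per host


def poisson_cdf(k, mu):
    """P(X <= k) for X ~ Poisson(mu)."""
    term = total = math.exp(-mu)
    for i in range(1, k + 1):
        term *= mu / i
        total += term
    return total


def _root(f, lo, hi):
    """Bisection for the root of a decreasing function f on [lo, hi]."""
    for _ in range(200):
        mid = (lo + hi) / 2
        if f(mid) > 0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def poisson_interval(k, conf=0.95):
    """Exact (Garwood) confidence interval for a Poisson mean, given k events."""
    tail = (1 - conf) / 2
    top = k + 10 * math.sqrt(k + 1) + 10     # safely above the upper limit
    lower = 0.0 if k == 0 else _root(lambda m: poisson_cdf(k - 1, m) - (1 - tail), 0.0, top)
    upper = _root(lambda m: poisson_cdf(k, m) - tail, 0.0, top)
    return lower, upper


def estimate_infected(hits, window_minutes, conf=0.95):
    """(low, point, high) infected-host estimate from hits on one monitored IP."""
    window_days = window_minutes / (24 * 60)
    # Expected hits on one IP = N * scans_per_day * window_days / ADDRESS_SPACE
    scale = ADDRESS_SPACE / (SCANS_PER_WORM_PER_DAY * window_days)
    low, high = poisson_interval(hits, conf)
    return low * scale, hits * scale, high * scale


if __name__ == "__main__":
    for hits in (3, 4):                      # "3 or 4 attacks in a 2h 40m time period"
        low, point, high = estimate_infected(hits, 160)
        print(f"{hits} hits: ~{point:,.0f} infected (95% CI {low:,.0f} to {high:,.0f})")
```

With only three or four hits the interval spans more than an order of magnitude, so pooling counts from many monitored addresses narrows the estimate far more than refining the per-worm scan rate.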

