Security Incidents mailing list archives
RE: CRv2 multiple scans from same source IP
From: Tim Hollebeek <thollebeek () cigital com>
Date: Mon, 6 Aug 2001 16:19:47 -0400
> NOW: CodeRedII (this name is easily mistaken with CRv2, so I would suppose another name: I started calling it ida_root since my first analysis on 5th Aug, 7:34 GMT). This worm always only infects one host _once_. It checks for double infection. It could generate the same IP address again in its PRNG, but the chance of this happening is near 0.

> You would think it should be near 0, but unless I'm mistaken this should be CR II, correct?
Why should it be near zero? CRII spends half its time attacking its own subnet: < 65535 IPs. After only 256 attacks, any infected host has likely already hit one machine twice (birthday paradox). And a typical attacker has hundreds of threads running ...
From my logs:
(the first line means one machine has attacked me 88 times, a second 25 times, a third 19 times, two distinct machines have made 18 attacks, and another two have made 16, ... the duplication rate is quite high for those of us in "densely vulnerable" subnets)

number of attacks   number of ips
       88                1        X
       25                1        X
       19                1        X
       18                2        XX
       17                0
       16                2        XX
       15                0
       14                1        X
       13                1        X
       12                6        XXXXXX
       11                0
       10                4        XXXX
        9                3        XXX
        8                2        XX
        7                1        X
        6                4        XXXX
        5                6        XXXXXX
        4                8        XXXXXXXX
        3                9        XXXXXXXXX
        2                7        XXXXXXX
        1                8        XXXXXXXX

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
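The two technical points in this message, the birthday-paradox argument about repeat hits within a subnet and the per-source hit histogram built from a web server log, can both be checked with a short script. The following is an added example, not code from the original post or from any of the thread participants. It assumes a candidate pool of 65536 addresses (the "< 65535 IPs" bound above, rounded to a full /16), a constructed log format of "timestamp source-ip request status", and that worm probes are identified by requests for /default.ida, the URI the Code Red family requests; the log lines themselves are constructed for the example.

```python
"""Birthday-collision odds for repeat hits, plus a per-source attack histogram."""
import math
from collections import Counter

# Constructed sample log lines (not from the original post): timestamp, source IP, request, status.
SAMPLE_LOG = """\
2001-08-06T15:01:02 10.0.3.17 GET /default.ida 404
2001-08-06T15:01:09 10.0.3.17 GET /default.ida 404
2001-08-06T15:02:41 10.0.9.201 GET /default.ida 404
2001-08-06T15:03:00 10.0.3.17 GET /default.ida 404
2001-08-06T15:03:55 10.0.12.8 GET /default.ida 404
2001-08-06T15:04:10 10.0.9.201 GET /default.ida 404
2001-08-06T15:05:30 10.0.1.1 GET /index.html 200
"""

# Assumption: a scanner picking uniformly from a /16 has 65536 candidate addresses.
SUBNET_POOL = 65536


def collision_probability(pool_size, draws):
    """Probability that `draws` uniform picks from `pool_size` targets repeat at least one target.

    Uses the exact product (1 - i/N) for i < draws, summed in log space to avoid underflow.
    """
    if draws > pool_size:
        return 1.0
    log_no_collision = sum(math.log1p(-i / pool_size) for i in range(draws))
    return 1.0 - math.exp(log_no_collision)


def draws_for_collision_probability(pool_size, target=0.5):
    """Smallest number of draws at which the repeat-hit probability reaches `target`."""
    draws = 0
    log_no_collision = 0.0
    while 1.0 - math.exp(log_no_collision) < target:
        # Extend the no-collision product by one more draw.
        log_no_collision += math.log1p(-draws / pool_size)
        draws += 1
    return draws


def attacks_per_source(log_text, marker="/default.ida"):
    """Count probe lines per source IP; only lines whose request contains `marker` count."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        source_ip, request_path = fields[1], fields[3]
        if marker in request_path:
            counts[source_ip] += 1
    return counts


def attacks_histogram(per_source):
    """Fold per-source counts into {number_of_attacks: number_of_ips}, as in the post's table."""
    return dict(Counter(per_source.values()))


def render_histogram(hist):
    """Render the histogram in the same layout as the post: attacks, ips, and a bar of X's."""
    lines = ["number of attacks   number of ips"]
    for attacks in sorted(hist, reverse=True):
        ips = hist[attacks]
        lines.append(f"{attacks:>9}{ips:>17}        {'X' * ips}")
    return "\n".join(lines)


if __name__ == "__main__":
    p256 = collision_probability(SUBNET_POOL, 256)
    print(f"P(at least one repeat after 256 probes of a /16) = {p256:.3f}")
    print(f"Probes needed for a 50% repeat chance: {draws_for_collision_probability(SUBNET_POOL)}")
    print(render_histogram(attacks_histogram(attacks_per_source(SAMPLE_LOG))))
```

Running the script reports the repeat-hit probability for 256 probes of a /16 and the probe count at which it reaches 50%, then prints the constructed log's histogram in the same "attacks / ips / bars" layout used above; with hundreds of threads per infected host, the per-host probe count passes these thresholds quickly, which is the reason a single source shows up many times in one victim's log.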