Security Incidents mailing list archives

CodeRed Traffic Stats


From: dave.goldsmith () intelsat com
Date: Wed, 1 Aug 2001 15:38:04 -0400

Included is updated information on probable CodeRed activity seen at my
site. 

The data used for this analysis comes from a Shadow IDS sensor located in
front of the firewall.  As such, all that is seen are the initial SYN
packets. The middle series of columns shows how many scans were seen during
the hour and how many unique sources those scans came from as well as the
ratio between the current and previous hour.

The series of columns to the right shows what I learned about the system
that the probe came from. I'm using nmap to see if there is a host that
responds at the supposed source address.  If so, I then use wget to get
information about what web server (or other software) is running on port 80.
Systems that do not respond and RFC 1918 source addresses are lumped
together under 'No response'. Virtually all of the IIS systems that have
probed my site are running IIS 5.0.

Assumptions:
Traffic coming from systems running IIS4/5 probably means those systems are
infected with CodeRed.
Non-IIS web server source addresses may be spoofed.
Non-web server source addresses are probably spoofed.
No response source addresses are probably spoofed.

Due to hardware problems, I have incomplete data for the 0900 EST hour
today.

Up until about 0800 EST this morning, traffic seemed to be increasing by
about 75% each hour. Since then, the hourly increase appears to be
shrinking. 

Dave Goldsmith

                ||     Probes          Sources        ||        Other   Non-
Date    Hour    || Total   Growth  Total   Growth  || IIS    Web     Web     No
        (EST)   ||                                  || Srvr   Srvr    Srvr    Response
================++=================================++============================
0731    2000    || 92      ----    17      ----    || 8      1       3       5
0731    2100    || 74      0.80    20      1.18    || 13     0       2       5
0731    2200    || 154     2.08    45      2.25    || 25     0       8       12
0731    2300    || 239     1.55    73      1.62    || 26     1       19      27
0801    0000    || 345     1.44    97      1.33    || 34     0       17      46
0801    0100    || 693     2.01    183     1.89    || 78     2       47      56
0801    0200    || 1139    1.64    324     1.77    ||
0801    0300    || 2463    2.16    644     1.99    ||
0801    0400    || 4271    1.73    1112    1.73    ||
0801    0500    || 7327    1.72    1950    1.75    ||
0801    0600    || 13088   1.79    3415    1.75    ||
0801    0700    || 22787   1.74    5897    1.73    ||
0801    0800    || 38556   1.69    9868    1.67    ||
0801    0900    || 15005   ----    4598    ----    ||
0801    1000    || 101859  ----    25893   ----    ||
0801    1100    || 145874  1.43    36691   1.42    ||
0801    1200    || 186622  1.28    46174   1.26    ||
0801    1300    || 214739  1.15    52786   1.14    ||

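The hourly tally described in the post (initial SYNs to port 80 per hour, unique sources, hour-over-hour ratio, and the four source buckets) can be reproduced from any sensor log with a few lines of Python. The block below is an added example, not the poster's own tooling: the sensor line format, the sample lines (documentation addresses) and the LOOKUP table standing in for the nmap/wget results are all constructed for illustration, and the active checks themselves are not reproduced, only their outcome is modelled. The growth column is deliberately left blank when the preceding hour has no data, which is the case the post's 0900 hardware gap illustrates.

```python
"""Hourly tally of inbound TCP/80 SYN probes, in the shape of the table above.

Added example; not the poster's tooling.  Sensor line format, sample lines and
the reverse-lookup results are all constructed for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Assumed sensor line format: "MM/DD-HH:MM:SS src:sport > dst:dport FLAGS"
LINE_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<hh>\d\d):\d\d:\d\d "
    r"(?P<src>[\d.]+):\d+ > [\d.]+:(?P<dport>\d+) (?P<flags>\S+)$"
)

# Constructed sample lines (documentation addresses, not real captures).
SAMPLE_LINES = """\
07/31-20:03:11 203.0.113.7:3321 > 198.51.100.5:80 S
07/31-20:15:40 203.0.113.9:1045 > 198.51.100.5:80 S
07/31-20:44:02 203.0.113.7:3322 > 198.51.100.5:80 S
07/31-20:50:19 192.0.2.44:2201 > 198.51.100.5:22 S
07/31-21:02:55 203.0.113.7:3330 > 198.51.100.5:80 S
07/31-21:10:08 192.0.2.17:1201 > 198.51.100.5:80 S
07/31-21:31:47 192.0.2.18:1202 > 198.51.100.5:80 S
07/31-21:40:13 10.0.0.3:1111 > 198.51.100.5:80 S
07/31-21:45:00 203.0.113.7:3331 > 198.51.100.5:80 S
07/31-21:59:59 203.0.113.9:1046 > 198.51.100.5:80 S
07/31-23:12:30 203.0.113.7:3340 > 198.51.100.5:80 S
"""

# Constructed stand-in for the nmap/wget step: src -> (host answered, Server header).
# The post's active checks are not reproduced here; only their outcome is modelled.
LOOKUP = {
    "203.0.113.7": (True, "Microsoft-IIS/5.0"),
    "203.0.113.9": (True, "Apache/1.3.20"),
    "192.0.2.17": (True, None),   # host answered, nothing listening on 80
    "192.0.2.18": (False, None),  # no host at the claimed address
}

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_syn_probes(text, dport=80, year=2001):
    """Return (hour, src) for each initial SYN (flags == 'S') to dport."""
    probes = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["dport"]) != dport or m["flags"] != "S":
            continue  # malformed, other port, or not a bare SYN
        hour = datetime(year, int(m["mon"]), int(m["day"]), int(m["hh"]))
        probes.append((hour, m["src"]))
    return probes


def hourly_stats(probes):
    """Per hour: probe count, unique sources, and ratio to the previous hour.

    Growth is left as None (the post prints '----') when the preceding hour
    has no data, so a sensor outage does not produce a misleading ratio.
    """
    counts, sources = defaultdict(int), defaultdict(set)
    for hour, src in probes:
        counts[hour] += 1
        sources[hour].add(src)
    rows, prev, prev_hour = [], None, None
    for hour in sorted(counts):
        total, uniq = counts[hour], len(sources[hour])
        consecutive = prev is not None and hour - prev_hour == timedelta(hours=1)
        rows.append({
            "date": hour.strftime("%m%d"), "hour": hour.strftime("%H00"),
            "probes": total, "sources": uniq, "srcs": sorted(sources[hour]),
            "probe_growth": round(total / prev["probes"], 2) if consecutive else None,
            "source_growth": round(uniq / prev["sources"], 2) if consecutive else None,
        })
        prev, prev_hour = rows[-1], hour
    return rows


def classify_source(src, host_up, server_header):
    """Bucket a source per the post's assumptions about spoofing."""
    if any(ipaddress.ip_address(src) in net for net in RFC1918) or not host_up:
        return "No response"  # RFC 1918 and silent addresses lumped together
    if server_header is None:
        return "Non-web"
    if server_header.startswith("Microsoft-IIS/"):
        return "IIS"
    return "Other web"


def tally_categories(srcs, lookup):
    """Count sources in each bucket; addresses absent from lookup count as silent."""
    return Counter(classify_source(s, *lookup.get(s, (False, None))) for s in srcs)


def fmt_growth(value):
    """Render a ratio the way the post does, with '----' for no data."""
    return "----" if value is None else f"{value:.2f}"


if __name__ == "__main__":
    for r in hourly_stats(parse_syn_probes(SAMPLE_LINES)):
        print(r["date"], r["hour"], r["probes"], fmt_growth(r["probe_growth"]),
              r["sources"], fmt_growth(r["source_growth"]),
              dict(tally_categories(r["srcs"], LOOKUP)))
```

Run against a real sensor export, only `LINE_RE` and the year need changing; the ratio logic and bucketing stay the same. Note that `ipaddress`'s `is_private` would also flag the documentation ranges used in the sample, which is why the RFC 1918 networks are listed explicitly.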
