Security Incidents mailing list archives
Nimda mostly infects /8-locally.
From: Thomas Roessler <roessler () does-not-exist org>
Date: Wed, 19 Sep 2001 02:09:31 +0200
It seems that Nimda has some strong locality properties when spreading. Evaluating logs on a server which listens on an obscene number of virtual network interfaces with consecutive IP addresses, all in the same /24, I'm seeing the following distribution of "classical" netmasks (/n*8) with respect to the attacking hosts (unique IP addresses encountered in the logs):
    /16     1
    /8   1127
    /0    242

I don't see any /24s, but that's because there are no vulnerable hosts in that particular class C network.
This means, in particular, that the probability for Nimda to attack a host in the same /8 portion of the IP address space is approximately 5 times the probability to attack a host which is in some entirely "distant" region of the network.
It also seems like there is no special handling of /16 networks in the worm: Out of the 215 distinct /16 prefixes encountered (which do, however, still share the same /8 prefix with the attacked host's IP addresses), 36 make an appearance with only one unique IP address in my logs. The /16 prefix of the attacked host just happens to be one of these.
--
Thomas Roessler http://log.does-not-exist.org/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
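The tally described in the message above, as an added example that is not part of the original post: it buckets unique source addresses by the longest classical prefix (/24, /16, /8) they share with the attacked server, then counts how many /16 prefixes inside the server's /8 appear with only one address. The log format, the sample lines, the addresses and the names shared_prefix and locality_report are assumptions constructed for illustration; since the server's addresses all sit in one /24, any one of them can be passed as server_ip.

```python
import ipaddress
from collections import Counter

# Constructed sample: common-log-style lines, client address in the first field.
SAMPLE_LOG = """\
10.20.99.1 - - [18/Sep/2001:23:10:01 +0200] "GET / HTTP/1.0" 404 -
10.1.2.3 - - [18/Sep/2001:23:10:02 +0200] "GET / HTTP/1.0" 404 -
10.1.2.3 - - [18/Sep/2001:23:10:03 +0200] "GET / HTTP/1.0" 404 -
10.1.7.7 - - [18/Sep/2001:23:10:05 +0200] "GET / HTTP/1.0" 404 -
10.200.0.9 - - [18/Sep/2001:23:10:09 +0200] "GET / HTTP/1.0" 404 -
192.0.2.55 - - [18/Sep/2001:23:11:00 +0200] "GET / HTTP/1.0" 404 -
198.51.100.7 - - [18/Sep/2001:23:11:30 +0200] "GET / HTTP/1.0" 404 -
"""

def shared_prefix(src: str, dst: str) -> int:
    """Longest classical prefix (/24, /16, /8) that src shares with dst, else 0."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for bits in (24, 16, 8):
        if s >> (32 - bits) == d >> (32 - bits):
            return bits
    return 0

def locality_report(log_text: str, server_ip: str) -> dict:
    # Count each attacking address once, however many requests it sent.
    sources = {ln.split()[0] for ln in log_text.splitlines() if ln.strip()}
    buckets = Counter({24: 0, 16: 0, 8: 0, 0: 0})
    buckets.update(shared_prefix(ip, server_ip) for ip in sources)
    # Unique addresses per /16, restricted to sources inside the server's /8.
    per16 = Counter(int(ipaddress.IPv4Address(ip)) >> 16
                    for ip in sources if shared_prefix(ip, server_ip) >= 8)
    local = sum(n for bits, n in buckets.items() if bits >= 8)
    return {
        "buckets": dict(buckets),
        "distinct_16_in_same_8": len(per16),
        "singleton_16": sum(1 for n in per16.values() if n == 1),
        # Same-/8 sources per distant source; None if no distant source was seen.
        "local_to_distant": local / buckets[0] if buckets[0] else None,
    }

if __name__ == "__main__":
    print(locality_report(SAMPLE_LOG, "10.20.30.40"))
```

On the constructed sample the duplicate request from 10.1.2.3 is counted once, so the ratio reflects unique attacking hosts rather than request volume.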