Re: New worm / port 1434?

["Stephen J. Wilcox" <steve () telecomplete co uk>]

On Sat, 25 Jan 2003, Eric Gauthier wrote:

> Ok,
>
> I'm not sure if this helps at all.  Our campus has two primary connections - 
> the main Internet and something called Internet2.  Internet2 has a routing
> table of order 10,000 routes and includes most top-tier research instituations
> in the US (and a few other places).  By 1am this morning (Eastern US time),
> all of our Internet links saturated outbound but we didn't appear to see any 
> noticable increase in our Internet2 bandwidth.  I'm throwing this out there 
> because it may indicate that the destinations for the traffic - though large - 
> aren't completely random.
>
> Has anyone else seen this?


Sources from our customers are in pockets so not a good spread of source but the
destination is -very- random.. I'm not seeing that many packets duplicating the
same destination


Now having said that there is some algorith at work perhaps the same one that
was used in the Codered worm

There is many more hits to the same /16 and same /8 as source with a general
spread over the rest of the IP space

There appears to be significantly more over 128/1 than 0/1 which is odd altho
certain /8s appear to be popular (32, 81, 53, 35, 38)

Steve


> Eric :)
>
> PS: Yep - we're a university and we're a source - big surprise there...  I 
> just filtered out our 200Mbps contribution to this problem in case you're 
> curious...