Snort mailing list archives
Re: code red warning
From: Andrew Daviel <andrew () andrew triumf ca>
Date: Fri, 12 Oct 2001 11:04:32 -0700 (PDT)
On Fri, 12 Oct 2001, Paul Millar wrote:
> I'm getting regular attacks from Code Red which seem to be originating from the 213.123.x.x block of IP addresses - all of these are coming from btopenworld and btinternet users.
I believe that Code Red II has an affinity for one's local subnet, so that if you are on 24.0.0.0/8 you see lots of traffic from 24.0.0.0/8 and so on. On 142.90/16 we see lots from 142.0.0.0/8; see http://andrew.triumf.ca/codered/tcp.2001090522.3.gif

We have seen over 2.5 million distinct source addresses since July, see http://andrew.triumf.ca/codered/build.log.png (log base e)

I spoke to someone at one of our most persistent attacking ISPs and they basically said they do triage, and contacting dialup users who have less bandwidth and less capacity to do damage is at the bottom of the list, but that they will get to it eventually.

Some commentary I read in a network ezine suggested that Microsoft's careless default install of IIS may have polluted port 80 permanently.

--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
security () triumf ca
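One way to measure the local-subnet bias described in the reply above from a web server's own access log, as an added example that is not part of the original post: it counts distinct sources of `/default.ida` probes by how much of the sensor's prefix they share. The log lines are constructed, Apache common log format is assumed, and only the 142.90/16 sensor network comes from the post.

```python
import ipaddress
import re
from collections import Counter

# Sensor network as given in the post; every address below is constructed.
SENSOR_NET = ipaddress.ip_network("142.90.0.0/16")

# Constructed sample log. Code Red probes request /default.ida followed by a
# long filler string (shortened here). Line 2 repeats a source, line 8 is
# ordinary traffic that must not be counted.
SAMPLE_LOG = """\
142.90.17.4 - - [05/Sep/2001:22:01:10 -0700] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 205
142.90.17.4 - - [05/Sep/2001:22:04:51 -0700] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 205
142.103.8.9 - - [05/Sep/2001:22:05:02 -0700] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 205
142.20.1.77 - - [05/Sep/2001:22:06:40 -0700] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 205
142.200.3.3 - - [05/Sep/2001:22:07:13 -0700] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 205
192.0.2.55 - - [05/Sep/2001:22:08:29 -0700] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 205
203.0.113.9 - - [05/Sep/2001:22:09:57 -0700] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 205
142.90.2.2 - - [05/Sep/2001:22:10:01 -0700] "GET /index.html HTTP/1.0" 200 1432
"""

PROBE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET /default\.ida\?')

def code_red_sources(log_text):
    """Return the distinct IPv4 sources that sent a /default.ida probe."""
    sources = set()
    for line in log_text.splitlines():
        m = PROBE_RE.match(line)
        if not m:
            continue
        try:
            sources.add(ipaddress.IPv4Address(m.group(1)))
        except ipaddress.AddressValueError:
            continue  # client field is a hostname or malformed
    return sources

def locality(sources, sensor_net=SENSOR_NET):
    """Bucket sources by the longest sensor prefix (/16, then /8) they fall in."""
    slash8 = sensor_net.supernet(new_prefix=8)
    counts = Counter()
    for ip in sources:
        key = "same /16" if ip in sensor_net else "same /8" if ip in slash8 else "elsewhere"
        counts[key] += 1
    return counts

if __name__ == "__main__":
    srcs = code_red_sources(SAMPLE_LOG)
    for bucket, n in locality(srcs).most_common():
        print(f"{bucket:10s} {n:3d}  ({n / len(srcs):.0%} of distinct sources)")
    # Uniformly random scanning would put about 1/256 of sources in the sensor's /8.
```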