Security Incidents mailing list archives
RE: Worm Attack Rate
From: "Miles Sabin" <msabin () interx com>
Date: Mon, 6 Aug 2001 12:26:15 +0100
aleph1 () securityfocus com wrote,
This worm display locality. Its more likely to attack machines near itself in the IP address space. Since the IP address space is mostly sparse with machines bunched in some areas this is a more effective method of finding other vulnerable machines that uniformly and randomly selecting IP address across all of the IP address space, the method used by the original worm and its variant.
I think there might be another angle on locality which might explain the rate of compromise. Intuitively it seems quite likely that _vulnerable_ machines will be clustered together, for a couple of reasons, * On networks with an IIS host, it's quite likely that any other HTTP servers will also be IIS. * On networks with an unpatched IIS host, it's quite likely that any other IIS instances will also be unpatched. both on the assumption that networks will be fairly uniform, both in terms of the software their hosts are running, and in terms of local security practices. Cheers, Miles -- Miles Sabin InterX Internet Systems Architect 27 Great West Road +44 (0)20 8817 4030 Middx, TW8 9AS, UK msabin () interx com http://www.interx.com/ ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Worm Attack Rate aleph1 (Aug 05)
- RE: Worm Attack Rate Miles Sabin (Aug 06)
- Re: Worm Attack Rate Paul Cardon (Aug 06)