Security Incidents mailing list archives
Re: CodeRed Activity
From: Stuart Staniford <stuart () silicondefense com>
Date: Wed, 01 Aug 2001 10:00:31 -0700
I just did a quick fit of the same analytic growth model I used last time to this data that Dave Goldsmith posted to Incidents.

Last time around CRv2 had a spread rate in the region of 1.6-1.8 hosts per hour. This time it's around 0.75 hosts per hour (confirming Dave's eyeball estimate). That is, an average infected host is able to find 0.75 new hosts to infect per hour (near the beginning of the infection, before saturation starts to set in). So it's spreading significantly slower this time (though still much faster than CRv1 spread). Assuming it's the CRv2 code again, that suggests that there are roughly 45% as many vulnerable hosts as there were last time.

It's going to be as fully saturated as it gets early this afternoon.

Stuart.

dave.goldsmith () intelsat com wrote:
Included is updated information on probable CodeRed activity seen at my site. The traffic seems to be increasing by about 75% each hour. I will be filling in the table breaking down the probing systems later today.

Dave Goldsmith

      Hour  ||  Total   Unique || Private     IIS  Other Web  Non-Web        No
Date  (EST) || Probes  Sources || Address  Server     Server   Server  Response
============++=================++==============================================
0731  2000  ||     92       17 ||       3       8          1        3         2
0731  2100  ||     74       20 ||       3      13          0        2         2
0731  2200  ||    154       45 ||       1      25          0        8        11
0731  2300  ||    239       73 ||
0801  0000  ||    345       97 ||
0801  0100  ||    693      183 ||
0801  0200  ||   1139      324 ||
0801  0300  ||   2463      644 ||
0801  0400  ||   4271     1112 ||
0801  0500  ||   7327     1950 ||
0801  0600  ||  13085     3414 ||

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
--
Stuart Staniford --- President --- Silicon Defense
** Silicon Defense: Technical Support for Snort **
mailto:stuart () silicondefense com
http://www.silicondefense.com/
(707) 445-4355 x 16
(707) 445-4222 (FAX)
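The hourly growth in the quoted table can be checked with a log-linear least-squares fit of the "Unique Sources" column. This is an added example, not part of either message and not the analytic growth model referred to above (which the message does not spell out); it assumes pure exponential growth before saturation, and all function and variable names are this example's own.

```python
import math

# "Unique Sources" per hour, transcribed from the quoted table
# (0731 2000 EST through 0801 0600 EST, one entry per hour).
UNIQUE_SOURCES = [17, 20, 45, 73, 97, 183, 324, 644, 1112, 1950, 3414]


def fit_exponential(counts):
    """Least-squares fit of ln(count) = ln(c0) + r*t, t in hours.

    Returns (r, c0, r_squared). Assumes unsaturated growth, so the
    result only describes the early phase of an outbreak.
    """
    if len(counts) < 2 or any(c <= 0 for c in counts):
        raise ValueError("need at least two strictly positive counts")
    n = len(counts)
    ts = list(range(n))
    ys = [math.log(c) for c in counts]
    t_mean = sum(ts) / n
    y_mean = sum(ys) / n
    sxx = sum((t - t_mean) ** 2 for t in ts)
    sxy = sum((t - t_mean) * (y - y_mean) for t, y in zip(ts, ys))
    r = sxy / sxx
    intercept = y_mean - r * t_mean
    ss_tot = sum((y - y_mean) ** 2 for y in ys)
    ss_res = sum((y - (intercept + r * t)) ** 2 for t, y in zip(ts, ys))
    r_squared = 1 - ss_res / ss_tot if ss_tot > 0 else 1.0
    return r, math.exp(intercept), r_squared


def summarize(counts):
    """Express the fitted rate in the forms an analyst usually quotes."""
    r, c0, r2 = fit_exponential(counts)
    return {
        "rate_per_hour": r,                  # continuous growth rate
        "hourly_increase": math.exp(r) - 1,  # fractional growth per hour
        "doubling_time_hours": math.log(2) / r if r > 0 else math.inf,
        "fitted_initial_count": c0,
        "r_squared": r2,
    }


if __name__ == "__main__":
    for key, value in summarize(UNIQUE_SOURCES).items():
        print(f"{key:>22}: {value:.3f}")
```

The `hourly_increase` value is the quantity comparable to the "about 75% each hour" estimate in the quoted message; `rate_per_hour` is the corresponding continuous rate of the pure-exponential fit.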