Security Incidents mailing list archives
Re: Nimda mostly infects /8-locally.
From: Bryan Andersen <bryan () visi com>
Date: Tue, 18 Sep 2001 22:40:47 -0500
Thomas Roessler wrote:
> It seems that Nimda has some strong locality properties
> when spreading.
>
> Evaluating logs on a server which listens on an obscene number of
> virtual network interfaces with consecutive IP addresses, all in the
> same /24, I'm seeing the following distribution of "classical"
> netmasks (/n*8) with respect to the attacking hosts (unique IP
> addresses encountered in the logs):
>
> /16      1
> /8    1127
> /0     242
These numbers are to one IP address only.
       total    outside smaller spaces
       -----    ----------------------
/0       158      9
/8       149    133
/16       16     16
/24        0      0
The /24 I'm in is sparsely populated.
It does seem to be favoring the /16 some over the /8.
At this time 10:40pm CDT (-500) I'm mostly seeing repeats, with
only a few new IP addresses.
--
| Bryan Andersen | bryan () visi com | http://www.nerdvest.com |
| Buzzwords are like annoying little flies that deserve to be swatted. |
| -Bryan Andersen |
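
The tally discussed in this thread, as an added example that is not part of either poster's message: it buckets unique probing source addresses by the longest classical prefix (/24, /16, /8, /0) they share with the logging host and reports both the cumulative total and the count outside the smaller spaces. The Common Log Format input, the `cmd.exe`/`root.exe` probe match, the function names and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: Common Log Format; a probe is any GET whose path names cmd.exe or root.exe.
PROBE = re.compile(r'^(\S+) .*"GET \S*(?:cmd|root)\.exe', re.IGNORECASE)

# Constructed sample lines (not taken from either poster's logs).
SAMPLE_LOG = [
    '10.20.99.1 - - [18/Sep/2001:22:01:10 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -',
    '10.77.1.1 - - [18/Sep/2001:22:01:12 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '10.77.1.1 - - [18/Sep/2001:22:05:40 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -',
    '10.200.3.4 - - [18/Sep/2001:22:06:02 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -',
    '192.0.2.5 - - [18/Sep/2001:22:07:19 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '10.20.30.7 - - [18/Sep/2001:22:08:00 -0500] "GET /index.html HTTP/1.0" 200 512',
]

def shared_prefix_bits(local_ip, remote_ip):
    """Longest classical prefix (24, 16, 8 or 0 bits) common to both addresses."""
    local = ipaddress.IPv4Address(local_ip).packed
    remote = ipaddress.IPv4Address(remote_ip).packed
    bits = 0
    for a, b in zip(local[:3], remote[:3]):
        if a != b:
            break
        bits += 8
    return bits

def locality_table(log_lines, local_ip):
    """Map prefix bits -> (total, outside smaller spaces) over unique probing sources."""
    sources = set()
    for line in log_lines:
        match = PROBE.match(line)
        if match:
            sources.add(match.group(1))  # repeats from one address count once
    exclusive = Counter()
    for src in sources:
        try:
            exclusive[shared_prefix_bits(local_ip, src)] += 1
        except ipaddress.AddressValueError:
            continue  # first field was a hostname, not an IPv4 address
    table, running = {}, 0
    for bits in (24, 16, 8, 0):  # smallest space first so totals accumulate outward
        running += exclusive[bits]
        table[bits] = (running, exclusive[bits])
    return table

if __name__ == "__main__":
    for bits, (total, outside) in sorted(locality_table(SAMPLE_LOG, "10.20.30.40").items()):
        print(f"/{bits:<3}{total:>6}{outside:>6}")
```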
