Re: Code Red growth stats

[Jasper Wallace <jasper () ivision co uk>]

On Wed, 1 Aug 2001, Steven M. Bellovin wrote:

> In message <Pine.SOL.3.93.1010801170555.4987V-100000 () acns fsu edu>, Scott Sturs
> a writes:
> > On Wed, 1 Aug 2001, Dave Stewart wrote:
> >
> > > I suspect we'll see it begin to pick up a little bit... it looks like
> > > Billybob is just starting to get home from work and fire up his whizbang
> > > Windows 2000 machine, which he put IIS on so he can share kewl warez and
> > > mp3z with his leet friends...
> >
> > At 1500 EDT I put a counter on one of our commodity Internet connections,
> > looking for port 80 connects to one of our unassigned /24 subnets.  Here
> > are the results so far:
> >
> > 1500-1530: 682
> > 1530-1600: 536
> > 1600-1630: 533
> > 1630-1700: 643
> >
> > Seems to be picking up.
>
> Maybe -- we need more data to be sure.  But -- given that a lot of
> folks have patched systems over the last two weeks -- I suspect it's
> running out of "food".  Look at the graph from the last go-round at
> http://www.cert.org/advisories/CA-2001-23.html -- it leveled off, too.
> (If the Worm is operating on UTC, the "stop" phase would have commenced
> at 2000 EDT.  Even if it ran on local time, Western European machines
> wouldn't quiesce until 1700.  The drop off starts well before that.)

35331 so far here (from 5120 ip's of dead space), but it definatly
seems to be leveling off - graphs and data (time_t, count) here:

http://mostly.pointless.net/~jasper/cr/

-- 
Internet Vision          Internet Consultancy           Tel: 020 7589 4500
60 Albert Court            & Web development            Fax: 020 7589 4522
Prince Consort Road                                   vision () ivision co uk
London SW7 2BE                                   http://www.ivision.co.uk/