Re: Code Red growth stats

[Kevin Houle <kjh () cert org>]

--On Wednesday, August 01, 2001 22:35:46 -0400 "Steven M. Bellovin" <smb () research att com> wrote:

> In message <20010801190627.A7553 () caida org>, k claffy writes:
>
> > albeit crippled caida monitor (we're working on it),
> > it does seem to have reversed slope again:
> > http://www.caida.org/analysis/security/code-red/aug1-live-hosts.gif

> If it has indeed turned up again, I'm at a loss to explain it.  While
> I'm sure there are some IIS servers on home machines, I doubt there are
> that many.  But I don't have another explanation to offer.

For what it's worth, the "wake-up" of previously sleeping worm
threads may be a contributing factor. In lab tests, a wake-up
happens at variable times, measured in hours, after midnight UTC
with all three versions we have tested (the system clock is not
checked during lengthy sleep() calls).

At the moment of wake-up, the rate of scanning (in a vaccuum)
is around 160 hosts/hour. The scanning rate on a host infected
during the scanning time of the month is over 50,000 hosts/hour
(again, in a vaccuum). The difference being the number of threads
actively scanning; it would appear not all threads wake up at
the same time.

So, over time, the rate of scanning and the scope of address
coverage should increase even if the true number of infected
hosts does not. There will be a point where everything that's
going to wake up has woken up, but I don't know where that
point is.

Kevin

Attachment: _bin
Description: