[Dshield] Stats on code red....a Taiwan perspective

Ed Greshko Edward.M.Greshko at syntegra.com
Sun Aug 12 03:53:10 GMT 2001


It would seem that the number of attacks is on the decline as people,
hopefully, are patching their systems.  While I only have stats for one
server directly connected to the Internet here in Taiwan I've collected the
following data from my Apache logs.

Code Red Probes per Day (no sorting for duplicate source addresses)

Aug  5   1249
Aug  6   1456
Aug  7   1616
Aug  8   1510
Aug  9   1382
Aug 10    947
Aug 11    869

While I didn't keep acurate stats I followed up on quite a number of source
IP's in "real time".  That is, I monitored the Apache logs and then
connected to the source IP to see what it was running.  In the majority of
cases the source system was not running a configured Web Server.  It would
either answer with "page not found" or the initial setup banner.  Also, a
whois on the majority of the source systems showed them to be dial-up
accounts.  In the case of my local ISP the reverse lookup included the
string "adsl" which would indicate dial-up ADSL.

The impression I get from this is that quite a number of infected systems
are infected without the knowledge that the system even has IIS installed!

Now, since ADSL is running PPPoE it would be "nice" if the ISP could
configure their IDS and authentication systems to determine whose systems
are infected and configure their systems to put per user blocks on HTTP.

In any event the responsible ISP would be monitoring their users for signs
of code red activity and should be taking actions to ensure their users are
made aware of the situation.  The ISP should then followup and make sure
corrective actions are taken.

BTW, at least in the case of Taiwan, the majority of attacks are coming from
within Taiwan as well as from Korea.  Taiwan has a significant ADSL
community while Korea has an extensive broadband (cable) infrastructure.


P.S.  A very cursory scan of networks here in Asia shows about .9 systems
per C-Class subnet to be infected.

More information about the list mailing list