[Dshield] I've got a question about code red...
seangra at yahoo.com
Mon Aug 13 00:55:33 GMT 2001
Hello all, I have a question.
I wrote a crazy program that does real-time stats of the Code Red (and
related) attacks on my W2K IIS server, and I've noticed that there are more
than 30 people who have attacked more than 50 times. In fact, out of 1557
unique machines that have attacked me, 1282 have attacked once, 135
attacked twice, (a bunch more in between), 3 have attacked 74 times, and
there are people who have attacked 75, 76, 78, 87, 91 and 97 times. None
of these mentioned (above 70 attacks) are in my subnet.
So my question is this: why would there be the vast majority of machines
attacking <= 2 times (91%) and yet some machines, not even in my subnet,
have attacked more than 75 times EACH...? Doesn't this seem a little odd?
I realize that IP spoofing could be used, and that would reduce the
recurrences, but it was my understanding that the main virus wasn't that
smart, and just used a RNG with a 12.5% chance of going outside its class
A domain, so... something doesn't add up here.
check it out if you'd like:
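An added example, not part of the original post and not the poster's program: one way to produce the per-source tallies the message describes (unique sources, how many hit once or twice, and whether the repeat sources share the server's class A). It assumes a W3C extended log with a `#Fields:` header and treats `/default.ida` requests padded with `N` or `X` as Code Red and related probes; the function names, the `heavy_at` threshold and the sample lines are constructed for illustration.

```python
from collections import Counter

# Constructed sample log; addresses come from private and documentation ranges.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-12 00:01:10 10.9.8.7 GET /default.ida NNNNNNNNNNNN 200
2001-08-12 00:03:42 198.51.100.7 GET /default.ida XXXXXXXXXXXX 200
2001-08-12 00:05:00 198.51.100.7 GET /default.ida XXXXXXXXXXXX 200
2001-08-12 00:07:19 198.51.100.7 GET /default.ida XXXXXXXXXXXX 200
2001-08-12 00:09:03 203.0.113.20 GET /default.ida NNNNNNNNNNNN 200
2001-08-12 00:11:27 203.0.113.20 GET /default.ida NNNNNNNNNNNN 200
2001-08-12 00:12:00 192.0.2.33 GET /index.html - 200
2001-08-12 00:14:51 10.200.1.4 GET /default.ida XXXXXXXXXXXX 200
"""

def worm_sources(log_text):
    """Return the client IP of every /default.ida request padded with N or X."""
    fields, sources = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "").lower()
        query = row.get("cs-uri-query", "")
        if stem == "/default.ida" and query[:8] in ("N" * 8, "X" * 8):
            sources.append(row["c-ip"])
    return sources

def summarize(sources, server_ip, heavy_at):
    """Count sources per hit total and flag repeat sources by class A locality."""
    per_ip = Counter(sources)
    histogram = Counter(per_ip.values())  # hits -> number of sources with that total
    low = sum(n for hits, n in histogram.items() if hits <= 2)
    server_a = server_ip.split(".")[0]
    # For each repeat source: (hit count, shares the server's first octet?)
    heavy = {ip: (hits, ip.split(".")[0] == server_a)
             for ip, hits in per_ip.items() if hits >= heavy_at}
    return {"unique": len(per_ip), "histogram": dict(histogram),
            "share_le_2": low / len(per_ip) if per_ip else 0.0, "heavy": heavy}

if __name__ == "__main__":
    print(summarize(worm_sources(SAMPLE_LOG), server_ip="10.1.2.3", heavy_at=3))
```

Splitting the repeat sources by whether they share the server's first octet separates locally biased scanning from repeat hits arriving from unrelated networks, which is the distinction the question turns on.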