[Dshield] I've got a question about code red...

Sean Graham seangra at yahoo.com
Mon Aug 13 00:55:33 GMT 2001

Hello all, I have a question.

I wrote a crazy program that does real-time stats of the Code Red (and 
related) attacks on my W2K IIS server, and I've noticed that there are more 
than 30 people who have attacked more than 50 times.  In fact, out of 1557 
unique machines that have attacked me, 1282 have attacked once, 135 
attacked twice, (a bunch more inbetween), 3 have attacked 74 times, and 
there are people who have attacked 75, 76, 78, 87, 91 and 97 times.  None 
of these mentioned (above 70 attacks) are in my subnet.

So my question is this:  why would there be the vast majority of machines 
attacking <= 2 times (91%) and yet some machines, not even in my subnet, 
have attacked more than 75 times EACH...?  Doesn't this seem a little odd?

I realize that IP spoofing could be used, and that would reduce the 
recurrances, but it was my understanding that the main virus wasn't that 
smart, and just used a RNG with a 12.5% chance of going outside it's class 
A domain, so... something doesn't add up here.

check it out if you'd like:



-- Sean

Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com

More information about the list mailing list