[Dshield] I've got a question about code red...
scottf at uark.edu
Mon Aug 13 03:35:36 GMT 2001
I have a question for you on this one. Of those that have attacked more
than, say, 25 times, how many of them are within the same /16 as you? How
many are in the same /8 as you? I would venture a guess that most all of
those are. If I remember correctly, the CodeRed II virus has an affinity for
those in the same network on the Class B or Class A level. This is my
best guess as to what you are seeing, but I could be wrong on this.
University of Arkansas
On Mon, 13 Aug 2001, Sean Graham wrote:
> Hello all, I have a question.
> I wrote a crazy program that does real-time stats of the Code Red (and
> related) attacks on my W2K IIS server, and I've noticed that there are more
> than 30 people who have attacked more than 50 times. In fact, out of 1557
> unique machines that have attacked me, 1282 have attacked once, 135
> attacked twice, (a bunch more in between), 3 have attacked 74 times, and
> there are people who have attacked 75, 76, 78, 87, 91 and 97 times. None
> of these mentioned (above 70 attacks) are in my subnet.
> So my question is this: why would there be the vast majority of machines
> attacking <= 2 times (91%) and yet some machines, not even in my subnet,
> have attacked more than 75 times EACH...? Doesn't this seem a little odd?
> I realize that IP spoofing could be used, and that would reduce the
> recurrences, but it was my understanding that the main virus wasn't that
> smart, and just used a RNG with a 12.5% chance of going outside its class
> A domain, so... something doesn't add up here.
> check it out if you'd like:
> -- Sean
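The check suggested in the reply above (of the sources seen more than 25 times, how many share the server's /16 or /8), as an added example that is not part of the original thread. The log layout, the server address and every log line are constructed for illustration, and matching on `/default.ida` assumes the worm requests are identified by that URI.

```python
import ipaddress
from collections import Counter

SERVER_IP = "198.51.100.10"   # assumed address of the logging web server

def make_sample():
    """Constructed log lines (date time c-ip method uri status), not real traffic."""
    hits = {"198.51.100.77": 30, "198.18.0.5": 27, "203.0.113.9": 26,
            "198.51.100.200": 2, "192.0.2.44": 1}
    lines = ["#Fields: date time c-ip cs-method cs-uri-stem sc-status",
             "2001-08-13 03:00:00 192.0.2.44 GET /index.html 200"]
    for ip, n in hits.items():
        lines += [f"2001-08-13 03:00:00 {ip} GET /default.ida 200"] * n
    return lines

def count_hits(log_lines, marker="/default.ida"):
    """Count requests for the worm's target URI per client address."""
    hits = Counter()
    for line in log_lines:
        fields = line.split()
        if line.startswith("#") or len(fields) < 5:
            continue                      # header or truncated line
        if not fields[4].lower().startswith(marker):
            continue                      # ordinary request
        try:
            hits[ipaddress.IPv4Address(fields[2])] += 1
        except ipaddress.AddressValueError:
            continue                      # malformed client address
    return hits

def locality(src, server):
    """Longest of /16, /8 that src shares with server, else 'elsewhere'."""
    for prefix in (16, 8):
        if src in ipaddress.ip_network(f"{server}/{prefix}", strict=False):
            return f"same /{prefix}"
    return "elsewhere"

def repeat_sources_by_locality(log_lines, server_ip, min_hits=25):
    """Bucket sources seen more than min_hits times by shared prefix."""
    server = ipaddress.IPv4Address(server_ip)
    buckets = Counter()
    for src, n in count_hits(log_lines).items():
        if n > min_hits:
            buckets[locality(src, server)] += 1
    return dict(buckets)

if __name__ == "__main__":
    print(repeat_sources_by_locality(make_sample(), SERVER_IP))
```

Comparing the bucket sizes at a high `min_hits` against those at a low one shows whether the heavy repeaters cluster in the server's own address space or come from elsewhere.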