[Dshield] I've got a question about code red...

Johannes B. Ullrich jullrich at euclidian.com
Mon Aug 13 11:54:14 GMT 2001

> So my question is this:  why would there be the vast majority of machines
> attacking <= 2 times (91%) and yet some machines, not even in my subnet,
> have attacked more than 75 times EACH...?  Doesn't this seem a little odd?

There are a number of factors that determine how many times you are
attacked by a particular machine. Most importantly, Code Red II prefers to
attack machines close to it. It attacks machines in the same subnet much
more frequently than machines with other IPs.

It also depends on the speed of the connection these machines have
and if they are up all the time.

Another Code Red II specialty: If it finds a machine that appears to run
the Chinese version of Windows, it will scan twice as fast.
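
To check the locality effect described in this reply against your own logs, here is an added example (not part of the original post) that tallies probes per source and groups sources by how much address prefix they share with the sensor. The log format, all addresses and the /16 and /8 bucket boundaries are constructed assumptions; the thresholds 2 and 75 come from the quoted question.

```python
import ipaddress
from collections import Counter, defaultdict

OWN_IP = "10.20.30.40"  # constructed sensor address (assumption)

def build_sample_log():
    """Constructed probe log: one 'timestamp source-ip' line per worm probe."""
    hits = {"10.20.7.9": 80, "10.20.200.1": 76, "10.99.1.1": 5,
            "172.16.5.5": 1, "192.168.3.3": 2, "172.31.0.8": 1,
            "192.168.77.2": 1, "172.20.1.1": 2, "192.168.9.9": 1,
            "172.18.4.4": 1}
    return [f"2001-08-12T00:00:00 {ip}" for ip, n in hits.items() for _ in range(n)]

def common_prefix_bits(a, b):
    """Number of leading bits two IPv4 addresses have in common."""
    diff = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return 32 - diff.bit_length()

def bucket(src, own):
    """Proximity bucket; the /16 and /8 boundaries are assumed for illustration."""
    bits = common_prefix_bits(src, own)
    if bits >= 16:
        return "same /16"
    if bits >= 8:
        return "same /8"
    return "elsewhere"

def summarize(lines, own, low=2, heavy=75):
    """Per-source probe counts, share of quiet sources, and heavy hitters."""
    per_source = Counter(line.split()[1] for line in lines if line.strip())
    by_bucket = defaultdict(lambda: {"sources": 0, "probes": 0})
    for src, n in per_source.items():
        entry = by_bucket[bucket(src, own)]
        entry["sources"] += 1
        entry["probes"] += n
    quiet = sum(1 for n in per_source.values() if n <= low)
    return {
        "sources": len(per_source),
        "quiet_share": quiet / len(per_source),
        "heavy": sorted(s for s, n in per_source.items() if n > heavy),
        "by_bucket": dict(by_bucket),
    }

if __name__ == "__main__":
    report = summarize(build_sample_log(), OWN_IP)
    print(f"{report['sources']} sources, {report['quiet_share']:.0%} probed <= 2 times")
    print("more than 75 probes:", ", ".join(report["heavy"]))
    for name, entry in report["by_bucket"].items():
        print(f"{name:10} sources={entry['sources']:3} probes={entry['probes']:4}")
```
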

