[Dshield] 1214 (Kazaa) multiple hits & 80 as well

Lauro, John jlauro at umflint.edu
Fri Jun 21 03:48:25 GMT 2002


Then..... This guy keeps scanning port 80.  The IP is very close to
mine.  Notice that the attacker's ip changes from 165.247.115.148 to
165.247.88.159 and other 165.247.xx.xxx variations.  DO you think it
is the same person?


Probably not the same person, but the same worm.

Some worms (code-red II, etc...) base their random address on their
own address, and weight it in the following order:
Same network/24 very likely
Same network/16
Same network/8
Pure random less likely.

I forget the exact ratios, but you get the idea...

Anyways, this proved to be very effective to worm writers...
spreading much quicker then the first attempts that were just
random.....  Three main reasons:
1. Portion of net the same, more likely machines are closer and thus
faster connections.  This is especially true for /24, etc...
2. If one machine is can be compromised by the worm, then another
machine in the same network is likely to also be...

One less obvious, but I heard reports of:
3. If one machine is infected behind a firewall (ie: a laptop is
infected at home, and then connected to corporate net), it is more
likely to cause an outbreak behind the firewall instead of spending
all it's time attacking outside...





More information about the list mailing list