[unisog] Code Red growing fast.

Richard Johnson rdump at river.com
Wed Aug 1 20:24:15 GMT 2001


At 12:46 -0600 on 8/1/01, Peter Burkholder wrote:
> Before everyone chimes in with what they're experiencing, I suggest
> you check out
>
> 	http://www.incidents.org
>
> The bar chart shows geometric growth since 0000 UTC, with 42000 hosts
> infected in the last hour, and 79000 infected hosts total.  That's as of
> 13:00 EDT.


Beware conflating other hits on port 80 with Code Red worm hits on port 80.
Not all SYNs sent at port 80 are Code Red activity.  Sites that don't
disclose how they're counting the hits are somewhat problematic. :-)

First-cut calibration of SYN counting as a measure of Code Red probably
requires using web server and IDS logs to get a ratio of Code Red to other
traffic.


Richard
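
The calibration suggested in the message above, as an added example that is not part of the original post: it classifies web server log lines as Code Red or other traffic and applies the resulting ratio to a raw port-80 SYN count. Assumptions: logs are in Common Log Format, a Code Red request is recognised by its `/default.ida?` URL followed by a long run of `N` (or `X`) padding, the log lines and addresses are constructed sample data, and the function names are hypothetical.

```python
import re
from collections import namedtuple

# Common Log Format: source, ident, user, [timestamp], "request", status, size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" \d{3} \S+')
# Assumption: request shape used to recognise the worm (long N or X padding).
CODE_RED = re.compile(r'^GET /default\.ida\?[NX]{20,}')

Calibration = namedtuple("Calibration", "total code_red request_ratio source_ratio")

def calibrate(lines):
    """Return the share of logged port-80 requests (and sources) that are Code Red."""
    total = hits = 0
    sources, cr_sources = set(), set()
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a request record (rotation marker, truncated line)
        src, request = m.groups()
        total += 1
        sources.add(src)
        if CODE_RED.match(request):
            hits += 1
            cr_sources.add(src)
    if total == 0:
        raise ValueError("no parsable log lines; cannot calibrate")
    return Calibration(total, hits, hits / total, len(cr_sources) / len(sources))

def estimate_code_red_syns(syn_count, cal):
    """Scale a raw port-80 SYN count by the request ratio seen in the logs."""
    return round(syn_count * cal.request_ratio)

# Constructed sample log; PAD stands in for the worm's padding run.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Aug/2001:13:00:01 -0400] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [01/Aug/2001:13:00:02 -0400] "GET /default.ida?PAD HTTP/1.0" 404 205
198.51.100.7 - - [01/Aug/2001:13:00:09 -0400] "GET /default.ida?PAD HTTP/1.0" 404 205
203.0.113.5 - - [01/Aug/2001:13:00:11 -0400] "GET /default.ida?PAD HTTP/1.0" 404 205
-- log rotated --
192.0.2.10 - - [01/Aug/2001:13:00:12 -0400] "GET /images/logo.gif HTTP/1.0" 200 2310
203.0.113.99 - - [01/Aug/2001:13:00:15 -0400] "GET /default.ida?PAD HTTP/1.0" 404 205
192.0.2.44 - - [01/Aug/2001:13:00:20 -0400] "HEAD / HTTP/1.0" 200 0
198.51.100.23 - - [01/Aug/2001:13:00:31 -0400] "GET /default.ida?PAD HTTP/1.0" 404 205
""".replace("PAD", "N" * 224)

if __name__ == "__main__":
    cal = calibrate(SAMPLE_LOG.splitlines())
    print(cal, estimate_code_red_syns(1000, cal))
```

The ratio only covers connections that reached a web server and were logged; SYNs aimed at addresses with nothing listening on port 80 leave no log entry, so the sensor and the logging hosts should see comparable traffic.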



