[39679] in North American Network Operators' Group


Re: Code Red

daemon@ATHENA.MIT.EDU (lucifer@lightbearer.com)
Thu Jul 19 23:41:03 2001

Message-ID: <20010720034012.24134.qmail@prophecy.lightbearer.com>
From: lucifer@lightbearer.com
In-Reply-To: <5.1.0.14.2.20010719232346.04f38128@mail.ntrnet.net> from Dave Stewart
 at "Jul 19, 2001 11:31:58 pm"
To: Dave Stewart <dbs@ntrnet.net>
Date: Thu, 19 Jul 2001 20:40:12 -0700 (PDT)
Cc: nanog@merit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Errors-To: owner-nanog-outgoing@merit.edu


Dave Stewart wrote:
> 
> At 11:12 PM 7/19/2001, lucifer@lightbearer.com wrote:
> >Reports from our monitoring systems saw the CPU usage jump by somewhere
> >between 150-200% for our core routers today; our current theory is that
> 
> Web servers that were hit beginning this morning at 11:26:41 EDT have not 
> seen another attempt since 19:49:53.
> 
> I'm wondering if this is because it was coming up on 00:00:00 GMT 20-July-2001.
> 
> According to the PC-Cillin write up, the 100-thread scan only takes place 
> if the system date is less than 20, but if it's 20-28, it launches its DOS 
> attack at www1.whitehouse.gov
> 
> Does anybody really know yet what payloads this thing is carrying?

That would roughly correspond with the dropoff in CPU usage, here. Not
proof, but... reasonably strong circumstantial. I guess we'll see for
sure tomorrow, depending on how the traffic stats look.
-- 
***************************************************************************
Joel Baker                           System Administrator - lightbearer.com
lucifer@lightbearer.com              http://www.lightbearer.com/~lucifer
