[40084] in North American Network Operators' Group


Re: Code Red growth stats

daemon@ATHENA.MIT.EDU (Dave Stewart)
Wed Aug 1 13:33:52 2001

Message-Id: <5.1.0.14.2.20010801132018.04a8dc68@mail.ntrnet.net>
Date: Wed, 01 Aug 2001 13:32:39 -0400
To: nanog@nanog.org
From: Dave Stewart <dbs@ntrnet.net>
In-Reply-To: <20010801094405.B2083@caida.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Errors-To: owner-nanog-outgoing@merit.edu


At 12:44 PM 8/1/2001, k claffy wrote:
>no per AS stats for this outbreak yet,
>also under construction.

I hadn't seen this behavior before... every 5 minutes, starting at 12:57PM 
EDT, a host at e0.filt2.knox.tn.ena.net is performing the probe...

12:57:01 -0400
13:01:56 -0400
13:06:53 -0400
13:11:50 -0400
13:16:47 -0400

and now it's stopped.

In every previous case, a host has hit the machine I'm looking at one time 
and then never been heard from again.

The possibility exists that this is a firewall of some sort, and multiple 
machines behind it are probing....

Or possibly multiple instances of CodeRed are running on this machine...

These two possibilities seem most likely... but it does bring this 
interesting thought to mind... has a variant been introduced that tries for 
half an hour to probe the same host?
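
An added example, not part of the original message: one way to separate the usual one-shot probers from a source that returns on a fixed timer, by measuring the gaps between hits per source. The five times for e0.filt2.knox.tn.ena.net are the ones quoted above; the other two sources, the log shape and the thresholds are constructed assumptions, and all times are assumed to fall on one day.

```python
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed sample of (time, source) probe records. Only the ena.net times
# come from the message; host-a/host-b and their times are made up.
SAMPLE = [
    ("12:41:10", "host-a.example.net"),
    ("12:50:00", "host-b.example.net"),
    ("12:57:01", "e0.filt2.knox.tn.ena.net"),
    ("13:01:56", "e0.filt2.knox.tn.ena.net"),
    ("13:06:53", "e0.filt2.knox.tn.ena.net"),
    ("13:11:50", "e0.filt2.knox.tn.ena.net"),
    ("13:16:47", "e0.filt2.knox.tn.ena.net"),
    ("13:20:30", "host-b.example.net"),
]

def gaps_by_source(events):
    """Return {source: [seconds between consecutive probes]}."""
    seen = defaultdict(list)
    for ts, src in events:
        seen[src].append(datetime.strptime(ts, "%H:%M:%S"))
    gaps = {}
    for src, times in seen.items():
        times.sort()
        gaps[src] = [int((b - a).total_seconds())
                     for a, b in zip(times, times[1:])]
    return gaps

def classify(gaps, min_repeats=3, max_jitter=10):
    """Label a source by its inter-probe gaps (thresholds are assumptions).

    one-shot : seen once, the pattern described for every previous case
    periodic : at least min_repeats gaps whose spread is <= max_jitter seconds
    irregular: came back, but not on a steady timer
    """
    if not gaps:
        return "one-shot"
    if len(gaps) >= min_repeats and pstdev(gaps) <= max_jitter:
        return "periodic"
    return "irregular"

def report(events):
    return {src: (classify(g), g) for src, g in gaps_by_source(events).items()}

if __name__ == "__main__":
    for src, (label, gaps) in report(SAMPLE).items():
        print(f"{src:28s} {label:9s} {gaps}")
```

A steady interval by itself does not tell a NAT or firewall address apart from one host running several instances; it only marks the source as worth a closer look.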

