[40102] in North American Network Operators' Group


Re: Code Red growth stats

daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Wed Aug 1 17:19:55 2001

From: "Steven M. Bellovin" <smb@research.att.com>
To: Scott Stursa <stursa@acns.fsu.edu>
Cc: nanog@nanog.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 01 Aug 2001 17:19:19 -0400
Message-Id: <20010801211919.97A057B59@berkshire.research.att.com>
Errors-To: owner-nanog-outgoing@merit.edu


In message <Pine.SOL.3.93.1010801170555.4987V-100000@acns.fsu.edu>, Scott Stursa writes:
>
>On Wed, 1 Aug 2001, Dave Stewart wrote:
>
>> I suspect we'll see it begin to pick up a little bit... it looks like 
>> Billybob is just starting to get home from work and fire up his whizbang 
>> Windows 2000 machine, which he put IIS on so he can share kewl warez and 
>> mp3z with his leet friends...
>
>At 1500 EDT I put a counter on one of our commodity Internet connections,
>looking for port 80 connects to one of our unassigned /24 subnets.  Here
>are the results so far:
>
>1500-1530: 682
>1530-1600: 536
>1600-1630: 533
>1630-1700: 643
>
>Seems to be picking up.

Maybe -- we need more data to be sure.  But -- given that a lot of 
folks have patched systems over the last two weeks -- I suspect it's 
running out of "food".  Look at the graph from the last go-round at
http://www.cert.org/advisories/CA-2001-23.html -- it leveled off, too.
(If the Worm is operating on UTC, the "stop" phase would have commenced 
at 2000 EDT.  Even if it ran on local time, Western European machines 
wouldn't quiesce until 1700.  The drop off starts well before that.)


		--Steve Bellovin, http://www.research.att.com/~smb
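
The half-hour counter described in the quoted message (port 80 connects into an unassigned /24) can be reproduced from flow records. This is an added example, not part of the original thread: the record format, the 192.0.2.0/24 stand-in subnet and the sample lines are constructed assumptions, and it also reports distinct sources per bin, which the thread did not measure.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

DARKNET = ip_network("192.0.2.0/24")   # assumption: stand-in for the unassigned /24
BIN_MINUTES = 30

# Constructed sample records: time, source, destination, dest port, TCP flags
SAMPLE = """\
2001-08-01T15:02:11 198.51.100.7 192.0.2.14 80 S
2001-08-01T15:02:12 198.51.100.7 192.0.2.15 80 S
2001-08-01T15:17:40 203.0.113.9 192.0.2.200 80 S
2001-08-01T15:29:59 203.0.113.9 192.0.2.201 25 S
2001-08-01T15:30:00 198.51.100.7 192.0.2.16 80 S
2001-08-01T15:41:03 203.0.113.77 10.1.2.3 80 S
2001-08-01T15:44:30 203.0.113.77 192.0.2.3 80 SA
2001-08-01T15:58:21 203.0.113.80 192.0.2.4 80 S
garbled line
"""

def bin_start(ts):
    """Round a timestamp down to the start of its BIN_MINUTES window."""
    return ts.replace(minute=ts.minute - ts.minute % BIN_MINUTES, second=0, microsecond=0)

def count_probes(lines):
    """Return {bin_start: (attempts, distinct_sources)} for port-80 SYNs into DARKNET."""
    attempts = defaultdict(int)
    sources = defaultdict(set)
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue                      # skip malformed records
        when, src, dst, dport, flags = fields
        try:
            ts = datetime.fromisoformat(when)
            src_ip, dst_ip = ip_address(src), ip_address(dst)
        except ValueError:
            continue                      # skip unparseable timestamps or addresses
        # Only initial connection attempts (SYN without ACK) to port 80 of the darknet
        if dport != "80" or flags != "S" or dst_ip not in DARKNET:
            continue
        key = bin_start(ts)
        attempts[key] += 1
        sources[key].add(src_ip)
    return {k: (attempts[k], len(sources[k])) for k in sorted(attempts)}

if __name__ == "__main__":
    for start, (n, uniq) in count_probes(SAMPLE.splitlines()).items():
        print(f"{start:%H%M}: {n} connects from {uniq} sources")
```

Because nothing legitimate should address an unassigned subnet, every counted SYN is unsolicited scanning, and the distinct-source column separates a growing infected population from a few hosts scanning harder.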


