[40119] in North American Network Operators' Group


Re: Code Red growth stats

daemon@ATHENA.MIT.EDU (Ryan Tucker)
Wed Aug 1 23:21:02 2001

Message-Id: <200108020317.f723Hcn83403@mail1.netacc.net>
Date: Wed, 1 Aug 2001 23:17:38 -0400
From: Ryan Tucker <rtucker@netacc.net>
Content-Type: text/plain;
	format=flowed;
	charset=us-ascii
Cc: k claffy <kc@ipn.caida.org>, nanog@nanog.org
To: "Steven M. Bellovin" <smb@research.att.com>
In-Reply-To: <20010802023546.7B1097B59@berkshire.research.att.com>
Mime-Version: 1.0 (Apple Message framework v388)
Content-Transfer-Encoding: 7bit
Errors-To: owner-nanog-outgoing@merit.edu
On Wednesday, August 1, 2001, at 10:35 , Steven M. Bellovin wrote:
> If it has indeed turned up again, I'm at a loss to explain it.  While
> I'm sure there are some IIS servers on home machines, I doubt there are
> that many.  But I don't have another explanation to offer.

I monitored a couple web servers for probes today... out of a good 20 or 
so probes, only 1 looked like a legitimate server.  I don't have the 
data here to do a complete analysis, but the single largest group of 
infected machines were behind ADSL.  Cable and dialup (!) were also 
well-represented.

It looks like a lot of servers got patched (given an equal number of 
average servers and average home connections, I'd expect more probes 
from the servers due to home connections usually having crippled 
upstreams), but now we're down to mostly home machines, which much of the 
press coverage said were not a problem.

I also noticed probes dropped off suddenly after about 4:30pm EDT (2030 
GMT).  It went from about 5 per hour to one the rest of the evening.  
Gratuitous arping dropped off about that time as well.

These observations are only valid to about 8pm or so... got bored and 
went home.  -rt
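The post above counts Code Red probes against a couple of web servers by hour and by type of source network. The script below is an added example of how such a count can be pulled out of an ordinary web-server access log; it is not code from the poster or from the NANOG thread. It assumes Apache-style combined log lines and the worm's HTTP signature as described in the public analyses of the time (a GET for /default.ida padded with a long run of N characters in the first Code Red, or X characters in Code Red II, before the %u-encoded payload); the log lines are constructed sample data, with RFC 5737 documentation addresses standing in for real sources.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Apache/IIS-style combined log line: source IP, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

# Code Red's HTTP probe: GET /default.ida followed by a long run of N (Code Red v1/v2)
# or X (Code Red II) padding and then the %u-encoded exploit payload. The pattern is
# an assumption taken from the published worm analyses, not from the mailing-list post.
CODERED_RE = re.compile(r'^GET /default\.ida\?(N{100,}|X{100,})%u')


def parse_ts(s):
    """'01/Aug/2001:14:05:11 -0400' -> timezone-aware datetime converted to UTC."""
    return datetime.strptime(s, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)


def classify(lines):
    """Return (probes per UTC hour, probes per source IP, probes per worm variant)."""
    per_hour = Counter()
    per_source = Counter()
    variants = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a log line we understand; skip it
        cr = CODERED_RE.match(m.group("req"))
        if not cr:
            continue  # ordinary request, not a worm probe
        ts = parse_ts(m.group("ts"))
        per_hour[ts.strftime("%Y-%m-%d %H:00Z")] += 1
        per_source[m.group("ip")] += 1
        padding = cr.group(1)[0]
        variants["CRv1/v2 (N padding)" if padding == "N" else "CRII (X padding)"] += 1
    return per_hour, per_source, variants


def sample_log():
    """Constructed sample data: six probes on 1 Aug 2001 EDT plus two legitimate requests.
    The 224-character padding length is illustrative."""
    nnn = "N" * 224
    xxx = "X" * 224
    probe = "GET /default.ida?{}%u9090%u6858%ucbd3 HTTP/1.0"
    return [
        f'192.0.2.10 - - [01/Aug/2001:14:05:11 -0400] "{probe.format(nnn)}" 404 -',
        f'192.0.2.11 - - [01/Aug/2001:14:40:32 -0400] "{probe.format(nnn)}" 404 -',
        f'198.51.100.7 - - [01/Aug/2001:14:55:03 -0400] "{probe.format(xxx)}" 404 -',
        f'192.0.2.50 - - [01/Aug/2001:15:00:00 -0400] "GET /index.html HTTP/1.0" 200 1234',
        f'203.0.113.5 - - [01/Aug/2001:15:20:47 -0400] "{probe.format(nnn)}" 404 -',
        f'192.0.2.10 - - [01/Aug/2001:16:10:18 -0400] "{probe.format(nnn)}" 404 -',
        f'192.0.2.50 - - [01/Aug/2001:17:30:00 -0400] "GET /robots.txt HTTP/1.0" 200 56',
        f'198.51.100.9 - - [01/Aug/2001:19:45:59 -0400] "{probe.format(xxx)}" 404 -',
    ]


if __name__ == "__main__":
    per_hour, per_source, variants = classify(sample_log())
    print("probes per UTC hour:")
    for hour, n in sorted(per_hour.items()):
        print(f"  {hour}  {n}")
    print("repeat sources:", {ip: n for ip, n in per_source.items() if n > 1})
    print("variants:", dict(variants))
```

Bucketing by UTC rather than the log's local offset is what lets counts from servers in different time zones be lined up against each other, which is the kind of comparison the thread is making; the per-source counter separates a handful of persistently infected hosts from a broad spread of one-off probes, and the variant split shows which worm generation is producing the traffic.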
