[40125] in North American Network Operators' Group


Re: Code Red growth stats

daemon@ATHENA.MIT.EDU (Avi Freedman)
Wed Aug 1 23:58:40 2001

Date: Wed, 1 Aug 2001 23:56:14 -0400
From: Avi Freedman <freedman@freedman.net>
Message-Id: <200108020356.XAA04955@freedman.net>
To: nanog@merit.edu
In-Reply-To: <10171.223820.2348@avi.netaxs.com>
Errors-To: owner-nanog-outgoing@merit.edu


In article <10171.223820.2348@avi.netaxs.com> smd wrote:

: Fascinating; thanks.  SANS hasn't updated their plots lately, so I 
: can't compare.  Anyone else with any data to post?  (On the other hand 
: -- any chance that the dip recorded at CAIDA is due to the measurement 
: problems?)

: If it has indeed turned up again, I'm at a loss to explain it.  While 
: I'm sure there are some IIS servers on home machines, I doubt there are 
: that many.  But I don't have another explanation to offer.

: 		--Steve Bellovin, http://www.research.att.com/~smb

Data from Akamai (we are not gathering all data, so this shows size
as a trend based on sampling, not absolute #):

Time    Hosts   New Hosts/Hour
11:00    4,782
15:00   25,600  5204.5
15:33   30,921  9674.55
16:29   37,240  6770.36
17:25   43,120  6300.00
18:23   48,885  5963.79

This is ONLY for default.ida and some pieces of "classic code red" 
byte matching, off of hits to Akamai web servers - not just port 80 
scans to unused IP space.  

We saw almost nothing last night/yesterday.

Then today we saw it go exponential, then linear, then slow, then linear.
I can't get in to get the last-few-hours data...

We've noted 4-5 new worm signatures today, though.  Luckily no
super-duper-evil ones yet.

The security and architecture elves at Akamai are owed the credit, but
if I mentioned their names the security weenies would have to kill me...

Avi
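
Added example (not part of the original message, and not Akamai's code): a sketch of the kind of measurement described above, counting distinct sources that request default.ida in web server logs and deriving new hosts per hour between samples. The Common Log Format input, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime
# Assumed input: Common Log Format -> host ident user [time] "request" status bytes
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" \d{3} \S+')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def first_seen(lines):
    """Map each source host to the time of its first default.ida request."""
    seen = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        host, stamp, target = m.groups()
        # IIS paths are case-insensitive; ignore the query string.
        if not target.split("?", 1)[0].lower().endswith("/default.ida"):
            continue
        when = datetime.strptime(stamp, TIME_FMT)
        if host not in seen or when < seen[host]:
            seen[host] = when
    return seen

def cumulative(seen, sample_times):
    """Count distinct hosts first seen at or before each sample time."""
    return [(t, sum(1 for s in seen.values() if s <= t)) for t in sample_times]

def growth_table(samples):
    """[(time, cumulative_hosts)] -> [(time, hosts, new_hosts_per_hour)]."""
    rows = [(samples[0][0], samples[0][1], None)]
    for (t0, h0), (t1, h1) in zip(samples, samples[1:]):
        hours = (t1 - t0).total_seconds() / 3600
        rows.append((t1, h1, round((h1 - h0) / hours, 2)))
    return rows

# Constructed sample lines (documentation addresses, placeholder query string).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Aug/2001:11:00:05 -0400] "GET /default.ida?x HTTP/1.0" 404 0',
    '192.0.2.10 - - [01/Aug/2001:11:30:00 -0400] "GET /default.ida?x HTTP/1.0" 404 0',
    '198.51.100.7 - - [01/Aug/2001:11:45:00 -0400] "GET /index.html HTTP/1.0" 200 512',
    '198.51.100.7 - - [01/Aug/2001:12:10:00 -0400] "GET /default.ida?x HTTP/1.0" 404 0',
    '203.0.113.5 - - [01/Aug/2001:12:40:00 -0400] "GET /DEFAULT.IDA?x HTTP/1.0" 404 0',
    'truncated line with no request field',
]

if __name__ == "__main__":
    seen = first_seen(SAMPLE_LOG)
    marks = [datetime.strptime(f"01/Aug/2001:{h}:00:00 -0400", TIME_FMT) for h in (12, 13)]
    for t, hosts, rate in growth_table(cumulative(seen, marks)):
        print(t.strftime("%H:%M"), hosts, rate)
```

Feeding the Time/Hosts pairs from the table above into growth_table reproduces its New Hosts/Hour column.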

