[40127] in North American Network Operators' Group
Re: Code Red growth stats
daemon@ATHENA.MIT.EDU (k claffy)
Thu Aug 2 00:38:16 2001
Date: Wed, 1 Aug 2001 21:37:33 -0700
From: k claffy <kc@ipn.caida.org>
To: "Steven M. Bellovin" <smb@research.att.com>
Cc: nanog@nanog.org
Message-ID: <20010801213733.B8381@caida.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20010802023546.7B1097B59@berkshire.research.att.com>; from smb@research.att.com on Wed, Aug 01, 2001 at 10:35:46PM -0400
Errors-To: owner-nanog-outgoing@merit.edu

On Wed, Aug 01, 2001 at 10:35:46PM -0400, Steven M. Bellovin wrote:
> In message <20010801190627.A7553@caida.org>, k claffy writes:
> >albeit crippled caida monitor (we're working on it),
> >it does seem to have reversed slope again:
> >http://www.caida.org/analysis/security/code-red/aug1-live-hosts.gif
>
> Fascinating; thanks. SANS hasn't updated their plots lately, so I
> can't compare. Anyone else with any data to post? (On the other hand
> -- any chance that the dip recorded at CAIDA is due to the measurement
> problems?)

different problems; i don't think so.
graph of patch rate (we haven't plotted tonite's numbers yet)
http://worm-security-survey.caida.org/patching.gif
suggests that the news coverage did have a slight positive
effect on patch rate
also by AS and per country as of 20:00 GMT
http://worm-security-survey.caida.org/AS_summary.txt

> If it has indeed turned up again, I'm at a loss to explain it. While
> I'm sure there are some IIS servers on home machines, I doubt there are
> that many. But I don't have another explanation to offer.

other possibilities
-- college students going home to start up their web servers?
-- windows servers whose MCSE's rebooted them,
and then went home at 5, believing it fixed...
but just getting reinfected? (-sfd suggestion)
we could do the AS_summary for hosts infected _after_
the increase re-started, and see if it's strongly
disproportionate to hosts behind certain types of providers
haven't done yet
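
The per-AS comparison proposed at the end of the message, sketched as an added example; it is not part of the original post and is not CAIDA's code. The host records, the private-use AS numbers, the provider-type labels and the 12:00 GMT cutoff are all constructed assumptions, since the thread gives neither the AS_summary format nor the time the increase restarted.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample, not CAIDA data: origin AS (private-use numbers) -> hours
# (GMT, 1 Aug 2001) at which a host in that AS was first seen infected.
FIRST_SEEN_HOURS = {
    64512: [1, 2, 3, 4, 6, 7, 9, 10, 13, 16],
    64513: [2, 5, 8, 11, 14, 18],
    64514: [3, 9, 13, 14, 15, 16, 17, 18, 19, 20],
    64515: [1, 4, 7, 10, 15, 19],
}
# Hypothetical provider-type labels for the sample ASes.
PROVIDER_TYPE = {64512: "hosting", 64513: "university",
                 64514: "broadband", 64515: "enterprise"}
# Assumed time at which the increase restarted (the thread gives none).
CUTOFF = datetime(2001, 8, 1, 12, tzinfo=timezone.utc)


def sample_records():
    """Expand the sample into (first_seen, asn) records, one per host."""
    return [(datetime(2001, 8, 1, h, tzinfo=timezone.utc), asn)
            for asn, hours in FIRST_SEEN_HOURS.items() for h in hours]


def as_shift(records, cutoff):
    """Per AS: infections before/after cutoff and the ratio of their shares.

    Add-one smoothing keeps the ratio finite for an AS that appears on only
    one side of the cutoff. Rows are sorted by ratio, largest first.
    """
    before, after = Counter(), Counter()
    for seen, asn in records:
        (after if seen >= cutoff else before)[asn] += 1
    ases = sorted(set(before) | set(after))
    n_before = sum(before.values()) + len(ases)
    n_after = sum(after.values()) + len(ases)
    rows = []
    for asn in ases:
        share_b = (before[asn] + 1) / n_before
        share_a = (after[asn] + 1) / n_after
        rows.append((asn, before[asn], after[asn], share_a / share_b))
    return sorted(rows, key=lambda r: r[3], reverse=True)


def overrepresented(records, cutoff, min_ratio=2.0):
    """ASes whose share of new infections grew by min_ratio or more."""
    return [r[0] for r in as_shift(records, cutoff) if r[3] >= min_ratio]


if __name__ == "__main__":
    for asn, b, a, ratio in as_shift(sample_records(), CUTOFF):
        print(f"AS{asn} {PROVIDER_TYPE[asn]:<10} before={b:2d} after={a:2d} x{ratio:.2f}")
```

A ratio well above 1 for ASes of one provider type would support the reinfection or home-server explanations; ratios near 1 across the board would not.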