[40138] in North American Network Operators' Group

Re: Code Red growth stats

daemon@ATHENA.MIT.EDU (Daniel Senie)
Thu Aug 2 08:14:25 2001

Message-Id: <5.1.0.14.2.20010802075813.03d66d00@mail.amaranth.net>
Date: Thu, 02 Aug 2001 08:13:44 -0400
To: nanog@nanog.org
From: Daniel Senie <dts@senie.com>
In-Reply-To: <5.1.0.14.2.20010801224100.04b37b58@mail.ntrnet.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Errors-To: owner-nanog-outgoing@merit.edu


At 10:43 PM 8/1/01, Dave Stewart wrote:

>At 10:35 PM 8/1/2001, Steven M. Bellovin wrote:
>>If it has indeed turned up again, I'm at a loss to explain it.  While
>>I'm sure there are some IIS servers on home machines, I doubt there are
>>that many.  But I don't have another explanation to offer.
>
>I'd bet there are way more than we think:
>
>ac96a2b4.ipt.aol.com - - [01/Aug/2001:20:37:10 -0400] "GET 
>/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 
>HTTP/1.0" 400 323 "-" "-"

Indeed. I've seen 1215 probes since the start of August, and a rough glance 
shows something like 30% or more are dialups, cable modems and DSL lines. 
Better than 50% appear to be addresses without INADDR.

I've written a script that produces a file of the addresses or INADDR names 
that appear in the probes to our web servers. We run Apache, and so are 
only affected insofar as there's extra load. If there's interest, I could 
make the resultant file available for web download, and set it up to run daily.


-----------------------------------------------------------------
Daniel Senie                                        dts@senie.com
Amaranth Networks Inc.                    http://www.amaranth.com
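
An added example, not part of the original message and not the script its author describes: one way to pull the sources of `/default.ida` probes out of an Apache access log and report how many have no INADDR name. It assumes Common Log Format lines whose host field already holds the reverse-DNS name where one exists (for instance via `HostnameLookups On` or `logresolve`); the sample lines, hostnames and addresses are constructed.

```python
import ipaddress
import re
from collections import Counter

# Common Log Format prefix: host ident user [time] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')
# Probe shape from the quoted log line: /default.ida? followed by a long run
# of one filler letter (N in that line; any single letter is accepted here).
PROBE_RE = re.compile(r'^GET /default\.ida\?([A-Za-z])\1{63,}', re.IGNORECASE)

# Constructed sample input (documentation addresses, shortened request).
FILLER = "N" * 224
PROBE = f"GET /default.ida?{FILLER}%u9090=a HTTP/1.0"
SAMPLE = [
    f'dialup-17.example.net - - [01/Aug/2001:20:37:10 -0400] "{PROBE}" 400 323 "-" "-"',
    f'192.0.2.44 - - [01/Aug/2001:20:41:02 -0400] "{PROBE}" 400 323 "-" "-"',
    f'192.0.2.44 - - [01/Aug/2001:21:05:39 -0400] "{PROBE}" 400 323 "-" "-"',
    '198.51.100.7 - - [01/Aug/2001:21:06:00 -0400] "GET /index.html HTTP/1.0" 200 1043 "-" "-"',
    'truncated or malformed line',
]

def is_bare_ip(host):
    """True when the host field is an address, i.e. no reverse DNS name was logged."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def summarize(lines):
    """Count probes per source and list the sources that lack an INADDR name."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        host, request = m.group(1), m.group(3)
        if PROBE_RE.match(request):
            hits[host.lower()] += 1
    sources = sorted(hits)
    unresolved = [h for h in sources if is_bare_ip(h)]
    return {"probes": sum(hits.values()), "sources": sources,
            "unresolved": unresolved, "hits": hits}

if __name__ == "__main__":
    report = summarize(SAMPLE)
    print(f"{report['probes']} probes from {len(report['sources'])} sources, "
          f"{len(report['unresolved'])} without INADDR")
    print("\n".join(report["sources"]))
```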

