[40141] in North American Network Operators' Group
Re: Code Red growth stats
daemon@ATHENA.MIT.EDU (Kevin Houle)
Thu Aug 2 09:13:53 2001
Date: Thu, 02 Aug 2001 09:13:17 -0400
From: Kevin Houle <kjh@cert.org>
To: "Steven M. Bellovin" <smb@research.att.com>,
k claffy <kc@ipn.caida.org>
Cc: nanog@nanog.org
Message-ID: <11010000.996757997@corydoras.blue.cert.org>
In-Reply-To: <20010802023546.7B1097B59@berkshire.research.att.com>
--On Wednesday, August 01, 2001 22:35:46 -0400 "Steven M. Bellovin" <smb@research.att.com> wrote:
> In message <20010801190627.A7553@caida.org>, k claffy writes:
>
>> albeit crippled caida monitor (we're working on it),
>> it does seem to have reversed slope again:
>> http://www.caida.org/analysis/security/code-red/aug1-live-hosts.gif
> If it has indeed turned up again, I'm at a loss to explain it. While
> I'm sure there are some IIS servers on home machines, I doubt there are
> that many. But I don't have another explanation to offer.

For what it's worth, the "wake-up" of previously sleeping worm
threads may be a contributing factor. In lab tests, a wake-up
happens at variable times, measured in hours, after midnight UTC
with all three versions we have tested (the system clock is not
checked during lengthy sleep() calls).

At the moment of wake-up, the rate of scanning (in a vacuum)
is around 160 hosts/hour. The scanning rate on a host infected
during the scanning time of the month is over 50,000 hosts/hour
(again, in a vacuum). The difference is the number of threads
actively scanning; it would appear not all threads wake up at
the same time.

So, over time, the rate of scanning and the scope of address
coverage should increase even if the true number of infected
hosts does not. There will be a point where everything that's
going to wake up has woken up, but I don't know where that
point is.

Kevin
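
Added illustration, not part of the original message and not CERT/CC or CAIDA code: a small model of how a passive monitor's hourly count of scanning hosts can climb as threads wake while the infected population stays fixed. Only the 160 and 50,000 hosts/hour figures come from the message; the population size, the monitored /16, the wake-time spread, the linear ramp and uniformly random targets are assumptions.

```python
"""Expected 'live hosts' seen by a passive monitor while a fixed infected
population's scanning threads wake up gradually."""

WAKE_RATE = 160       # probes/hour at the moment of wake-up (from the message)
FULL_RATE = 50_000    # probes/hour with all threads scanning (from the message)

# Everything below is an assumption made for this illustration.
INFECTED = 10_000            # true infected hosts, held constant
MONITOR_FRACTION = 2**-16    # monitor watches a /16 of IPv4 space
FIRST_WAKE_SPREAD = 6        # hosts first wake 0..6 h after midnight UTC
RAMP_HOURS = 8               # hours for one host to reach FULL_RATE


def host_rate(hours_since_wake):
    """Probes/hour from one host, ramping linearly as more threads wake."""
    if hours_since_wake < 0:
        return 0.0           # still asleep: no scanning at all
    frac = min(hours_since_wake / RAMP_HOURS, 1.0)
    return WAKE_RATE + frac * (FULL_RATE - WAKE_RATE)


def p_seen(rate):
    """Chance that at least one of `rate` uniform random probes hits the monitor."""
    return 1.0 - (1.0 - MONITOR_FRACTION) ** rate


def observed_hosts(hour):
    """Expected distinct infected hosts the monitor sees during `hour`."""
    total = 0.0
    for i in range(INFECTED):
        wake = FIRST_WAKE_SPREAD * i / INFECTED   # evenly spread wake times
        total += p_seen(host_rate(hour - wake))
    return total


def curve(hours=18):
    """Hourly expected counts from midnight UTC onward."""
    return [round(observed_hosts(h)) for h in range(hours + 1)]


if __name__ == "__main__":
    for h, seen in enumerate(curve()):
        print(f"{h:2d}h after midnight UTC: {seen:5d} of {INFECTED} seen")
```

Under these assumptions the observed count rises for 14 hours and then plateaus at roughly half the population, although the number of infected hosts never changes.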