North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Code Red growth stats

  • From: k claffy
  • Date: Wed Aug 01 17:29:01 2001

On Wed, Aug 01, 2001 at 09:28:49PM +0100, Stephen J. Wilcox wrote:
  On Wed, 1 Aug 2001, Steven M. Bellovin wrote:
  > I ran a little script on the totals reported by, 
  > calculating the ratio between successive samples.  (The latest graph I 
  > could find, as of 1615 EDT, ended at 1400 EDT.)  There was a period of 
  > steady exponential growth in there, but it seems to be tailing off.  
  > That's consistent with another report posted here.
  Does anyone have any theories as to why its tailing, are the thousands of
  vulnerable machines being patched all of a sudden? If not then why is
  traffic decreasing so fast when the worm just keeps searching?
same reason diseases tail off when they run
out of hosts to infect?
also note we learned we should have used a larger bucket,
1 minute is too small since 198,500 unique hosts appeared 
in two adjacent 1-minute buckets from data this am.

don't reckon it's gonna get to the 359,000 level
it reached on the 19th, since a lot of folks have patched
(though not all, and we're still watching that as well)

the news coverage did have some effect.
(at least it was on all local news channels 
in san diego for 2 days.)

folks were asking about caida's methodology; 
it's essentially what i posted last week when 
david did his first analysis

the bad news is our monitor-workaround is having problems (loss) so
got really noisy 

a real solution is going to take a bit longer,

sigh, so measurement is harder than it looks.

(oh wait, we knew that..)