|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: Code Red growth stats
On Wednesday, August 1, 2001, at 10:35 , Steven M. Bellovin wrote: I monitored a couple web servers for probes today... out of a good 20 or so probes, only 1 looked like a legitimate server. I don't have the data here to do a complete analysis, but the single largest group of infected machines were behind ADSL. Cable and dialup (!) were also well-represented.If it has indeed turned up again, I'm at a loss to explain it. While I'm sure there are some IIS servers on home machines, I doubt there are that many. But I don't have another explanation to offer. It looks like a lot of servers got patched (given an equal number of average servers and average home connections, I'd expect more probes from the servers due to home connections usually having crippled upstreams), but now we're down mostly home machines, which much of the press coverage said were not a problem. I also noticed probes dropped off suddenly after about 4:30pm EDT (2030 GMT). It went from about 5 per hour to one the rest of the evening. Gratuitous arping dropped off about that time as well. These observations are only valid to about 8pm or so... got bored and went home. -rt
|