North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Code Red growth stats

  • From: Ryan Tucker
  • Date: Wed Aug 01 23:22:52 2001

On Wednesday, August 1, 2001, at 10:35 , Steven M. Bellovin wrote:
If it has indeed turned up again, I'm at a loss to explain it.  While
I'm sure there are some IIS servers on home machines, I doubt there are
that many.  But I don't have another explanation to offer.
I monitored a couple web servers for probes today... out of a good 20 or so probes, only 1 looked like a legitimate server. I don't have the data here to do a complete analysis, but the single largest group of infected machines were behind ADSL. Cable and dialup (!) were also well-represented.

It looks like a lot of servers got patched (given an equal number of average servers and average home connections, I'd expect more probes from the servers due to home connections usually having crippled upstreams), but now we're down mostly home machines, which much of the press coverage said were not a problem.

I also noticed probes dropped off suddenly after about 4:30pm EDT (2030 GMT). It went from about 5 per hour to one the rest of the evening. Gratuitous arping dropped off about that time as well.

These observations are only valid to about 8pm or so... got bored and went home. -rt