North American Network Operators Group


Re: Code Red growth stats

  • From: Avi Freedman
  • Date: Thu Aug 02 00:00:32 2001

In article <[email protected]> smd wrote:

: Fascinating; thanks.  SANS hasn't updated their plots lately, so I 
: can't compare.  Anyone else with any data to post?  (On the other hand 
: -- any chance that the dip recorded at CAIDA is due to the measurement 
: problems?)

: If it has indeed turned up again, I'm at a loss to explain it.  While 
: I'm sure there are some IIS servers on home machines, I doubt there are 
: that many.  But I don't have another explanation to offer.

: 		--Steve Bellovin, http://www.research.att.com/~smb

Data from Akamai (we are not gathering all data, so this shows size
as a trend based on sampling, not absolute #):

Time    Hosts   New Hosts/Hour
11:00    4,782
15:00   25,600  5204.5
15:33   30,921  9674.55
16:29   37,240  6770.36
17:25   43,120  6300.00
18:23   48,885  5963.79

This is ONLY for default.ida and some pieces of "classic code red" 
byte matching, off of hits to Akamai web servers - not just port 80 
scans to unused IP space.  

We saw almost nothing last night/yesterday.

Then today we saw it go exponential, then linear, then slow, then linear.
I can't get in to get the last-few-hours data...

We've noted 4-5 new worm signatures today, though.  Luckily no
super-duper-evil ones yet.

The security and architecture elves at Akamai are owed the credit, but
if I mentioned their names the security weenies would have to kill me...

Avi
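
Added example, not part of the original post and not Akamai's code: one way to produce a "Hosts / New Hosts/Hour" table like the one above from web server access logs, by recording the first time each source address requests default.ida. The log lines, addresses, sample times and function names are constructed for illustration, and the "classic code red" byte matching mentioned in the post is not reproduced here.

```python
import re
from datetime import datetime

# Constructed Common Log Format lines; addresses come from documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Aug/2001:11:02:10 +0000] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 205
192.0.2.11 - - [01/Aug/2001:11:40:00 +0000] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 205
192.0.2.10 - - [01/Aug/2001:12:15:00 +0000] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 205
198.51.100.7 - - [01/Aug/2001:12:20:00 +0000] "GET /index.html HTTP/1.0" 200 1043
198.51.100.8 - - [01/Aug/2001:12:30:00 +0000] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 205
203.0.113.5 - - [01/Aug/2001:12:45:00 +0000] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 205
203.0.113.6 - - [01/Aug/2001:13:10:00 +0000] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 205
203.0.113.7 - - [01/Aug/2001:13:20:00 +0000] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 205
203.0.113.8 - - [01/Aug/2001:13:25:00 +0000] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 205
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def first_seen(log_text):
    """Map each source address to the time of its first default.ida request."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) != "GET" or not m.group(4).lower().startswith("/default.ida"):
            continue  # unparseable line or unrelated request
        ip, when = m.group(1), datetime.strptime(m.group(2), TS_FMT)
        if ip not in seen or when < seen[ip]:
            seen[ip] = when  # repeat hits from a known host do not count again
    return seen

def new_hosts_per_hour(prev_n, n, hours):
    """Growth between two samples, normalised to one hour."""
    return round((n - prev_n) / hours, 2)

def growth_table(seen, sample_times):
    """Rows of (time, cumulative distinct hosts, new hosts/hour since the previous sample)."""
    rows, prev = [], None
    for t in sample_times:
        n = sum(1 for when in seen.values() if when <= t)
        rate = None  # the first sample has no earlier sample to compare with
        if prev:
            rate = new_hosts_per_hour(prev[1], n, (t - prev[0]).total_seconds() / 3600)
        rows.append((t.strftime("%H:%M"), n, rate))
        prev = (t, n)
    return rows

SAMPLE_TIMES = [datetime.strptime(f"01/Aug/2001:{h}:00 +0000", TS_FMT) for h in ("12:00", "13:00", "13:30")]
if __name__ == "__main__":
    for row in growth_table(first_seen(SAMPLE_LOG), SAMPLE_TIMES):
        print(row)
```

The same rate calculation applied to the posted figures reproduces the "New Hosts/Hour" column, for example 4,782 to 25,600 hosts over four hours gives 5204.5.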