On Tue, 31 Jul 2001 19:31:01 -0600 (MDT) Alfred Huger
<ah_at_securityfocus.com> wrote:
>
>
> I realize that most of you have taken shelter and are awaiting the
> impending demise of the Internet as we know it. However for those of you
> stalwart bastions of courage who are still manning the ship in the face of
> this clear and present danger, I have a question. Anyone seeing Code Red
> activity yet?
>
> I just took a poll through our sensors in ARIS and see almost no activity
> at least none worth commenting on. Anyone else?

Since 10am local time (2200 UTC) I have been monitoring the number of
inbound TCP sessions to port 80 that consist of a single SYN (I
figure the worm should generate lots of these ;-). There was no change
between morning and the hour after midday and a slight rise between 1
and 2 pm, but still well within the bounds of statistical error.

Hmmm... I'll analyse the 2.5 hours of data since midday:

90 # total unique source IP address
212.135.14.10. 01 Aug 01 00:10:58 -- 01 Aug 01 01:43:17 # count 3
24.14.144.90. 01 Aug 01 00:08:09 -- 01 Aug 01 00:34:24 # count 2
61.144.143.124. 01 Aug 01 01:48:15 -- 01 Aug 01 02:21:34 # count 2
24.69.55.69. 01 Aug 01 00:50:03 -- 01 Aug 01 02:14:51 # count 2
145.249.35.45. 01 Aug 01 00:26:47 -- 01 Aug 01 00:28:45 # count 2
217.89.69.90. 01 Aug 01 02:05:47 -- 01 Aug 01 02:11:13 # count 2
Times are UTC: first packet seen -- last packet seen.
count is number of local addresses probed.

No real evidence of a resurrection there...

Does anyone know what probe rate to expect on a /16 address space from
a single infected address? (I know it will vary with bandwidth
available.)

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
Received on Aug 01 2001
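
The single-SYN tally described in the reply above, as an added example that is not part of the original post: it groups port-80 packets into sessions, keeps the sessions that never got past a SYN, and reports first seen, last seen and the number of local addresses probed per source. The record format, function names and sample packets (documentation address ranges) are constructed for illustration, and treating a retransmitted SYN as the same session is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: "epoch src sport dst dport tcp_flags", one packet per line.
SAMPLE = """\
996624658 198.51.100.7 1025 192.0.2.10 80 S
996624700 198.51.100.7 1026 192.0.2.11 80 S
996630197 198.51.100.7 1027 192.0.2.12 80 S
996625000 203.0.113.5 4000 192.0.2.10 80 S
996625001 203.0.113.5 4000 192.0.2.10 80 A
996625002 203.0.113.5 4000 192.0.2.10 80 PA
996626000 203.0.113.9 5000 192.0.2.20 80 S
996626100 203.0.113.9 5001 192.0.2.20 22 S
"""

def lone_syn_summary(text, port=80):
    """Per source: first/last time and local addresses that saw only a SYN."""
    sessions = defaultdict(list)  # (src, sport, dst, dport) -> [(time, flags)]
    for line in text.splitlines():
        ts, src, sport, dst, dport, flags = line.split()
        if int(dport) == port:
            sessions[(src, sport, dst, dport)].append((int(ts), flags))
    per_src = {}
    for (src, _, dst, _), pkts in sessions.items():
        # Assumption: retransmitted SYNs on one 4-tuple are still one lone-SYN session.
        if any(flags != "S" for _, flags in pkts):
            continue  # the session progressed past the initial SYN
        times = [ts for ts, _ in pkts]
        rec = per_src.setdefault(
            src, {"first": min(times), "last": max(times), "targets": set()})
        rec["first"] = min(rec["first"], min(times))
        rec["last"] = max(rec["last"], max(times))
        rec["targets"].add(dst)
    return per_src

def report(per_src):
    """Render the summary in the same layout as the listing in the post."""
    def fmt(t):
        return datetime.fromtimestamp(t, timezone.utc).strftime("%d %b %y %H:%M:%S")
    lines = [f"{len(per_src)} # total unique source IP address"]
    for src, r in sorted(per_src.items(), key=lambda kv: -len(kv[1]["targets"])):
        lines.append(f"{src} {fmt(r['first'])} -- {fmt(r['last'])}"
                     f" # count {len(r['targets'])}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(lone_syn_summary(SAMPLE))))
```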