[ On Wednesday, August 1, 2001 at 22:35:46 (-0400), Steven M. Bellovin wrote: ]
Subject: Re: Code Red growth stats
Fascinating; thanks. SANS hasn't updated their plots lately, so I can't compare. Anyone else with any data to post? (On the other hand -- any chance that the dip recorded at CAIDA is due to the measurement problems?)
I've only a /24 to compare with, and only about four active web servers in that network, but I too saw a lull in scans between 17:47 EDT and 20:10 EDT, however there've been five more since at fairly regular intervals.

(the above in-addr.arpa results are not verified....)

That's still not quite as many as I saw on the first go-around. Since I've not previously posted anything about the first event here are my logs from one of my web servers from that time too:
If it has indeed turned up again, I'm at a loss to explain it. While I'm sure there are some IIS servers on home machines, I doubt there are that many. But I don't have another explanation to offer.
Home machines being powered on (or connected) in other timezones as people return home from work/school, etc.?

-- 
Greg A. Woods

+1 416 218-0098 VE3TCP <gwoods@acm.org> <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>