Which signature database do you use to match these, or do you just log the 404's?

Pete

----- Original Message -----
From: "Paul Vixie" <paul@vix.com>
To: <nanog@merit.edu>
Sent: Monday, November 18, 2002 11:31 PM
Subject: some of these are worse than others

in the last few months since i most recently cleared out the database, my test network (a defunct /16) has received 3.8M http transactions containing 460K distinct worm bodies sent from 137K source addresses.
the top 8, by quantity, are:

     srcaddr     | count  |        first        |        last
-----------------+--------+---------------------+---------------------
 61.137.107.137  | 300772 | 2002-11-05 13:29:26 | 2002-11-14 03:19:42
 210.82.7.205    |  72755 | 2002-11-13 14:12:00 | 2002-11-14 11:23:07
 210.12.30.12    |  32450 | 2002-11-01 08:34:09 | 2002-11-01 09:04:10
 24.193.82.174   |  31996 | 2002-10-30 11:56:58 | 2002-10-30 13:07:11
 131.204.108.181 |  22524 | 2002-11-18 17:33:04 | 2002-11-18 18:05:13
 24.76.78.204    |  22305 | 2002-10-30 12:13:39 | 2002-10-30 13:26:52
 80.11.57.19     |  11379 | 2002-11-01 09:34:01 | 2002-11-01 10:49:20
 63.142.226.235  |  10178 | 2002-11-08 12:51:44 | 2002-11-08 13:42:06

if you see one of your own up there, please put your hands on some lineman's shears and Do The Right Thing.