While they don't say, the "number of infected hosts" graph makes me assume that they're counting unique IP addresses that tried to hit them. As I said, my numbers are consistent with others posted here. And I've gotten private mail about another, similar observation -- Code Red, Round 2, appears to have peaked a few hours ago. --Steve Bellovin, http://www.research.att.com/~smb hmm, not sure about that, smb. albeit crippled caida monitor (we're working on it), it does seem to have reversed slope again: http://www.caida.org/analysis/security/code-red/aug1-live-hosts.gif bunch of fascinating comparative data too, like the number of internal addresses that were infected during each attaack: Code-Red infected hosts with reserved IP addresses (attack 1) 10.0.0.0/8: 203 172.16.0.0/12 70 192.168.0.0/16 177 Code-Red infected hosts with reserved IP addresses (attack 2) 10.0.0.0/8: 0 172.16.0.0/12 6 192.168.0.0/16 0 (nevermind that we shouldn't see such addresses in the first place, we all know that's a myth -- but whoever is using them either fixed their nat configs this time or patched..) about .5GB/hour of data, we gonna be outta disk by morning, wow, we've hit every measurement snag possible today, elves are all beyond exhausted... per-AS stats still processing, haven't started a geographic analysis of this attack yet (we'd like to see which states/countries had highest patch rate, not that geography matters in the least, that much has been demonstrated....) k