--On Wednesday, August 01, 2001 22:35:46 -0400 "Steven M. Bellovin" <smb@research.att.com> wrote:
In message <20010801190627.A7553@caida.org>, k claffy writes:
albeit crippled caida monitor (we're working on it), it does seem to have reversed slope again: http://www.caida.org/analysis/security/code-red/aug1-live-hosts.gif
If it has indeed turned up again, I'm at a loss to explain it. While I'm sure there are some IIS servers on home machines, I doubt there are that many. But I don't have another explanation to offer.
For what it's worth, the "wake-up" of previously sleeping worm threads may be a contributing factor. In lab tests, a wake-up happens at variable times, measured in hours, after midnight UTC with all three versions we have tested (the system clock is not checked during lengthy sleep() calls). At the moment of wake-up, the rate of scanning (in a vaccuum) is around 160 hosts/hour. The scanning rate on a host infected during the scanning time of the month is over 50,000 hosts/hour (again, in a vaccuum). The difference being the number of threads actively scanning; it would appear not all threads wake up at the same time. So, over time, the rate of scanning and the scope of address coverage should increase even if the true number of infected hosts does not. There will be a point where everything that's going to wake up has woken up, but I don't know where that point is. Kevin