In message <20010801190627.A7553@caida.org>, k claffy writes:
hmm, not sure about that, smb.
albeit crippled caida monitor (we're working on it), it does seem to have reversed slope again: http://www.caida.org/analysis/security/code-red/aug1-live-hosts.gif
Fascinating; thanks. SANS hasn't updated their plots lately, so I can't compare. Anyone else with any data to post? (On the other hand -- any chance that the dip recorded at CAIDA is due to the measurement problems?) If it has indeed turned up again, I'm at a loss to explain it. While I'm sure there are some IIS servers on home machines, I doubt there are that many. But I don't have another explanation to offer.

--Steve Bellovin, http://www.research.att.com/~smb
[ On Wednesday, August 1, 2001 at 22:35:46 (-0400), Steven M. Bellovin wrote: ]
Subject: Re: Code Red growth stats
Fascinating; thanks. SANS hasn't updated their plots lately, so I can't compare. Anyone else with any data to post? (On the other hand -- any chance that the dip recorded at CAIDA is due to the measurement problems?)
I've only a /24 to compare with, and only about four active web servers in that network, but I too saw a lull in scans between 17:47 EDT and 20:10 EDT; however, there've been five more since at fairly regular intervals.

01/Aug/2001:07:47:00 211.100.16.141
01/Aug/2001:11:13:32 dhcp065-025-142-096.columbus.rr.com
01/Aug/2001:11:36:28 211.104.130.97
01/Aug/2001:11:37:48 h216-170-041-250.adsl.navix.net
01/Aug/2001:12:26:46 195.146.34.114
01/Aug/2001:14:22:19 211.116.199.60
01/Aug/2001:15:37:05 a010-0101.appl.splitrock.net
01/Aug/2001:16:30:27 dial-208.51.228.48.northnet.org
01/Aug/2001:17:21:15 211.214.203.235
01/Aug/2001:17:47:33 ip-208-181-104-133.adsl.radiant.net
01/Aug/2001:20:10:17 caerang03.cie.hallym.ac.kr
01/Aug/2001:20:18:59 209.211.131.148
01/Aug/2001:20:40:27 61.163.79.74
01/Aug/2001:20:49:19 nas3-099.ras.mcy.cantv.net
01/Aug/2001:21:03:58 61.151.228.177

(the above in-addr.arpa results are not verified....)

That's still not quite as many as I saw on the first go-around. Since I've not previously posted anything about the first event, here are my logs from one of my web servers from that time too:

19/Jul/2001:10:37:39 216.79.3.41
19/Jul/2001:11:22:53 209.92.42.120
19/Jul/2001:12:37:11 134.192.24.73
19/Jul/2001:12:43:12 213.255.49.180
19/Jul/2001:12:49:58 205.162.159.96
19/Jul/2001:13:13:45 24.147.51.243
19/Jul/2001:13:49:44 64.132.84.30
19/Jul/2001:14:28:57 199.203.240.11
19/Jul/2001:14:40:26 24.168.204.41
19/Jul/2001:15:18:18 62.161.216.70
19/Jul/2001:15:32:18 136.142.118.80
19/Jul/2001:16:14:37 202.129.210.253
19/Jul/2001:16:15:49 192.38.48.20
19/Jul/2001:16:16:45 216.148.71.91
19/Jul/2001:16:37:12 64.67.218.130
19/Jul/2001:16:39:44 202.102.193.234
19/Jul/2001:16:40:21 64.14.215.217
19/Jul/2001:16:47:19 216.94.148.40
19/Jul/2001:17:18:35 209.217.62.130
19/Jul/2001:18:14:18 66.89.37.10
19/Jul/2001:18:17:22 66.20.182.70
19/Jul/2001:18:38:00 211.250.146.1
19/Jul/2001:18:46:27 213.56.240.94
19/Jul/2001:19:01:13 61.222.36.68
19/Jul/2001:19:09:25 204.254.123.50
19/Jul/2001:19:45:26 24.177.242.76
21/Jul/2001:20:20:43 211.255.252.190
If it has indeed turned up again, I'm at a loss to explain it. While I'm sure there are some IIS servers on home machines, I doubt there are that many. But I don't have another explanation to offer.
Home machines being powered on (or connected) in other timezones as people return home from work/school, etc.?

-- Greg A. Woods +1 416 218-0098 VE3TCP <gwoods@acm.org> <woods@robohack.ca> Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
At 10:35 PM 8/1/2001, Steven M. Bellovin wrote:
If it has indeed turned up again, I'm at a loss to explain it. While I'm sure there are some IIS servers on home machines, I doubt there are that many. But I don't have another explanation to offer.
I'd bet there are way more than we think: ac96a2b4.ipt.aol.com - - [01/Aug/2001:20:37:10 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 323 "-" "-"
At 10:43 PM 8/1/01, Dave Stewart wrote:
At 10:35 PM 8/1/2001, Steven M. Bellovin wrote:
If it has indeed turned up again, I'm at a loss to explain it. While I'm sure there are some IIS servers on home machines, I doubt there are that many. But I don't have another explanation to offer.
I'd bet there are way more than we think:
ac96a2b4.ipt.aol.com - - [01/Aug/2001:20:37:10 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 323 "-" "-"
Indeed. I've seen 1215 probes since the start of August, and a rough glance shows something like 30% or more are dialups, cable modems and DSL lines. Better than 50% appear to be addresses without INADDR. I've written a script that produces a file of the addresses or INADDR names that appear in the probes to our web servers. We run Apache, and so are only affected insofar as there's extra load. If there's interest, I could make the resultant file available for web download, and set it up to run daily.

-----------------------------------------------------------------
Daniel Senie dts@senie.com Amaranth Networks Inc. http://www.amaranth.com
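As an added illustration of the kind of log triage being described in this thread (this is not Daniel Senie's script, nor any code from the list; it is example code written for this page), the following Python pulls the Code Red probe out of Apache combined-format access-log lines, counts probes per hour, buckets sources by what their reverse-DNS name suggests (bare address with no INADDR, consumer access line, or other), and emits the sorted list of source addresses/names. The log lines in `SAMPLE_LOG` are constructed, modelled on the probe Dave quoted with the long `NNNN...` filler shortened; the hostnames and addresses other than Dave's AOL entry are made up. The `CONSUMER_TOKENS` heuristic (substrings such as `dial`, `dsl`, `dhcp`) is an assumption about naming conventions, not a reliable classifier, and the `X` run accepted by `PROBE_RE` is for the later Code Red II variant, which is not discussed in this thread.

```python
"""Added example: extract Code Red probes from an Apache access log, count them
per hour and bucket the sources by reverse-DNS appearance.  Not from the
thread; the sample log lines below are constructed."""
import re
import sys
from collections import Counter
from datetime import datetime

# Constructed sample lines (combined log format).  The first mirrors Dave's
# quoted probe with the NNNN... filler shortened; the rest are made up.
SAMPLE_LOG = """\
ac96a2b4.ipt.aol.com - - [01/Aug/2001:20:37:10 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090=a HTTP/1.0" 400 323 "-" "-"
dhcp065-025-142-096.columbus.rr.com - - [01/Aug/2001:21:02:19 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090=a HTTP/1.0" 400 323 "-" "-"
h216-170-041-250.adsl.navix.net - - [01/Aug/2001:21:03:58 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090=a HTTP/1.0" 400 323 "-" "-"
192.0.2.77 - - [01/Aug/2001:21:12:41 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090=a HTTP/1.0" 404 210 "-" "-"
www.example.edu - - [01/Aug/2001:21:20:15 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090=a HTTP/1.0" 404 210 "-" "-"
198.51.100.9 - - [01/Aug/2001:21:25:02 -0400] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
"""

# Apache combined log: host ident user [timestamp] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# The probe seen in the thread starts "GET /default.ida?NNNN...".  The later
# Code Red II variant used a run of X instead, so both runs are accepted.
PROBE_RE = re.compile(r'^GET /default\.ida\?(?:N{4,}|X{4,})')
# Reverse-DNS fragments that usually mark consumer access lines.  Heuristic
# only (assumption); names that match none of these fall into "other".
CONSUMER_TOKENS = ('dial', 'ppp', 'dsl', 'cable', 'dhcp', 'modem', 'ras', 'ipt.aol')
IPV4_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')


def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['when'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return rec


def is_code_red_probe(request):
    """True when the request line carries the Code Red /default.ida probe."""
    return PROBE_RE.match(request) is not None


def classify_host(host):
    """'no-reverse' for a bare IPv4 literal (Apache logged no INADDR name),
    'consumer' when the name looks like a dialup/cable/DSL pool, else 'other'."""
    if IPV4_RE.match(host):
        return 'no-reverse'
    lowered = host.lower()
    if any(tok in lowered for tok in CONSUMER_TOKENS):
        return 'consumer'
    return 'other'


def summarize(log_text):
    """Collect probes and tally them per hour and per source class."""
    probes = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_code_red_probe(rec['req']):
            probes.append((rec['when'], rec['host']))
    per_hour = Counter(when.strftime('%d/%b/%Y:%H') for when, _ in probes)
    by_class = Counter(classify_host(host) for _, host in probes)
    return {'probes': probes, 'per_hour': per_hour, 'by_class': by_class}


def source_list(log_text):
    """Sorted, de-duplicated list of probe sources (addresses or INADDR names)."""
    return sorted({host for _, host in summarize(log_text)['probes']})


if __name__ == '__main__':
    # Usage: python codered_probes.py [access_log]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    report = summarize(text)
    print('probes:', len(report['probes']))
    for hour, n in sorted(report['per_hour'].items()):
        print(f'  {hour}: {n}')
    for cls, n in report['by_class'].most_common():
        print(f'  {cls}: {n}')
    print('\n'.join(source_list(text)))
```

Run against a real access log, the hourly counts are the same figure Ryan reports by eye further down the thread ("about 5 per hour", then one), and the source list is what Daniel describes publishing; the class tally is only as good as the naming heuristic, so treat it as a rough cut rather than a measurement.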
On Wednesday, August 1, 2001, at 10:35 , Steven M. Bellovin wrote:
If it has indeed turned up again, I'm at a loss to explain it. While I'm sure there are some IIS servers on home machines, I doubt there are that many. But I don't have another explanation to offer.
I monitored a couple web servers for probes today... out of a good 20 or so probes, only 1 looked like a legitimate server. I don't have the data here to do a complete analysis, but the single largest group of infected machines were behind ADSL. Cable and dialup (!) were also well-represented. It looks like a lot of servers got patched (given an equal number of average servers and average home connections, I'd expect more probes from the servers due to home connections usually having crippled upstreams), but now we're down mostly home machines, which much of the press coverage said were not a problem. I also noticed probes dropped off suddenly after about 4:30pm EDT (2030 GMT). It went from about 5 per hour to one the rest of the evening. Gratuitous arping dropped off about that time as well. These observations are only valid to about 8pm or so... got bored and went home. -rt
On Wed, Aug 01, 2001 at 10:35:46PM -0400, Steven M. Bellovin wrote:
In message <20010801190627.A7553@caida.org>, k claffy writes:
albeit crippled caida monitor (we're working on it), it does seem to have reversed slope again: http://www.caida.org/analysis/security/code-red/aug1-live-hosts.gif
Fascinating; thanks. SANS hasn't updated their plots lately, so I can't compare. Anyone else with any data to post? (On the other hand -- any chance that the dip recorded at CAIDA is due to the measurement problems?)

different problems; i don't think so.

graph of patch rate (we haven't plotted tonite's numbers yet)
http://worm-security-survey.caida.org/patching.gif
suggests that the news coverage did have a slight positive effect on patch rate

also by AS and per country as of 20:00 GMT
http://worm-security-survey.caida.org/AS_summary.txt

If it has indeed turned up again, I'm at a loss to explain it. While I'm sure there are some IIS servers on home machines, I doubt there are that many. But I don't have another explanation to offer.

other possibilities
-- college students going home to start up their web servers?
-- windows servers whose MCSE's rebooted them, and then went home at 5, believing it fixed... but just getting reinfected? (-sfd suggestion)

we could do the AS_summary for hosts infected _after_ the increase re-started, and see if it's strongly disproportionate to hosts behind certain type of providers
haven't done yet
--On Wednesday, August 01, 2001 22:35:46 -0400 "Steven M. Bellovin" <smb@research.att.com> wrote:
In message <20010801190627.A7553@caida.org>, k claffy writes:
albeit crippled caida monitor (we're working on it), it does seem to have reversed slope again: http://www.caida.org/analysis/security/code-red/aug1-live-hosts.gif
If it has indeed turned up again, I'm at a loss to explain it. While I'm sure there are some IIS servers on home machines, I doubt there are that many. But I don't have another explanation to offer.
For what it's worth, the "wake-up" of previously sleeping worm threads may be a contributing factor. In lab tests, a wake-up happens at variable times, measured in hours, after midnight UTC with all three versions we have tested (the system clock is not checked during lengthy sleep() calls). At the moment of wake-up, the rate of scanning (in a vacuum) is around 160 hosts/hour. The scanning rate on a host infected during the scanning time of the month is over 50,000 hosts/hour (again, in a vacuum). The difference being the number of threads actively scanning; it would appear not all threads wake up at the same time. So, over time, the rate of scanning and the scope of address coverage should increase even if the true number of infected hosts does not. There will be a point where everything that's going to wake up has woken up, but I don't know where that point is.

Kevin