In message <Pine.SOL.3.93.1010801170555.4987V-100000@acns.fsu.edu>, Scott Sturs a writes:
On Wed, 1 Aug 2001, Dave Stewart wrote:
I suspect we'll see it begin to pick up a little bit... it looks like Billybob is just starting to get home from work and fire up his whizbang Windows 2000 machine, which he put IIS on so he can share kewl warez and mp3z with his leet friends...
At 1500 EDT I put a counter on one of our commodity Internet connections, looking for port 80 connects to one of our unassigned /24 subnets. Here are the results so far:
1500-1530: 682 1530-1600: 536 1600-1630: 533 1630-1700: 643
Seems to be picking up.
Maybe -- we need more data to be sure. But -- given that a lot of folks have patched systems over the last two weeks -- I suspect it's running out of "food". Look at the graph from the last go-round at http://www.cert.org/advisories/CA-2001-23.html -- it leveled off, too. (If the Worm is operating on UTC, the "stop" phase would have commenced at 2000 EDT. Even if it ran on local time, Western European machines wouldn't quiesce until 1700. The drop off starts well before that.) --Steve Bellovin, http://www.research.att.com/~smb
On Wed, 1 Aug 2001, Steven M. Bellovin wrote:
In message <Pine.SOL.3.93.1010801170555.4987V-100000@acns.fsu.edu>, Scott Sturs a writes:
On Wed, 1 Aug 2001, Dave Stewart wrote:
I suspect we'll see it begin to pick up a little bit... it looks like Billybob is just starting to get home from work and fire up his whizbang Windows 2000 machine, which he put IIS on so he can share kewl warez and mp3z with his leet friends...
At 1500 EDT I put a counter on one of our commodity Internet connections, looking for port 80 connects to one of our unassigned /24 subnets. Here are the results so far:
1500-1530: 682 1530-1600: 536 1600-1630: 533 1630-1700: 643
Seems to be picking up.
Maybe -- we need more data to be sure. But -- given that a lot of folks have patched systems over the last two weeks -- I suspect it's running out of "food". Look at the graph from the last go-round at http://www.cert.org/advisories/CA-2001-23.html -- it leveled off, too. (If the Worm is operating on UTC, the "stop" phase would have commenced at 2000 EDT. Even if it ran on local time, Western European machines wouldn't quiesce until 1700. The drop off starts well before that.)
35331 so far here (from 5120 ip's of dead space), but it definatly seems to be leveling off - graphs and data (time_t, count) here: http://mostly.pointless.net/~jasper/cr/ -- Internet Vision Internet Consultancy Tel: 020 7589 4500 60 Albert Court & Web development Fax: 020 7589 4522 Prince Consort Road vision@ivision.co.uk London SW7 2BE http://www.ivision.co.uk/
* Jasper Wallace <jasper@ivision.co.uk> [010801 16:37]:
On Wed, 1 Aug 2001, Steven M. Bellovin wrote:
In message <Pine.SOL.3.93.1010801170555.4987V-100000@acns.fsu.edu>, Scott Sturs a writes:
On Wed, 1 Aug 2001, Dave Stewart wrote:
I suspect we'll see it begin to pick up a little bit... it looks like Billybob is just starting to get home from work and fire up his whizbang Windows 2000 machine, which he put IIS on so he can share kewl warez and mp3z with his leet friends...
At 1500 EDT I put a counter on one of our commodity Internet connections, looking for port 80 connects to one of our unassigned /24 subnets. Here are the results so far:
1500-1530: 682 1530-1600: 536 1600-1630: 533 1630-1700: 643
Seems to be picking up.
Maybe -- we need more data to be sure. But -- given that a lot of folks have patched systems over the last two weeks -- I suspect it's running out of "food". Look at the graph from the last go-round at http://www.cert.org/advisories/CA-2001-23.html -- it leveled off, too. (If the Worm is operating on UTC, the "stop" phase would have commenced at 2000 EDT. Even if it ran on local time, Western European machines wouldn't quiesce until 1700. The drop off starts well before that.)
35331 so far here (from 5120 ip's of dead space), but it definatly seems to be leveling off - graphs and data (time_t, count) here:
I've got 59448 from a /18's worth of assigned/unallocated space, just since 17:30 or so CDT (UTC -0500). -- Larry Rosenman http://www.lerctr.org/~ler Phone: +1 972-414-9812 E-Mail: ler@lerctr.org US Mail: 1905 Steamboat Springs Drive, Garland, TX 75044-6749
participants (3)
-
Jasper Wallace
-
Larry Rosenman
-
Steven M. Bellovin