On Wed, Aug 01, 2001 at 09:28:49PM +0100, Stephen J. Wilcox wrote: On Wed, 1 Aug 2001, Steven M. Bellovin wrote:

I ran a little script on the totals reported by www.incidents.org, calculating the ratio between successive samples. (The latest graph I could find, as of 1615 EDT, ended at 1400 EDT.) There was a period of steady exponential growth in there, but it seems to be tailing off. That's consistent with another report posted here.

Does anyone have any theories as to why its tailing, are the thousands of vulnerable machines being patched all of a sudden? If not then why is traffic decreasing so fast when the worm just keeps searching? same reason diseases tail off when they run out of hosts to infect? also note we learned we should have used a larger bucket, 1 minute is too small since 198,500 unique hosts appeared in two adjacent 1-minute buckets from data this am. don't reckon it's gonna get to the 359,000 level it reached on the 19th, since a lot of folks have patched (though not all, and we're still watching that as well) the news coverage did have some effect. (at least it was on all local news channels in san diego for 2 days.) folks were asking about caida's methodology; it's essentially what i posted last week when david did his first analysis http://www.caida.org/analysis/security/code-red/ the bad news is our monitor-workaround is having problems (loss) so http://www.caida.org/analysis/security/code-red/aug1-live-hosts.gif got really noisy a real solution is going to take a bit longer, sorry. sigh, so measurement is harder than it looks. (oh wait, we knew that..) k