(david moore with help from a bunch of elves)

http://www.caida.org/analysis/security/code-red/aug1-live-hosts.gif

was exponential till about an hour ago, we're not sure if leveling off is due to our monitor load or an actual peak in the data.

log-scale version
http://www.caida.org/analysis/security/code-red/aug1-live-hosts-log.gif

will put on main caida home page later today and update every minute (you'll have to hit reload, and you won't actually notice changes at a minute granularity so please no per-minute cron jobs to reload :) )

note the corresponding graph for 19-20 july:
http://www.caida.org/analysis/security/code-red/gifs/cumulative-ts.log.gif

no per AS stats for this outbreak yet, also under construction.

At 12:44 PM 8/1/2001, k claffy wrote:
> no per AS stats for this outbreak yet, also under construction.

I hadn't seen this behavior before... every 5 minutes, starting at 12:57PM EDT, a host at e0.filt2.knox.tn.ena.net is performing the probe...

12:57:01 -0400
13:01:56 -0400
13:06:53 -0400
13:11:50 -0400
13:16:47 -0400

and now it's stopped.

In every previous case, a host has hit the machine I'm looking at one time and then never been heard from again.

The possibility exists that this is a firewall of some sort, and multiple machines behind it are probing.... Or possibly multiple instances of CodeRed are running on this machine...

These two possibilities seem most likely... but it does bring this interesting thought to mind... has a variant been introduced that tries for half an hour to probe the same host?
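
The repeat-probe observation in the message above can be checked mechanically across a whole probe log. The following is an added example, not code from either poster or from CAIDA: it groups probes by source and reports the spacing between hits. The log line format, the function names and the 192.0.2.x one-off sources are assumptions; the five timestamps for the repeating host are the ones quoted in the message.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample, one probe per line: "<date> <time> <utc offset> <source>".
# Only the five e0.filt2... timestamps come from the message; the rest is invented.
SAMPLE_LOG = """\
2001-08-01 12:41:10 -0400 192.0.2.17
2001-08-01 12:57:01 -0400 e0.filt2.knox.tn.ena.net
2001-08-01 12:59:30 -0400 192.0.2.88
2001-08-01 13:01:56 -0400 e0.filt2.knox.tn.ena.net
2001-08-01 13:06:53 -0400 e0.filt2.knox.tn.ena.net
this line is malformed and is skipped
2001-08-01 13:11:50 -0400 e0.filt2.knox.tn.ena.net
2001-08-01 13:16:47 -0400 e0.filt2.knox.tn.ena.net
"""

def probe_times(lines):
    """Map each source to the list of timestamps at which it probed."""
    by_source = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # not a probe record in the assumed format
        date, clock, offset, source = parts
        try:
            ts = datetime.strptime(f"{date} {clock} {offset}", "%Y-%m-%d %H:%M:%S %z")
        except ValueError:
            continue  # unparseable timestamp
        by_source[source].append(ts)
    return by_source

def repeat_probers(lines, min_hits=3, jitter=10):
    """Sources seen at least min_hits times, with the gaps between hits in seconds.

    'periodic' is True when all gaps agree to within `jitter` seconds.
    """
    report = {}
    for source, stamps in probe_times(lines).items():
        if len(stamps) < min_hits:
            continue  # the usual case: one hit, never heard from again
        stamps.sort()
        gaps = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
        report[source] = {"hits": len(stamps), "gaps": gaps,
                          "periodic": max(gaps) - min(gaps) <= jitter}
    return report

if __name__ == "__main__":
    for src, info in repeat_probers(SAMPLE_LOG.splitlines()).items():
        print(src, info)
```

The report shows only that a source repeats and how regularly; it does not separate several hosts behind one address from a single host probing repeatedly.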

participants (2)
- Dave Stewart
- k claffy