In article <10171.223820.2348@avi.netaxs.com> smd wrote: : Fascinating; thanks. SANS hasn't updated their plots lately, so I : can't compare. Anyone else with any data to post? (On the other hand : -- any chance that the dip recorded at CAIDA is due to the measurement : problems?) : If it has indeed turned up again, I'm at a loss to explain it. While : I'm sure there are some IIS servers on home machines, I doubt there are : that many. But I don't have another explanation to offer. : --Steve Bellovin, http://www.research.att.com/~smb Data from Akamai (we are not gathering all data, so this shows size as a trend based on sampling, not absolute #): Time Hosts New Hosts/Hour 11:00 4,782 15:00 25,600 5204.5 15:33 30,921 9674.55 16:29 37,240 6770.36 17:25 43,120 6300.00 18:23 48,885 5963.79 This is ONLY for default.ida and some pieces of "classic code red" byte matching, off of hits to Akamai web servers - not just port 80 scans to unused IP space. We saw almost nothing last night/yesterday. Then today we saw it go exponential, then linear, then slow, then linear. I can't get in to get the last-few-hours data... We've noted 4-5 new worm signatures today, though. Luckily no super-duper-evil ones yet. The security and architecture elves at Akamai are owed the credit, but if I mentioned their names the security weenies would have to kill me... Avi