For the past 2 weeks or so, we were averaging 1,200 probes per hour.
As of 8 or so this morning, we started averaging > 25,000 per hour!
I've noticed that at the same time, we started getting probes from our provider's space (uniquely 23 addresses there), but not our own. Until this morning, we had *0* probes from inside our provider's space.
Maybe this is the next round kicking off, looking for things to infect locally before searching the world again.
Rick
P.S. - Right now: (looks like it will be a bit over 25k this hour :)
[root /usr/local/bin]# checkcodered.bash
Code Red Log Checker
Beginning Time: 10:00:00
Ending Time: 10:32:42
Number of attacks... 31730
Number of unique addresses... 3344
-----Original Message-----
From: Daniel Senie [mailto:dts@senie.com]
Sent: Tuesday, September 18, 2001 10:26 AM
To: sigma@pair.com; nanog@merit.edu
Subject: Re: Worm probes
At 09:54 AM 9/18/01, sigma@pair.com wrote:
Has anyone else been seeing a dramatic increase in /scripts/.. NT worm probes this morning? We're seeing about 8000/second, starting around 9:15 Eastern time, to and from a wide variety of addresses.
Is CodeRed or one of its relatives scheduled to start sweeping again today? We've never seen this level of traffic related to the NT worms. Even though we don't run any NT at all, we still have to suffer :(
First ones appeared today, and so far I see 17650 attempts on just one of my servers. We don't run any Microsoft stuff either, but that doesn't keep our servers from getting hammered...
-----------------------------------------------------------------
Daniel Senie dts@senie.com
Amaranth Networks Inc. http://www.amaranth.com
On Tue, Sep 18, 2001 at 10:40:23AM -0400, Smith, Rick wrote:
For the past 2 weeks or so, we were averaging 1,200 probes per hour.
As of 8 or so this morning, we started averaging > 25,000 per hour!
I've noticed that at the same time, we started getting probes from our provider's space (uniquely 23 addresses there), but not our own. Until this morning, we had *0* probes from inside our provider's space.
Maybe this is the next round kicking off, looking for things to infect locally before searching the world again.
Similar here, most probes so far are coming from Speakeasy DSL IPs to my Speakeasy DSL servers. Haven't checked the others yet. So far about 20k probes.
Rick
P.S. - Right now: (looks like it will be a bit over 25k this hour :)
[root /usr/local/bin]# checkcodered.bash
Code Red Log Checker
Beginning Time: 10:00:00
Ending Time: 10:32:42
Number of attacks... 31730
Number of unique addresses... 3344
-----Original Message-----
From: Daniel Senie [mailto:dts@senie.com]
Sent: Tuesday, September 18, 2001 10:26 AM
To: sigma@pair.com; nanog@merit.edu
Subject: Re: Worm probes
At 09:54 AM 9/18/01, sigma@pair.com wrote:
Has anyone else been seeing a dramatic increase in /scripts/.. NT worm probes this morning? We're seeing about 8000/second, starting around 9:15 Eastern time, to and from a wide variety of addresses.
Is CodeRed or one of its relatives scheduled to start sweeping again today? We've never seen this level of traffic related to the NT worms. Even though we don't run any NT at all, we still have to suffer :(
First ones appeared today, and so far I see 17650 attempts on just one of my servers. We don't run any Microsoft stuff either, but that doesn't keep our servers from getting hammered...
-----------------------------------------------------------------
Daniel Senie dts@senie.com
Amaranth Networks Inc. http://www.amaranth.com
--
Regards, Ulf.
---------------------------------------------------------------------
Ulf Zimmermann, 1525 Pacific Ave., Alameda, CA-94501, #: 510-865-0204
On Tue, Sep 18, 2001 at 10:46:03AM -0700, Ulf Zimmermann wrote:
On Tue, Sep 18, 2001 at 10:40:23AM -0400, Smith, Rick wrote:
For the past 2 weeks or so, we were averaging 1,200 probes per hour.
As of 8 or so this morning, we started averaging > 25,000 per hour!
I've noticed that at the same time, we started getting probes from our provider's space (uniquely 23 addresses there), but not our own. Until this morning, we had *0* probes from inside our provider's space.
Maybe this is the next round kicking off, looking for things to infect locally before searching the world again.
Similar here, most probes so far are coming from Speakeasy DSL IPs to my Speakeasy DSL servers. Haven't checked the others yet. So far about 20k probes.
I think it scans your local /16
I've seen other scans from the /16 that my machines reside in.
- Jared
--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
I think it scans your local /16
I've seen other scans from the /16 that my machines reside in.
I believe it also moves up to the /8 level. The overwhelming majority of our scans correspond to the same /8 our netblocks are in, as well as the same /16 blocks.
Kevin
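The counts posted earlier in the thread (attacks, unique addresses, probes per hour) and the /16 and /8 locality observation can be reproduced from a web server access log. The following is an added example, not part of the original thread and not the checkcodered.bash script run above; the function names, the marker list, the server address 10.20.1.5 and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Common Log Format: host ident user [timestamp] "METHOD path ..."
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')
# "/scripts/.." is from the thread; "/default.ida" (Code Red) is an added assumption.
PROBE_MARKERS = ("/scripts/..", "/default.ida")

def locality(src, server):
    """Place a source address relative to the server's own /16 and /8."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return "unresolved"  # log holds a hostname, not an address
    if ip in ipaddress.ip_network(f"{server}/16", strict=False):
        return "same /16"
    if ip in ipaddress.ip_network(f"{server}/8", strict=False):
        return "same /8"
    return "elsewhere"

def summarize(lines, server):
    """Count probes, unique sources, probes per hour and source locality."""
    attacks, sources, per_hour = 0, set(), Counter()
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a Common Log Format line
        src, stamp, _method, path = m.groups()
        if not any(marker in path.lower() for marker in PROBE_MARKERS):
            continue  # ordinary request
        attacks += 1
        sources.add(src)
        per_hour[stamp[:14]] += 1  # "18/Sep/2001:10" is the date plus hour
    spread = Counter(locality(s, server) for s in sources)
    return {"attacks": attacks, "unique": len(sources),
            "per_hour": dict(per_hour), "locality": dict(spread)}

# Constructed sample log: private and documentation addresses, not real data.
SAMPLE = [
    '10.20.7.9 - - [18/Sep/2001:09:58:01 -0400] "GET /scripts/..%5c../winnt/system32/cmd.exe HTTP/1.0" 404 210',
    '10.20.7.9 - - [18/Sep/2001:10:00:03 -0400] "GET /scripts/..%5c../winnt/system32/cmd.exe HTTP/1.0" 404 210',
    '10.99.3.2 - - [18/Sep/2001:10:02:00 -0400] "GET /scripts/..%5c../winnt/system32/cmd.exe HTTP/1.0" 404 210',
    '192.0.2.44 - - [18/Sep/2001:10:03:30 -0400] "GET /default.ida?NNNN HTTP/1.0" 404 205',
    '198.51.100.8 - - [18/Sep/2001:10:04:00 -0400] "GET /index.html HTTP/1.0" 200 1043',
]

if __name__ == "__main__":
    print(summarize(SAMPLE, "10.20.1.5"))  # 10.20.1.5 is the assumed server
```

Locality is counted over unique sources rather than over requests, so one noisy neighbour does not skew the /16 and /8 share.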
participants (4)
- Jared Mauch
- sigma@pair.com
- Smith, Rick
- Ulf Zimmermann