in the last few months since i most recently cleared out the database, my test network (a defunct /16) has received 3.8M http transactions containing 460K distinct worm bodies sent from 137K source addresses.
the top 8, by quantity, are:
     srcaddr     | count  |        first        |        last
-----------------+--------+---------------------+---------------------
 61.137.107.137  | 300772 | 2002-11-05 13:29:26 | 2002-11-14 03:19:42
 210.82.7.205    |  72755 | 2002-11-13 14:12:00 | 2002-11-14 11:23:07
 210.12.30.12    |  32450 | 2002-11-01 08:34:09 | 2002-11-01 09:04:10
 24.193.82.174   |  31996 | 2002-10-30 11:56:58 | 2002-10-30 13:07:11
 131.204.108.181 |  22524 | 2002-11-18 17:33:04 | 2002-11-18 18:05:13
 24.76.78.204    |  22305 | 2002-10-30 12:13:39 | 2002-10-30 13:26:52
 80.11.57.19     |  11379 | 2002-11-01 09:34:01 | 2002-11-01 10:49:20
 63.142.226.235  |  10178 | 2002-11-08 12:51:44 | 2002-11-08 13:42:06
if you see one of your own up there, please put your hands on some lineman's shears and Do The Right Thing.
Which signature database do you use to match these, or do you just log the 404's?
Pete
----- Original Message -----
From: "Paul Vixie" <paul@vix.com>
To: <nanog@merit.edu>
Sent: Monday, November 18, 2002 11:31 PM
Subject: some of these are worse than others
in the last few months since i most recently cleared out the database, my test network (a defunct /16) has received 3.8M http transactions containing 460K distinct worm bodies sent from 137K source addresses.
the top 8, by quantity, are:
     srcaddr     | count  |        first        |        last
-----------------+--------+---------------------+---------------------
 61.137.107.137  | 300772 | 2002-11-05 13:29:26 | 2002-11-14 03:19:42
 210.82.7.205    |  72755 | 2002-11-13 14:12:00 | 2002-11-14 11:23:07
 210.12.30.12    |  32450 | 2002-11-01 08:34:09 | 2002-11-01 09:04:10
 24.193.82.174   |  31996 | 2002-10-30 11:56:58 | 2002-10-30 13:07:11
 131.204.108.181 |  22524 | 2002-11-18 17:33:04 | 2002-11-18 18:05:13
 24.76.78.204    |  22305 | 2002-10-30 12:13:39 | 2002-10-30 13:26:52
 80.11.57.19     |  11379 | 2002-11-01 09:34:01 | 2002-11-01 10:49:20
 63.142.226.235  |  10178 | 2002-11-08 12:51:44 | 2002-11-08 13:42:06
if you see one of your own up there, please put your hands on some lineman's shears and Do The Right Thing.
If you don't mind partitioning yourself, 80.49% (the top 3) of these come from a subset of APNIC space ... Understand, Paul, I'm not advocating you partitioning yourself, given what you do. It's just an interesting data point.
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Paul Vixie
Sent: Monday, November 18, 2002 4:31 PM
To: nanog@merit.edu
Subject: some of these are worse than others
in the last few months since i most recently cleared out the database, my test network (a defunct /16) has received 3.8M http transactions containing 460K distinct worm bodies sent from 137K source addresses.
the top 8, by quantity, are:
     srcaddr     | count  |        first        |        last
-----------------+--------+---------------------+---------------------
 61.137.107.137  | 300772 | 2002-11-05 13:29:26 | 2002-11-14 03:19:42
 210.82.7.205    |  72755 | 2002-11-13 14:12:00 | 2002-11-14 11:23:07
 210.12.30.12    |  32450 | 2002-11-01 08:34:09 | 2002-11-01 09:04:10
 24.193.82.174   |  31996 | 2002-10-30 11:56:58 | 2002-10-30 13:07:11
 131.204.108.181 |  22524 | 2002-11-18 17:33:04 | 2002-11-18 18:05:13
 24.76.78.204    |  22305 | 2002-10-30 12:13:39 | 2002-10-30 13:26:52
 80.11.57.19     |  11379 | 2002-11-01 09:34:01 | 2002-11-01 10:49:20
 63.142.226.235  |  10178 | 2002-11-08 12:51:44 | 2002-11-08 13:42:06
if you see one of your own up there, please put your hands on some lineman's shears and Do The Right Thing.
participants (3)
- Eric Germann
- Paul Vixie
- Petri Helenius