Code Red growth stats
Greg A. Woods
woods at weird.com
Thu Aug 2 02:00:38 UTC 2001
[ On Wednesday, August 1, 2001 at 22:35:46 (-0400), Steven M. Bellovin wrote: ]
> Subject: Re: Code Red growth stats
>
> Fascinating; thanks. SANS hasn't updated their plots lately, so I
> can't compare. Anyone else with any data to post? (On the other hand
> -- any chance that the dip recorded at CAIDA is due to the measurement
> problems?)
I've only a /24 to compare with, and only about four active web servers
in that network, but I too saw a lull in scans between 17:47 EDT and
20:10 EDT; however, there've been five more since, at fairly regular
intervals.
01/Aug/2001:07:47:00 211.100.16.141
01/Aug/2001:11:13:32 dhcp065-025-142-096.columbus.rr.com
01/Aug/2001:11:36:28 211.104.130.97
01/Aug/2001:11:37:48 h216-170-041-250.adsl.navix.net
01/Aug/2001:12:26:46 195.146.34.114
01/Aug/2001:14:22:19 211.116.199.60
01/Aug/2001:15:37:05 a010-0101.appl.splitrock.net
01/Aug/2001:16:30:27 dial-208.51.228.48.northnet.org
01/Aug/2001:17:21:15 211.214.203.235
01/Aug/2001:17:47:33 ip-208-181-104-133.adsl.radiant.net
01/Aug/2001:20:10:17 caerang03.cie.hallym.ac.kr
01/Aug/2001:20:18:59 209.211.131.148
01/Aug/2001:20:40:27 61.163.79.74
01/Aug/2001:20:49:19 nas3-099.ras.mcy.cantv.net
01/Aug/2001:21:03:58 61.151.228.177
(the above in-addr.arpa results are not verified....)
That's still not quite as many as I saw on the first go-around. Since
I've not previously posted anything about the first event, here are my
logs from one of my web servers from that time too:
19/Jul/2001:10:37:39 216.79.3.41
19/Jul/2001:11:22:53 209.92.42.120
19/Jul/2001:12:37:11 134.192.24.73
19/Jul/2001:12:43:12 213.255.49.180
19/Jul/2001:12:49:58 205.162.159.96
19/Jul/2001:13:13:45 24.147.51.243
19/Jul/2001:13:49:44 64.132.84.30
19/Jul/2001:14:28:57 199.203.240.11
19/Jul/2001:14:40:26 24.168.204.41
19/Jul/2001:15:18:18 62.161.216.70
19/Jul/2001:15:32:18 136.142.118.80
19/Jul/2001:16:14:37 202.129.210.253
19/Jul/2001:16:15:49 192.38.48.20
19/Jul/2001:16:16:45 216.148.71.91
19/Jul/2001:16:37:12 64.67.218.130
19/Jul/2001:16:39:44 202.102.193.234
19/Jul/2001:16:40:21 64.14.215.217
19/Jul/2001:16:47:19 216.94.148.40
19/Jul/2001:17:18:35 209.217.62.130
19/Jul/2001:18:14:18 66.89.37.10
19/Jul/2001:18:17:22 66.20.182.70
19/Jul/2001:18:38:00 211.250.146.1
19/Jul/2001:18:46:27 213.56.240.94
19/Jul/2001:19:01:13 61.222.36.68
19/Jul/2001:19:09:25 204.254.123.50
19/Jul/2001:19:45:26 24.177.242.76
21/Jul/2001:20:20:43 211.255.252.190
> If it has indeed turned up again, I'm at a loss to explain it. While
> I'm sure there are some IIS servers on home machines, I doubt there are
> that many. But I don't have another explanation to offer.
Home machines being powered on (or connected) in other timezones as
people return home from work/school, etc.?
--
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods at acm.org> <woods at robohack.ca>
Planix, Inc. <woods at planix.com>; Secrets of the Weird <woods at weird.com>
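
Added example, not part of the original post or thread: one way to test a "timestamp source" log in the layout shown above for a lull, by flagging gaps well above the typical inter-arrival time and counting distinct sources per hour. The function names and the 3x-median threshold are assumptions, and the sample lines are constructed using documentation addresses.

```python
from datetime import datetime
from statistics import median

# Constructed sample in the post's "timestamp source" layout; addresses are
# RFC 5737 documentation ranges and example domains, not real hosts.
SAMPLE = """\
01/Aug/2001:15:30:00 192.0.2.10
01/Aug/2001:16:05:00 198.51.100.7
01/Aug/2001:16:40:00 host-a.example.net
01/Aug/2001:17:10:00 203.0.113.5
01/Aug/2001:17:45:00 192.0.2.44
01/Aug/2001:20:10:00 host-b.example.org
01/Aug/2001:20:20:00 198.51.100.90
01/Aug/2001:20:40:00 203.0.113.77
"""

def parse(text):
    """Return sorted (datetime, source) pairs; skip blank or malformed lines."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            ts = datetime.strptime(parts[0], "%d/%b/%Y:%H:%M:%S")
        except ValueError:
            continue
        hits.append((ts, parts[1]))
    return sorted(hits)

def lulls(hits, factor=3.0):
    """Gaps longer than factor x the median inter-arrival (assumed threshold)."""
    gaps = [(b[0] - a[0], a[0], b[0]) for a, b in zip(hits, hits[1:])]
    if not gaps:
        return []
    typical = median(g[0] for g in gaps)
    return [(start, end, gap) for gap, start, end in gaps if gap > factor * typical]

def hourly_counts(hits):
    """Distinct sources per clock hour: repeats from one host count once."""
    buckets = {}
    for ts, src in hits:
        buckets.setdefault(ts.replace(minute=0, second=0), set()).add(src)
    return {hour: len(srcs) for hour, srcs in sorted(buckets.items())}

if __name__ == "__main__":
    for start, end, gap in lulls(parse(SAMPLE)):
        print(f"lull of {gap} between {start} and {end}")
```

With only a handful of hits from a single /24 the median is a rough baseline, so a flagged gap is a prompt to compare against other vantage points rather than a conclusion.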