Code Red growth stats

Greg A. Woods woods at weird.com
Thu Aug 2 02:00:38 UTC 2001


[ On Wednesday, August 1, 2001 at 22:35:46 (-0400), Steven M. Bellovin wrote: ]
> Subject: Re: Code Red growth stats 
>
> Fascinating; thanks.  SANS hasn't updated their plots lately, so I 
> can't compare.  Anyone else with any data to post?  (On the other hand 
> -- any chance that the dip recorded at CAIDA is due to the measurement 
> problems?)

I've only a /24 to compare with, and only about four active web servers
in that network, but I too saw a lull in scans between 17:47 EDT and
20:10 EDT; however, there've been five more since at fairly regular
intervals.

01/Aug/2001:07:47:00   211.100.16.141
01/Aug/2001:11:13:32   dhcp065-025-142-096.columbus.rr.com
01/Aug/2001:11:36:28   211.104.130.97
01/Aug/2001:11:37:48   h216-170-041-250.adsl.navix.net
01/Aug/2001:12:26:46   195.146.34.114
01/Aug/2001:14:22:19   211.116.199.60
01/Aug/2001:15:37:05   a010-0101.appl.splitrock.net
01/Aug/2001:16:30:27   dial-208.51.228.48.northnet.org
01/Aug/2001:17:21:15   211.214.203.235
01/Aug/2001:17:47:33   ip-208-181-104-133.adsl.radiant.net
01/Aug/2001:20:10:17   caerang03.cie.hallym.ac.kr
01/Aug/2001:20:18:59   209.211.131.148
01/Aug/2001:20:40:27   61.163.79.74
01/Aug/2001:20:49:19   nas3-099.ras.mcy.cantv.net
01/Aug/2001:21:03:58   61.151.228.177

(the above in-addr.arpa results are not verified....)

That's still not quite as many as I saw on the first go-around.  Since
I've not previously posted anything about the first event, here are my
logs from one of my web servers from that time too:

19/Jul/2001:10:37:39   216.79.3.41
19/Jul/2001:11:22:53   209.92.42.120
19/Jul/2001:12:37:11   134.192.24.73
19/Jul/2001:12:43:12   213.255.49.180
19/Jul/2001:12:49:58   205.162.159.96
19/Jul/2001:13:13:45   24.147.51.243
19/Jul/2001:13:49:44   64.132.84.30
19/Jul/2001:14:28:57   199.203.240.11
19/Jul/2001:14:40:26   24.168.204.41
19/Jul/2001:15:18:18   62.161.216.70
19/Jul/2001:15:32:18   136.142.118.80
19/Jul/2001:16:14:37   202.129.210.253
19/Jul/2001:16:15:49   192.38.48.20
19/Jul/2001:16:16:45   216.148.71.91
19/Jul/2001:16:37:12   64.67.218.130
19/Jul/2001:16:39:44   202.102.193.234
19/Jul/2001:16:40:21   64.14.215.217
19/Jul/2001:16:47:19   216.94.148.40
19/Jul/2001:17:18:35   209.217.62.130
19/Jul/2001:18:14:18   66.89.37.10
19/Jul/2001:18:17:22   66.20.182.70
19/Jul/2001:18:38:00   211.250.146.1
19/Jul/2001:18:46:27   213.56.240.94
19/Jul/2001:19:01:13   61.222.36.68
19/Jul/2001:19:09:25   204.254.123.50
19/Jul/2001:19:45:26   24.177.242.76
21/Jul/2001:20:20:43   211.255.252.190

> If it has indeed turned up again, I'm at a loss to explain it.  While 
> I'm sure there are some IIS servers on home machines, I doubt there are 
> that many.  But I don't have another explanation to offer.

Home machines being powered on (or connected) in other timezones as
people return home from work/school, etc.?

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods at acm.org>     <woods at robohack.ca>
Planix, Inc. <woods at planix.com>;   Secrets of the Weird <woods at weird.com>
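
Added example, not part of the original message: a small Python script that finds the widest gap between consecutive scan hits in a "timestamp source" log of the layout shown above and counts the hits that followed it. The timestamps follow the tail of the 1 August list; the source addresses are constructed documentation-range placeholders, and the function names are hypothetical.

```python
from datetime import datetime

FMT = "%d/%b/%Y:%H:%M:%S"  # timestamp layout used in the log excerpts above

# Constructed sample: timestamps from the end of the 1 Aug list, sources replaced
# with documentation addresses, plus one junk line to exercise the skip path.
SAMPLE = """\
01/Aug/2001:16:30:27   192.0.2.10
01/Aug/2001:17:21:15   192.0.2.11
01/Aug/2001:17:47:33   198.51.100.7
-- constructed malformed line --
01/Aug/2001:20:10:17   198.51.100.8
01/Aug/2001:20:18:59   203.0.113.21
01/Aug/2001:20:40:27   203.0.113.22
01/Aug/2001:20:49:19   203.0.113.23
01/Aug/2001:21:03:58   203.0.113.24
"""

def parse(text):
    """Return time-sorted (timestamp, source) pairs; skip lines that do not parse."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            events.append((datetime.strptime(parts[0], FMT), parts[1]))
        except ValueError:
            continue
    return sorted(events)

def longest_lull(events):
    """Return (start, end, gap) for the widest interval between consecutive hits."""
    if len(events) < 2:
        return None
    prev, nxt = max(zip(events, events[1:]), key=lambda p: p[1][0] - p[0][0])
    return prev[0], nxt[0], nxt[0] - prev[0]

def hits_from(events, moment):
    """Count hits at or after the given moment (e.g. the end of a lull)."""
    return sum(1 for ts, _ in events if ts >= moment)

if __name__ == "__main__":
    ev = parse(SAMPLE)
    start, end, gap = longest_lull(ev)
    print(f"lull {start:%H:%M:%S} -> {end:%H:%M:%S} ({gap}); {hits_from(ev, end)} hits since")
```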


