Code Red growth stats
Kevin Houle
kjh at cert.org
Thu Aug 2 13:13:17 UTC 2001
--On Wednesday, August 01, 2001 22:35:46 -0400 "Steven M. Bellovin" <smb at research.att.com> wrote:
> In message <20010801190627.A7553 at caida.org>, k claffy writes:
>
>> albeit crippled caida monitor (we're working on it),
>> it does seem to have reversed slope again:
>> http://www.caida.org/analysis/security/code-red/aug1-live-hosts.gif
> If it has indeed turned up again, I'm at a loss to explain it. While
> I'm sure there are some IIS servers on home machines, I doubt there are
> that many. But I don't have another explanation to offer.
For what it's worth, the "wake-up" of previously sleeping worm
threads may be a contributing factor. In lab tests, a wake-up
happens at variable times, measured in hours, after midnight UTC
with all three versions we have tested (the system clock is not
checked during lengthy sleep() calls).
At the moment of wake-up, the rate of scanning (in a vaccuum)
is around 160 hosts/hour. The scanning rate on a host infected
during the scanning time of the month is over 50,000 hosts/hour
(again, in a vaccuum). The difference being the number of threads
actively scanning; it would appear not all threads wake up at
the same time.
So, over time, the rate of scanning and the scope of address
coverage should increase even if the true number of infected
hosts does not. There will be a point where everything that's
going to wake up has woken up, but I don't know where that
point is.
Kevin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20010802/110849e0/attachment.sig>
More information about the NANOG
mailing list