Re: CodeRed Activity

From: Stuart Staniford (stuart@silicondefense.com)
Date: 08/01/01


Message-ID: <3B6835AF.A3C0F1CF@silicondefense.com>
Date: Wed, 01 Aug 2001 10:00:31 -0700
From: Stuart Staniford <stuart@silicondefense.com>
To: dave.goldsmith@intelsat.com
Subject: Re: CodeRed Activity

I just did a quick fit of the same analytic growth model I used last time to
this data that Dave Goldsmith posted to Incidents. Last time around CRv2 had a
spread rate in the region of 1.6-1.8 hosts per hour. This time it's around 0.75
hosts per hour (confirming Dave's eyeball estimate). That is, an average
infected host is able to find 0.75 new hosts to infect per hour (near the
beginning of the infection, before saturation starts to set in). So it's
spreading significantly slower this time (though still much faster than CRv1
spread).

Assuming it's the CRv2 code again, that suggests that there are roughly 45% as
many vulnerable hosts as there were last time. It's going to be as fully
saturated as it gets early this afternoon.

Stuart.

dave.goldsmith@intelsat.com wrote:
>
> Included is updated information on probable CodeRed activity seen at my
> site. The traffic seems to be increasing by about 75% each hour. I will be
> filling in the table breaking down the probing systems later today.
>
> Dave Goldsmith
>
>      Hour ||  Total   Unique || Private     IIS  Other Web  Non-Web        No
> Date (EST)|| Probes  Sources || Address  Server     Server   Server  Response
> ==========++=================++==============================================
> 0731 2000 ||     92       17 ||       3       8          1        3         2
> 0731 2100 ||     74       20 ||       3      13          0        2         2
> 0731 2200 ||    154       45 ||       1      25          0        8        11
> 0731 2300 ||    239       73 ||
> 0801 0000 ||    345       97 ||
> 0801 0100 ||    693      183 ||
> 0801 0200 ||   1139      324 ||
> 0801 0300 ||   2463      644 ||
> 0801 0400 ||   4271     1112 ||
> 0801 0500 ||   7327     1950 ||
> 0801 0600 ||  13085     3414 ||
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

-- 
Stuart Staniford     ---     President     ---     Silicon Defense
         ** Silicon Defense: Technical Support for Snort **
mailto:stuart@silicondefense.com  http://www.silicondefense.com/
(707) 445-4355 x 16                           (707) 445-4222 (FAX)
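
An added worked example, not part of the original message and not Stuart Staniford's model (the message does not give its form): a log-linear least-squares fit of plain exponential growth to the hourly counts in the quoted table. The exponential form, the use of per-hour counts as a proxy for infected hosts, and the function names are assumptions made for this example.

```python
import math

# Hourly counts copied from the table quoted in the message
# (0731 2000 through 0801 0600 EST, one value per hour).
TOTAL_PROBES = [92, 74, 154, 239, 345, 693, 1139, 2463, 4271, 7327, 13085]
UNIQUE_SOURCES = [17, 20, 45, 73, 97, 183, 324, 644, 1112, 1950, 3414]


def fit_exponential(counts):
    """Least-squares fit of ln(count) = ln(n0) + r*t, with t in hours.

    Assumes pure exponential growth (no saturation term), which only
    holds early in an outbreak. Returns (n0, r).
    """
    if len(counts) < 2 or any(c <= 0 for c in counts):
        raise ValueError("need at least two positive counts")
    ts = range(len(counts))
    ys = [math.log(c) for c in counts]
    t_mean = sum(ts) / len(ys)
    y_mean = sum(ys) / len(ys)
    sxx = sum((t - t_mean) ** 2 for t in ts)
    sxy = sum((t - t_mean) * (y - y_mean) for t, y in zip(ts, ys))
    r = sxy / sxx
    return math.exp(y_mean - r * t_mean), r


def summarize(counts):
    """Fitted rate, hour-over-hour fractional increase, doubling time."""
    n0, r = fit_exponential(counts)
    return {
        "n0": n0,
        "rate_per_hour": r,
        "hourly_increase": math.exp(r) - 1,
        "doubling_hours": math.log(2) / r,
    }


if __name__ == "__main__":
    for name, series in (("total probes", TOTAL_PROBES),
                         ("unique sources", UNIQUE_SOURCES)):
        s = summarize(series)
        print(f"{name}: r={s['rate_per_hour']:.3f}/h, "
              f"+{s['hourly_increase']:.0%} per hour, "
              f"doubles every {s['doubling_hours']:.2f} h")
```

On these counts the fit gives an increase of a little over 70% per hour for both series, close to the hourly growth figure quoted in the thread.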
