Code Red growth stats

I ran a little script on the totals reported by www.incidents.org,
calculating the ratio between successive samples. (The latest graph I
could find, as of 1615 EDT, ended at 1400 EDT.) There was a period of
steady exponential growth in there, but it seems to be tailing off.
That's consistent with another report posted here.

2.06579
1.6051
1.96429
1.80404
1.78163
1.81081
1.66331
1.67091
1.6844
1.63127
1.4773
1.29124
1.15538

    --Steve Bellovin

Does anyone have any theories as to why it's tailing off? Are the thousands of
vulnerable machines being patched all of a sudden? If not, then why is
traffic decreasing so fast when the worm just keeps searching?

Steve

I suspect we'll see it begin to pick up a little bit... it looks like Billybob is just starting to get home from work and fire up his whizbang Windows 2000 machine, which he put IIS on so he can share kewl warez and mp3z with his leet friends...

I'm seeing more probes from Roadrunner and @Home hosts in the last little while.

Hello,

Over the course of the last 1.5 hours there have been some hits from @Home, but
almost all the others are not US, while before most were within the US.

Michael...

At 1500 EDT I put a counter on one of our commodity Internet connections,
looking for port 80 connects to one of our unassigned /24 subnets. Here
are the results so far:

1500-1530: 682
1530-1600: 536
1600-1630: 533
1630-1700: 643

Seems to be picking up.

- SLS

I have experienced the same thing with the machines I've been responsible
for. @Home, Sprintbroadbanddirect, and a few other residential services
have made up the bulk of scanners in my log files.

Regards,

> Does anyone have any theories as to why it's tailing off? Are the thousands of
> vulnerable machines being patched all of a sudden? If not, then why is
> traffic decreasing so fast when the worm just keeps searching?
  
same reason diseases tail off when they run
out of hosts to infect?
also note we learned we should have used a larger bucket,
1 minute is too small since 198,500 unique hosts appeared
in two adjacent 1-minute buckets from data this am.

don't reckon it's gonna get to the 359,000 level
it reached on the 19th, since a lot of folks have patched
(though not all, and we're still watching that as well)

the news coverage did have some effect.
(at least it was on all local news channels
in san diego for 2 days.)

folks were asking about caida's methodology;
it's essentially what i posted last week when
david did his first analysis
http://www.caida.org/analysis/security/code-red/

the bad news is our monitor-workaround is having problems (loss) so
http://www.caida.org/analysis/security/code-red/aug1-live-hosts.gif
got really noisy

a real solution is going to take a bit longer,
sorry.

sigh, so measurement is harder than it looks.

(oh wait, we knew that..)

k
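As an added illustration (not code from any poster), the two observations above can be put side by side: Bellovin's metric, the ratio between successive cumulative totals, and the explanation that the worm tails off for the same reason an epidemic does, because it runs out of susceptible hosts. The discrete logistic SI model below is the textbook form, not a CAIDA model; the population size (100,000), the seed (100), the per-step infection rate (1.0) and the tail-off threshold are all constructed for the example, not figures from the thread. In that model the successive ratio is exactly 1 + beta*(1 - I/N): it sits near 1 + beta while almost every vulnerable host is still unpatched and uninfected, and slides toward 1 as the pool empties, which is the shape of the ratio column Bellovin posted (reproduced here as data).

```python
import math

# Bellovin's posted ratios between successive incidents.org totals (from the
# thread). The sampling interval is not stated, so no doubling time is
# derived from them here.
BELLOVIN_RATIOS = [2.06579, 1.6051, 1.96429, 1.80404, 1.78163, 1.81081,
                   1.66331, 1.67091, 1.6844, 1.63127, 1.4773, 1.29124, 1.15538]


def successive_ratios(totals):
    """Bellovin's metric: each cumulative sample divided by the one before it.
    A roughly constant ratio above 1 is exponential growth; a ratio sliding
    toward 1.0 means the count is levelling off."""
    if any(t <= 0 for t in totals):
        raise ValueError("totals must be positive")
    return [b / a for a, b in zip(totals, totals[1:])]


def doubling_times(ratios, sample_interval_hours):
    """Hours for the total to double at each observed ratio, given the time
    between samples; inf once growth has stopped."""
    return [sample_interval_hours * math.log(2) / math.log(r) if r > 1 else math.inf
            for r in ratios]


def si_epidemic(vulnerable, infected0, beta, steps):
    """Discrete logistic SI model (constructed parameters): at each step every
    infected host infects, on average, beta times the fraction of vulnerable
    hosts not yet infected. Returns the cumulative infected count after each
    step, starting with step 0. The step-to-step ratio is 1 + beta*(1 - I/N)."""
    counts = [float(infected0)]
    for _ in range(steps):
        i = counts[-1]
        counts.append(i + beta * i * (1 - i / vulnerable))
    return counts


def tail_off_index(ratios, threshold):
    """Index of the first ratio below `threshold` that is never exceeded again,
    i.e. where the tail-off becomes permanent; None if growth never tails off."""
    for k, r in enumerate(ratios):
        if r < threshold and all(x < threshold for x in ratios[k:]):
            return k
    return None


if __name__ == "__main__":
    model = successive_ratios(si_epidemic(100_000, 100, 1.0, 15))
    print("model ratios:", [round(r, 3) for r in model])
    print("model tails off at sample", tail_off_index(model, 1.5))
    print("posted ratios tail off at sample", tail_off_index(BELLOVIN_RATIOS, 1.5))
```

The model is deliberately idealised (uniform random scanning, no patching, no rate limits), so it reproduces the shape of the decline, not the timing; patching, as the post notes, shrinks the vulnerable pool and pulls the ratio toward 1 sooner than exhaustion alone would.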

heh, maybe someone can take the worm code and use it to apply the IIS
patch instead of DoS'ing the White House... :-)

-C