Fascinating; thanks. SANS hasn't updated their plots lately, so I
can't compare. Anyone else with any data to post? (On the other hand
-- any chance that the dip recorded at CAIDA is due to the measurement
problems?)
If it has indeed turned up again, I'm at a loss to explain it. While
I'm sure there are some IIS servers on home machines, I doubt there are
that many. But I don't have another explanation to offer.
--Steve Bellovin, http://www.research.att.com/~smb
[ On Wednesday, August 1, 2001 at 22:35:46 (-0400), Steven M. Bellovin wrote: ]
Subject: Re: Code Red growth stats
> Fascinating; thanks. SANS hasn't updated their plots lately, so I
> can't compare. Anyone else with any data to post? (On the other hand
> -- any chance that the dip recorded at CAIDA is due to the measurement
> problems?)
I've only a /24 to compare with, and only about four active web servers
in that network, but I too saw a lull in scans between 17:47 EDT and
20:10 EDT, however there've been five more since at fairly regular
intervals.
01/Aug/2001:07:47:00 211.100.16.141
01/Aug/2001:11:13:32 dhcp065-025-142-096.columbus.rr.com
01/Aug/2001:11:36:28 211.104.130.97
01/Aug/2001:11:37:48 h216-170-041-250.adsl.navix.net
01/Aug/2001:12:26:46 195.146.34.114
01/Aug/2001:14:22:19 211.116.199.60
01/Aug/2001:15:37:05 a010-0101.appl.splitrock.net
01/Aug/2001:16:30:27 dial-208.51.228.48.northnet.org
01/Aug/2001:17:21:15 211.214.203.235
01/Aug/2001:17:47:33 ip-208-181-104-133.adsl.radiant.net
01/Aug/2001:20:10:17 caerang03.cie.hallym.ac.kr
01/Aug/2001:20:18:59 209.211.131.148
01/Aug/2001:20:40:27 61.163.79.74
01/Aug/2001:20:49:19 nas3-099.ras.mcy.cantv.net
01/Aug/2001:21:03:58 61.151.228.177
(the above in-addr.arpa results are not verified....)
That's still not quite as many as I saw on the first go-around. Since
I've not previously posted anything about the first event here are my
logs from one of my web servers from that time too:
19/Jul/2001:10:37:39 216.79.3.41
19/Jul/2001:11:22:53 209.92.42.120
19/Jul/2001:12:37:11 134.192.24.73
19/Jul/2001:12:43:12 213.255.49.180
19/Jul/2001:12:49:58 205.162.159.96
19/Jul/2001:13:13:45 24.147.51.243
19/Jul/2001:13:49:44 64.132.84.30
19/Jul/2001:14:28:57 199.203.240.11
19/Jul/2001:14:40:26 24.168.204.41
19/Jul/2001:15:18:18 62.161.216.70
19/Jul/2001:15:32:18 136.142.118.80
19/Jul/2001:16:14:37 202.129.210.253
19/Jul/2001:16:15:49 192.38.48.20
19/Jul/2001:16:16:45 216.148.71.91
19/Jul/2001:16:37:12 64.67.218.130
19/Jul/2001:16:39:44 202.102.193.234
19/Jul/2001:16:40:21 64.14.215.217
19/Jul/2001:16:47:19 216.94.148.40
19/Jul/2001:17:18:35 209.217.62.130
19/Jul/2001:18:14:18 66.89.37.10
19/Jul/2001:18:17:22 66.20.182.70
19/Jul/2001:18:38:00 211.250.146.1
19/Jul/2001:18:46:27 213.56.240.94
19/Jul/2001:19:01:13 61.222.36.68
19/Jul/2001:19:09:25 204.254.123.50
19/Jul/2001:19:45:26 24.177.242.76
21/Jul/2001:20:20:43 211.255.252.190
> If it has indeed turned up again, I'm at a loss to explain it. While
> I'm sure there are some IIS servers on home machines, I doubt there are
> that many. But I don't have another explanation to offer.
Home machines being powered on (or connected) in other timezones as
people return home from work/school, etc.?
I'd bet there are way more than we think:
ac96a2b4.ipt.aol.com - - [01/Aug/2001:20:37:10 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 323 "-" "-"
I monitored a couple web servers for probes today... out of a good 20 or so probes, only 1 looked like a legitimate server. I don't have the data here to do a complete analysis, but the single largest group of infected machines were behind ADSL. Cable and dialup (!) were also well-represented.
It looks like a lot of servers got patched (given an equal number of average servers and average home connections, I'd expect more probes from the servers due to home connections usually having crippled upstreams), but now we're down mostly home machines, which much of the press coverage said were not a problem.
I also noticed probes dropped off suddenly after about 4:30pm EDT (2030 GMT). It went from about 5 per hour to one the rest of the evening. Gratuitous arping dropped off about that time as well.
These observations are only valid to about 8pm or so... got bored and went home. -rt
> Fascinating; thanks. SANS hasn't updated their plots lately, so I
> can't compare. Anyone else with any data to post? (On the other hand
> -- any chance that the dip recorded at CAIDA is due to the measurement
> problems?)
Different problems; I don't think so.
Graph of patch rate (we haven't plotted tonight's numbers yet)
http://worm-security-survey.caida.org/patching.gif
suggests that the news coverage did have a slight positive
effect on patch rate
also by AS and per country as of 20:00 GMT
http://worm-security-survey.caida.org/AS_summary.txt
> If it has indeed turned up again, I'm at a loss to explain it. While
> I'm sure there are some IIS servers on home machines, I doubt there are
> that many. But I don't have another explanation to offer.
other possibilities
-- college students going home to start up their web servers?
-- windows servers whose MCSE's rebooted them,
and then went home at 5, believing it fixed...
but just getting reinfected? (-sfd suggestion)
we could do the AS_summary for hosts infected _after_
the increase re-started, and see if it's strongly
disproportionate to hosts behind certain type of providers
haven't done yet
Indeed. I've seen 1215 probes since the start of August, and a rough glance shows something like 30% or more are dialups, cable modems and DSL lines. Better than 50% appear to be addresses without INADDR.
I've written a script that produces a file of the addresses or INADDR names that appear in the probes to our web servers. We run Apache, and so are only affected insofar as there's extra load. If there's interest, I could make the resultant file available for web download, and set it up to run daily.
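As an added example (not the poster's script, and not code from anyone in the thread), here is a Python sketch of the kind of log pass described above and in the earlier /24 report: it reads Apache combined-format lines, keeps only requests for /default.ida (the path in the probe quoted earlier in the thread), tallies probes per hour so a lull or drop-off is visible, and sorts sources by whether they have a PTR name and whether that name looks like a dial-up, DSL or cable address. The sample log lines, the hostname keyword list and the class names are constructed assumptions; PTR names only appear in the log if Apache was run with HostnameLookups on or the addresses were resolved afterwards.

```python
"""Tally Code Red probes in an Apache combined-format access log.

Added example; the keyword heuristics for consumer connections are
assumptions, not an authoritative list.
"""
import re
from collections import Counter
from datetime import datetime

# Apache combined format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Assumed substrings that suggest a dial-up, DSL or cable customer name.
CONSUMER_HINTS = ("dial", "dsl", "cable", "dhcp", "ppp", "pool", "rr.com", "aol.com")

# Constructed sample lines. The first is shaped like the probe quoted in the
# thread, with the long NNNN... padding shortened; the last is ordinary traffic.
SAMPLE_LOG = """\
ac96a2b4.ipt.aol.com - - [01/Aug/2001:20:37:10 -0400] "GET /default.ida?NNNNNNNN%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 400 323 "-" "-"
dhcp065-025-142-096.columbus.rr.com - - [01/Aug/2001:11:13:32 -0400] "GET /default.ida?NNNN%u9090=a HTTP/1.0" 404 200 "-" "-"
211.104.130.97 - - [01/Aug/2001:11:36:28 -0400] "GET /default.ida?NNNN%u9090=a HTTP/1.0" 404 200 "-" "-"
h216-170-041-250.adsl.navix.net - - [01/Aug/2001:11:37:48 -0400] "GET /default.ida?NNNN%u9090=a HTTP/1.0" 404 200 "-" "-"
dial-208.51.228.48.northnet.org - - [01/Aug/2001:16:30:27 -0400] "GET /default.ida?NNNN%u9090=a HTTP/1.0" 404 200 "-" "-"
192.0.2.10 - - [01/Aug/2001:16:31:00 -0400] "GET /index.html HTTP/1.0" 200 1024 "-" "Mozilla/4.0"
"""


def parse_line(line):
    """Return a dict with host, timestamp (aware datetime) and request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"host": m.group("host"), "ts": ts, "req": m.group("req")}


def is_probe(req):
    """True if the request line asks for /default.ida, the Code Red target."""
    parts = req.split()
    if len(parts) < 2:
        return False
    path = parts[1].split("?", 1)[0]
    return path.lower() == "/default.ida"


def classify(host):
    """'no-ptr' for bare addresses, 'consumer' for dial/DSL/cable-looking names."""
    if IPV4_RE.match(host):
        return "no-ptr"
    name = host.lower()
    return "consumer" if any(h in name for h in CONSUMER_HINTS) else "other"


def summarize(log_text):
    """Count probes, bucket them per hour, classify sources, list unique sources."""
    total, by_class, per_hour, sources = 0, Counter(), Counter(), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_probe(rec["req"]):
            continue
        total += 1
        by_class[classify(rec["host"])] += 1
        per_hour[rec["ts"].strftime("%d/%b/%Y %H:00")] += 1
        sources.add(rec["host"])
    return {
        "total": total,
        "by_class": dict(by_class),
        "per_hour": dict(per_hour),
        "sources": sorted(sources),
    }


def main():
    s = summarize(SAMPLE_LOG)
    print(f"{s['total']} probes from {len(s['sources'])} sources")
    for hour, n in sorted(s["per_hour"].items()):
        print(f"  {hour}  {n}")
    print("  by class:", s["by_class"])
    # The sorted source list is what a daily-published file would contain.
    for src in s["sources"]:
        print("  ", src)


if __name__ == "__main__":
    main()
```

Feeding a real access log through `summarize` gives the same three things the thread's observers are comparing by hand: the hourly count (to spot a lull), the share of sources with no PTR, and the share whose names suggest consumer connections.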
For what it's worth, the "wake-up" of previously sleeping worm
threads may be a contributing factor. In lab tests, a wake-up
happens at variable times, measured in hours, after midnight UTC
with all three versions we have tested (the system clock is not
checked during lengthy sleep() calls).
At the moment of wake-up, the rate of scanning (in a vacuum)
is around 160 hosts/hour. The scanning rate on a host infected
during the scanning time of the month is over 50,000 hosts/hour
(again, in a vacuum). The difference is the number of threads
actively scanning; it would appear not all threads wake up at
the same time.
So, over time, the rate of scanning and the scope of address
coverage should increase even if the true number of infected
hosts does not. There will be a point where everything that's
going to wake up has woken up, but I don't know where that
point is.
Kevin