Code Red growth stats

: Fascinating; thanks. SANS hasn't updated their plots lately, so I
: can't compare. Anyone else with any data to post? (On the other hand
: -- any chance that the dip recorded at CAIDA is due to the measurement
: problems?)

: If it has indeed turned up again, I'm at a loss to explain it. While
: I'm sure there are some IIS servers on home machines, I doubt there are
: that many. But I don't have another explanation to offer.

: --Steve Bellovin, http://www.research.att.com/~smb

Data from Akamai (we are not gathering all data, so this shows size
as a trend based on sampling, not absolute #):

Time     Hosts    New Hosts/Hour
11:00     4,782
15:00    25,600   5204.5
15:33    30,921   9674.55
16:29    37,240   6770.36
17:25    43,120   6300.00
18:23    48,885   5963.79

This is ONLY for default.ida and some pieces of "classic code red"
byte matching, off of hits to Akamai web servers - not just port 80
scans to unused IP space.

We saw almost nothing last night/yesterday.

Then today we saw it go exponential, then linear, then slow, then linear.
I can't get in to get the last-few-hours data...

We've noted 4-5 new worm signatures today, though. Luckily no
super-duper-evil ones yet.

The security and architecture elves at Akamai are owed the credit, but
if I mentioned their names the security weenies would have to kill me...

Avi
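
The counting method described in the message above (hits to web servers matching default.ida, reported as sampled host totals and new hosts per hour) can be sketched as follows. This is an added example, not Akamai's code or part of the original thread; the log format, the padding-run match rule, the helper names and the sample lines are all assumptions constructed for illustration.

```python
import re
from datetime import datetime

FMT = "%d/%b/%Y:%H:%M:%S %z"
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')
# Assumption: a probe is a GET for /default.ida whose query string starts
# with a long run (100+) of one repeated padding character.
PROBE = re.compile(r'^GET /default\.ida\?(.)\1{99,}', re.I)

def probes(lines):
    """Yield (timestamp, source_ip) for each log line matching PROBE."""
    for line in lines:
        m = LINE.match(line)
        if m and PROBE.match(m.group(3)):
            yield datetime.strptime(m.group(2), FMT), m.group(1)

def growth(lines, sample_times):
    """Return [(time, cumulative unique hosts, new hosts/hour or None)]."""
    first_seen = {}
    for ts, ip in probes(lines):
        if ip not in first_seen or ts < first_seen[ip]:
            first_seen[ip] = ts
    rows, prev = [], None
    for t in sorted(sample_times):
        hosts = sum(1 for seen in first_seen.values() if seen <= t)
        rate = None
        if prev is not None:
            hours = (t - prev[0]).total_seconds() / 3600
            rate = round((hosts - prev[1]) / hours, 2)
        rows.append((t, hosts, rate))
        prev = (t, hosts)
    return rows

def at(hhmm):  # constructed date, used only for the sample data
    return datetime.strptime(f"01/Jan/2001:{hhmm}:00 +0000", FMT)

def _hit(ip, hhmm, path):
    return f'{ip} - - [01/Jan/2001:{hhmm}:00 +0000] "GET {path} HTTP/1.0" 404 -'

PAD = "/default.ida?" + "N" * 224 + "%u9090"
SAMPLE = [  # constructed log lines; addresses are documentation ranges
    _hit("192.0.2.1", "10:40", PAD), _hit("192.0.2.2", "10:55", PAD),
    _hit("192.0.2.1", "11:30", PAD),                    # repeat source
    _hit("198.51.100.7", "12:10", "/index.html"),       # ordinary traffic
    _hit("192.0.2.3", "12:15", PAD), _hit("192.0.2.4", "13:00", PAD),
    _hit("203.0.113.9", "14:20", "/default.ida?id=1"),  # no padding run
    _hit("192.0.2.5", "14:45", PAD),
]

if __name__ == "__main__":
    for t, hosts, rate in growth(SAMPLE, [at("11:00"), at("13:00"), at("15:00")]):
        print(t.strftime("%H:%M"), hosts, "" if rate is None else rate)
```

Counting each source once at its first matching hit is what makes the totals track infected hosts rather than probe volume.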

: We've noted 4-5 new worm signatures today, though. Luckily no
: super-duper-evil ones yet.

avi, what's that mean? all variants
of this strain, with just different
defacement properties? or what?
we've seen one w different defacement,
but nothing significantly different.

(geez, do we now have worm thresholds for evil,
super-evil, and super-duper-evil,
and no one told me?
is that like tiers? <s> )

Actually, it *is* tiers. If they don't pay transit, they're
a tier-1 super-duper-evil one according to the beancounters.
Ones that generate billable packets are only very slightly evil :wink:

/Valdis