On Sunday 05 August 2001 09:34 pm, Joel Hammer wrote:
| Well, @HOME is still going strong.
| 348 hits since 5:00 am Aug4, 2001 (now is 9:30pm) here in
| Baltimore. Most of these hits are from the @HOME network.
fyi:
Worm Attack Rate
Date: Sun, 5 Aug 2001 18:19:14 -0600
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Code Red II appears to have a high attack rate. A number of factors
seem to be contributing to the observed data.
This worm spawn either 300 or 600 scanning threads. The original worm
and its variant only spawned 100.
This worm uses non-blocking I/O during the connection phase. It will
skip over hosts that are unresponsive quickly. The original worm and
its variant would block until the connect either succeeds or
timed-out.
This worm display locality. Its more likely to attack machines near
itself in the IP address space. Since the IP address space is mostly
sparse with machines bunched in some areas this is a more effective
method of finding other vulnerable machines that uniformly and
randomly selecting IP address across all of the IP address space, the
method used by the original worm and its variant.
Also, because of the locality it display the same IP addresses are
more likely to be attacked multiple times leading any single person
to see more attacks than normal if the worm has infected a machine
within its IP address space neighborhood. The flip side is that it
may take longer for the worm to jump from one IP address "island"
to another.
--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
--
dep
one day, you'll wish it was now.
your wish has been granted.
don't waste it.
_______________________________________________
http://linux.nf -- [EMAIL PROTECTED]
Archives, Subscribe, Unsubscribe, Digest, Etc
->http://linux.nf/mailman/listinfo/linux-users
