[Snort-users] code red warning

Andrew Daviel andrew at ...523...
Fri Oct 12 11:05:10 EDT 2001


On Fri, 12 Oct 2001, Paul Millar wrote:

> I'm getting regular attacks from Code Red which seems to be originating
> from the 213.123.x.x block of IP addresses - all of these are coming
> from btopenworld and btinternet users.

I believe that Code Red II has an affinity for one's local subnet,
so that if you are on 24.0.0.0/8 you see lots of traffic from 24.0.0.0/8
and so on. On 142.90/16 we see lots from 142.0.0.0/8; see
http://andrew.triumf.ca/codered/tcp.2001090522.3.gif
We have seen over 2.5 million distinct source addresses since
July, see http://andrew.triumf.ca/codered/build.log.png (log base e)

I spoke to someone at one of our most persistent attacking ISPs and they
basically said they do triage and contacting dialup users who have less
bandwidth and less capacity to do damage is at the bottom of the list, but
that they will get to it eventually.

Some commentary I read in a network ezine suggested that Microsoft's
careless default install of IIS may have polluted port 80 permanently.

-- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
security at ...524...
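As an added example, not from this post or from the Snort project, the script below measures the local-subnet affinity described above: it reads constructed alert lines (timestamp plus source address), counts how many distinct sources share the /8 and /16 of a local network such as 142.90/16, and ranks source /16 blocks by distinct hosts. The sample addresses are made up.

```python
import ipaddress
from collections import Counter

# Constructed sample alert lines: "<timestamp> <source address>".
# These addresses are invented for the example, not real sources.
SAMPLE_ALERTS = """\
2001-10-12T10:00:01 142.90.1.17
2001-10-12T10:00:05 142.90.1.17
2001-10-12T10:01:10 142.12.200.4
2001-10-12T10:02:00 142.200.33.9
2001-10-12T10:02:30 24.0.55.1
2001-10-12T10:03:00 213.123.7.8
2001-10-12T10:03:20 142.90.200.200
2001-10-12T10:04:00 10.1.2.3
2001-10-12T10:04:40 142.33.1.1
2001-10-12T10:05:00 213.123.9.9
"""


def parse_sources(text):
    """Return the set of distinct IPv4 source addresses in the alert lines."""
    sources = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            sources.add(ipaddress.IPv4Address(parts[1]))
        except ValueError:
            continue  # skip malformed lines instead of aborting the run
    return sources


def affinity(sources, local_net):
    """Count distinct sources that share the /8 and the /16 of local_net."""
    local = ipaddress.IPv4Network(local_net, strict=False)
    net8 = ipaddress.IPv4Network((local.network_address, 8), strict=False)
    net16 = ipaddress.IPv4Network((local.network_address, 16), strict=False)
    same8 = sum(1 for s in sources if s in net8)
    same16 = sum(1 for s in sources if s in net16)
    return {"distinct": len(sources), "same_8": same8, "same_16": same16}


def top_blocks(sources, prefixlen=16, n=3):
    """Rank source /prefixlen blocks by distinct hosts (which ISPs to contact)."""
    blocks = Counter(
        str(ipaddress.ip_network((s, prefixlen), strict=False)) for s in sources
    )
    return blocks.most_common(n)


if __name__ == "__main__":
    srcs = parse_sources(SAMPLE_ALERTS)
    print(affinity(srcs, "142.90.0.0/16"))
    print(top_blocks(srcs))
```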