I posted this chart before showing non-legitimate http syn scans targeting my class-b address space on 07/19 broken down by hour (EDT, GMT-4); probable code red probes. However I did some further crunching and added an additional column showing the number of destination addresses within my class-b address space being targeted by non-legitimate http syn scans during that 60 minute timeframe. Note that the number of addresses being targeted held steady and then suddenly jumped until it covered nearly the entire class-b range. This jump coincides with the increase in source addresses scanning. Worm variant? Or sudden increase in efficiency? # Unique Source # Unique Dest Hour # Code Red Worm Scans Addresses Scanning Addresses being EDT Scanned ----- --------------------- -------------------- --------------- 00 12699 2450 562 01 13059 2577 562 02 13272 2590 541 03 13056 2564 525 04 13283 2632 507 05 13229 2612 502 06 13554 2601 468 07 13517 2608 506 08 13746 2685 612 09 16819 3325 1724 10 36589 7838 8338 11 116083 26823 28462 12 295348 68085 51459 13 466542 103522 59699 14 520973 113451 60881 15 513513 115124 60814 16 513894 90931 60900 17 499642 111175 60469 18 480850 106215 59987 19 449712 97699 58908 20 26687 7319 8507 21 9197 2181 3046 22 7782 1814 2570 23 7056 1648 2343 Ken Eichman Senior Security Engineer Chemical Abstracts Service Tel: (614) 447-3838 ext 3230 2540 Olentangy River Road Fax: (614) 447-3855 Columbus, OH 43210 Email: keichmanat_private
This archive was generated by hypermail 2b30 : Fri Jul 20 2001 - 12:56:54 PDT