It seems as if the Code Red worm has gone to sleep for now, at least so far as we can tell. It will be interesting to see what happens when it re-awakens.

My previous email noted that the ARIS project would be notifying as many IP's as we could about possible infections of the worm. To that end we notified against 172,066 unique IP's within 27,640 unique domains. We owe a special thanks to Vern Paxson of LBL in this regard for supplying a significant amount of data alongside our own ARIS data.

Some notes of interest:

List of the largest bulk offenders:

     923 Level3.net
    1159 cnc.net
    1251 shawcable.net
    1309 att.net
    1363 bellatlantic.net
    1404 wanadoo.fr
    1438 gtei.net
    1452 btinternet.com
    1705 mindspring.com
    1709 swbell.net
    1905 bellsouth.net
    2358 mediaone.net
    2395 uu.net
    2496 aol.com
    2909 hinet.net
    3870 pacbell.net
    4148 t-dialin.net
    5940 rr.com

As I said earlier, the traffic seems to have dropped off. This is a graph showing this attack alongside the rest of the Internet noise (in terms of attacks trending up), the cessation is readily apparent:

http://www1.securityfocus.com/data/staff/trended3.pdf

Cheers,

-al

VP Engineering
SecurityFocus.com
"Vae Victis"

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sun Jul 22 2001 - 18:47:47 PDT