Worm Attack Rate

From: aleph1at_private
Date: Sun Aug 05 2001 - 17:19:14 PDT


    Code Red II appears to have a high attack rate. A number of factors seem
    to be contributing to the observed data.
    
    This worm spawns either 300 or 600 scanning threads. The original worm
    and its variant only spawned 100.
    
    This worm uses non-blocking I/O during the connection phase. It will
    skip over hosts that are unresponsive quickly. The original worm and
    its variant would block until the connect either succeeded or timed out.
    
    This worm displays locality. It's more likely to attack machines near
    itself in the IP address space. Since the IP address space is mostly
    sparse with machines bunched in some areas, this is a more effective
    method of finding other vulnerable machines than uniformly and randomly
    selecting IP addresses across all of the IP address space, the method
    used by the original worm and its variant.
    
    Also, because of the locality it displays, the same IP addresses are
    more likely to be attacked multiple times, leading any single person
    to see more attacks than normal if the worm has infected a machine
    within its IP address space neighborhood. The flip side is that it
    may take longer for the worm to jump from one IP address "island"
    to another.
    
    -- 
    Elias Levy
    SecurityFocus.com
    http://www.securityfocus.com/
    Si vis pacem, para bellum
    
    This archive was generated by hypermail 2b30 : Sun Aug 05 2001 - 17:26:44 PDT
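
The locality and repeat-probe effects described in the message can be measured from a sensor's own logs. The following is an added example, not part of the original post: it bins inbound probe sources by how much address prefix they share with the sensor and lists sources that probed more than once. The log format, the addresses and the function names are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample: "<timestamp> <source ip>" for inbound probes to port 80.
SAMPLE_LOG = """\
2001-08-05T17:01:02 10.20.3.4
2001-08-05T17:01:09 10.20.3.4
2001-08-05T17:01:15 10.20.77.8
2001-08-05T17:02:41 10.99.1.1
2001-08-05T17:03:00 10.20.3.4
2001-08-05T17:03:30 172.16.5.5
2001-08-05T17:04:12 10.20.77.8
2001-08-05T17:05:55 192.168.44.2
"""

def bucket(src, sensor):
    """Classify a source by the address prefix it shares with the sensor."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(sensor))
    if s >> 16 == d >> 16:
        return "same /16"
    if s >> 24 == d >> 24:
        return "same /8"
    return "elsewhere"

def locality_report(log_text, sensor):
    hits = Counter()                       # probes per source address
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue                       # skip malformed lines
        try:
            ipaddress.IPv4Address(parts[1])
        except ValueError:
            continue                       # skip unparsable addresses
        hits[parts[1]] += 1
    probes, sources = Counter(), Counter()
    for src, n in hits.items():
        b = bucket(src, sensor)
        probes[b] += n                     # total probes from this bucket
        sources[b] += 1                    # distinct sources in this bucket
    total = sum(hits.values())
    near = probes["same /16"] + probes["same /8"]
    return {"probes": dict(probes), "sources": dict(sources),
            "repeat_sources": sorted(s for s, n in hits.items() if n > 1),
            "near_fraction": near / total if total else 0.0}

if __name__ == "__main__":
    print(locality_report(SAMPLE_LOG, "10.20.9.9"))
```

A near fraction far above the share of the address space that the sensor's own /8 represents is the signature of a locality-biased scanner rather than a uniform one.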