Personal stats on satx.rr.com ARP traffic

From: Richard Bejtlich (richardat_private)
Date: Tue Aug 07 2001 - 20:29:26 PDT


    Hi all,
    
    Code Red continues to amaze.  First I was surprised by the hundreds of 
    individual IPs scanning my single, no-web-server IP (about 700/day the 
    last three days).  Now I'm floored by the ARP traffic.  First I 
    collected 1000 ARP packets to see how fast they were arriving:
    
    21:58:37.540138 arp who-has 24.160.158.68 tell 24.160.158.1
    21:58:37.581758 arp who-has 24.167.113.97 tell 24.167.112.1
    21:58:37.618142 arp who-has 66.69.10.33 tell 66.69.10.1
    21:58:37.708154 arp who-has 24.162.168.66 tell 24.162.168.1
    ....continues...
    21:59:38.586001 arp who-has 24.162.169.18 tell 24.162.168.1
    21:59:38.806825 arp who-has 24.167.112.82 tell 24.167.112.1
    21:59:38.870976 arp who-has 24.162.168.83 tell 24.162.168.1
    
    That's roughly 1000 ARP requests in one minute 1 second, or 16.4 ARP 
    requests per second.
    
    Then I collected 10000 ARP packets to see how the longer timespan fared:
    
    22:00:42.877487 arp who-has 24.28.153.143 tell 24.28.153.1
    22:00:42.915864 arp who-has 24.162.170.86 tell 24.162.170.1
    22:00:43.086824 arp who-has 24.160.136.166 tell 24.160.136.1
    22:00:43.143667 arp who-has 24.167.112.235 tell 24.167.112.1
    ...continues...
    22:11:30.739916 arp who-has 24.28.153.98 tell 24.28.153.1
    22:11:30.868589 arp who-has 24.160.159.67 tell 24.160.158.1
    22:11:31.031757 arp who-has 24.167.113.210 tell 24.167.112.1
    
    That session showed 10000 ARP requests in 10 minutes 48 seconds, or 15.4 
    ARP requests per second.
    
    I've never seen anything like this.
    
    Richard
    http://taosecurity.com
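
The rate measurement described in the post, as an added example that is not part of the original message: a Python parser for the tcpdump `arp who-has ... tell ...` lines that computes requests per second and breaks the traffic down by requesting router. The `summarize` function and its `packet_count` parameter are hypothetical names chosen here; the sample input is the first excerpt quoted in the post.

```python
import re
from collections import Counter, defaultdict

# tcpdump line format as quoted in the post: "HH:MM:SS.uuuuuu arp who-has X tell Y"
ARP_RE = re.compile(r"^\s*(\d\d):(\d\d):(\d\d)\.(\d{6}) arp who-has (\S+) tell (\S+)\s*$")

def parse_arp(lines):
    """Yield (seconds, target_ip, requester_ip) for each ARP request line."""
    day_offset, prev = 0, None
    for line in lines:
        m = ARP_RE.match(line)
        if not m:
            continue  # skips "...continues..." markers and non-ARP output
        h, mi, s, us = map(int, m.groups()[:4])
        t = h * 3600 + mi * 60 + s + us / 1e6
        if prev is not None and t < prev:
            day_offset += 86400  # time-of-day stamps only: the capture crossed midnight
        prev = t
        yield t + day_offset, m.group(5), m.group(6)

def summarize(lines, packet_count=None):
    """Return the timespan, request rate and per-router breakdown.

    packet_count (hypothetical parameter): total packets in the capture when
    `lines` is only an excerpt, e.g. the 1000 packets mentioned in the post.
    """
    events = list(parse_arp(lines))
    if len(events) < 2 or events[-1][0] == events[0][0]:
        raise ValueError("need two ARP lines with different timestamps")
    duration = events[-1][0] - events[0][0]
    count = packet_count if packet_count is not None else len(events)
    targets = defaultdict(set)
    for _, target, requester in events:
        targets[requester].add(target)
    return {
        "duration_s": duration,
        "rate_per_s": count / duration,
        "requests_by_router": Counter(r for _, _, r in events),
        "distinct_targets": {r: len(ips) for r, ips in targets.items()},
    }

# Sample input: the first excerpt quoted in the post (elided middle not reconstructed).
SAMPLE = """21:58:37.540138 arp who-has 24.160.158.68 tell 24.160.158.1
21:58:37.581758 arp who-has 24.167.113.97 tell 24.167.112.1
21:58:37.618142 arp who-has 66.69.10.33 tell 66.69.10.1
21:58:37.708154 arp who-has 24.162.168.66 tell 24.162.168.1
....continues...
21:59:38.586001 arp who-has 24.162.169.18 tell 24.162.168.1
21:59:38.806825 arp who-has 24.167.112.82 tell 24.167.112.1
21:59:38.870976 arp who-has 24.162.168.83 tell 24.162.168.1""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE, packet_count=1000))
```

On a full capture, omit `packet_count` so the rate is computed from the lines actually parsed.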
    
    
    



    This archive was generated by hypermail 2b30 : Wed Aug 08 2001 - 11:28:55 PDT