Re: NIMDA has a built in timer? No hits lately

From: Sevo Stille (sevoat_private)
Date: Tue Sep 18 2001 - 16:56:42 PDT


David Kennedy CISSP wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
>
> I started getting hit @ 13:09:55 UTC this morning. My sensors have
> not been touched since 19:15:10 UTC this afternoon.

Well, in the 212 netblock it is still going on, even though the rate has
been approximately halving every hour for the last two hours. The last
hit so far was at 23:48:31 UTC. Originally, about 10% came from all over
the /8 I'm in, but for the last hour, it has been all from my /16.

> Hypothesis: It's exhausted the IP space that would touch my IPs

Only possible if the scans expire after a period of time roughly
matching a fast bandwidth - otherwise, I'd expect scans from boxes with
ISDN connectivity to continue long after high-bandwidth machines have
finished. In any case, it seems to scan extremely fast, and as I saw a
decline on the sources outside my /16 rather than a growing number,
/8-scanning seems to stop at some time before it can possibly be finished.

By the way: So far, I have only been hit by one single instance of the
full Nimda pattern from outside 212/8 (and that machine may have had
another interface in 212, its ISP has netblocks in 212) - the initial
infection spreading across netblocks will probably have used a different
pattern, or I'd have expected at least a few odd hits preceding today's
outbreak.

> or
> it's turned itself off (if so will it turn itself on tomorrow ~1300
> UTC?)

Hardly by UTC, as it is still going on in the RIPE address space I'm in.
It could act on local time, or, more likely, it might be time fused to
stop after some period of activity.

Sevo

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
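The two observations in the message above, the hit rate roughly halving each hour and the sources narrowing from the surrounding /8 down to the sensor's own /16, are exactly what a defender would want to pull out of a sensor log while a worm is spreading. The script below is an added example that does that; it is not code from the original post or from its author. The log lines, the sensor address 212.45.100.9, and the function names are all constructed for illustration, and "same /8" and "same /16" here mean the classful first-one or first-two-octet blocks the message talks about, not announced BGP prefixes.

```python
"""Summarise worm-scan hits from a sensor log by hour and by source locality.

Added example, not from the original message. The log lines, the sensor
address and the helper names are constructed for illustration.
"""
from collections import Counter
from datetime import datetime
import ipaddress

# Hypothetical sensor address (placeholder, not from the original message).
SENSOR_IP = "212.45.100.9"

# Constructed sample log: one hit per line, "<UTC timestamp> <source IP>".
# Volume halves each hour and the sources narrow towards the sensor's /16.
SAMPLE_LOG = """\
2001-09-18T20:03:11Z 212.45.7.20
2001-09-18T20:09:45Z 212.45.190.3
2001-09-18T20:15:02Z 212.130.8.77
2001-09-18T20:22:30Z 212.45.33.19
2001-09-18T20:31:08Z 198.51.100.23
2001-09-18T20:38:54Z 212.45.201.140
2001-09-18T20:47:19Z 212.45.12.66
2001-09-18T20:55:41Z 212.45.88.250
2001-09-18T21:04:17Z 212.45.150.4
2001-09-18T21:19:33Z 212.77.2.200
2001-09-18T21:36:59Z 212.45.9.81
2001-09-18T21:52:26Z 212.45.222.13
2001-09-18T22:11:48Z 212.45.61.30
2001-09-18T22:49:05Z 212.45.177.9
"""

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_hits(text):
    """Return a list of (datetime, IPv4Address) tuples, skipping blank/comment lines."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        stamp, src = line.split()
        hits.append((datetime.strptime(stamp, TIME_FMT), ipaddress.IPv4Address(src)))
    return hits


def classify_source(src, sensor):
    """Locality of a source relative to the sensor: 'same /16', 'same /8' or 'other'.

    Compares the leading octets of the packed addresses, i.e. the classful
    /8 and /16 blocks the message talks about, not BGP-announced prefixes.
    """
    src = ipaddress.IPv4Address(src).packed
    sensor = ipaddress.IPv4Address(sensor).packed
    if src[:2] == sensor[:2]:
        return "same /16"
    if src[:1] == sensor[:1]:
        return "same /8"
    return "other"


def hour_bucket(stamp):
    """Truncate a timestamp to the start of its hour."""
    return stamp.replace(minute=0, second=0, microsecond=0)


def hits_per_hour(hits):
    """Ordered dict: hour start -> number of hits in that hour (hours with no hits are absent)."""
    counts = Counter(hour_bucket(stamp) for stamp, _ in hits)
    return dict(sorted(counts.items()))


def hourly_ratios(counts):
    """Ratio of each hour's count to the previous hour's (0.5 means 'halving')."""
    ordered = [counts[hour] for hour in sorted(counts)]
    return [round(cur / prev, 2) for prev, cur in zip(ordered, ordered[1:])]


def source_mix(hits, sensor):
    """Dict: hour start -> Counter of source locality classes seen that hour."""
    mix = {}
    for stamp, src in hits:
        mix.setdefault(hour_bucket(stamp), Counter())[classify_source(src, sensor)] += 1
    return dict(sorted(mix.items()))


def last_hit(hits):
    """Timestamp of the most recent hit, formatted as in the log."""
    return max(stamp for stamp, _ in hits).strftime(TIME_FMT)


if __name__ == "__main__":
    hits = parse_hits(SAMPLE_LOG)
    counts = hits_per_hour(hits)
    mix = source_mix(hits, SENSOR_IP)
    for hour, n in counts.items():
        print(f"{hour:%H:%M} UTC  hits={n:3d}  {dict(mix[hour])}")
    print("hour-over-hour ratios:", hourly_ratios(counts))
    print("last hit:", last_hit(hits))
```

Run against a real sensor export (one timestamp and source address per line), the hour-over-hour ratios make the "halving every hour" claim measurable, and the per-hour locality mix shows whether distant sources are dropping off before nearby ones, which is the point Sevo draws from seeing the /8 sources disappear first.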
    



    This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 17:11:39 PDT