It seems that Nimda has some strong locality properties when spreading.

Evaluating logs on a server which listens on an obscene number of virtual network interfaces with consecutive IP addresses, all in the same /24, I'm seeing the following distribution of "classical" netmasks (/n*8) with respect to the attacking hosts (unique IP addresses encountered in the logs):

    /16        1
    /8      1127
    /0       242

I don't see any /24s, but that's because there are no vulnerable hosts in that particular class C network.

This means, in particular, that the probability for Nimda to attack a host in the same /8 portion of the IP address space is approximately 5 times the probability to attack a host which is in some entirely "distant" region of the network.

It also seems like there is no special handling of /16 networks in the worm: Out of the 215 distinct /16 prefixes encountered (which do, however, still share the same /8 prefix with the attacked host's IP addresses), 36 make an appearance with only one unique IP address in my logs. The /16 prefix of the attacked host just happens to be one of these.

-- 
Thomas Roessler
http://log.does-not-exist.org/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
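The tally described in the post (unique attacking addresses bucketed by the classful prefix they share with the attacked host, plus the count of /16 prefixes that show up only once) can be reproduced from ordinary web-server logs. The script below is an added example and is not the poster's own tooling; the target address, the log excerpt and the request path are constructed, and the log format is assumed to be Common Log Format with the client address as the first field.

```python
"""Bucket attacking source addresses by the classful prefix (/24, /16, /8, /0)
they share with the attacked host, the way the post above tallies its logs.
Added example; log lines and the target address are constructed."""
from collections import Counter
import ipaddress
import re

# Attacked host: a constructed private address standing in for the real server.
TARGET = ipaddress.IPv4Address("10.20.30.40")

# Client address at the start of a Common Log Format line (assumed format).
LOG_LINE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s")

# Constructed log excerpt: one client repeated, one malformed line, several /8 peers.
SAMPLE_LOGS = """\
10.20.30.41 - - [18/Sep/2001:10:00:01 -0700] "GET /example HTTP/1.0" 404 0
10.20.99.5 - - [18/Sep/2001:10:00:02 -0700] "GET /example HTTP/1.0" 404 0
10.20.99.5 - - [18/Sep/2001:10:00:03 -0700] "GET /example HTTP/1.0" 404 0
10.77.1.1 - - [18/Sep/2001:10:00:04 -0700] "GET /example HTTP/1.0" 404 0
10.78.2.2 - - [18/Sep/2001:10:00:05 -0700] "GET /example HTTP/1.0" 404 0
10.78.2.3 - - [18/Sep/2001:10:00:06 -0700] "GET /example HTTP/1.0" 404 0
192.0.2.10 - - [18/Sep/2001:10:00:07 -0700] "GET /example HTTP/1.0" 404 0
198.51.100.7 - - [18/Sep/2001:10:00:08 -0700] "GET /example HTTP/1.0" 404 0
not a log line at all
"""


def unique_sources(lines):
    """Set of distinct client addresses; malformed lines and bad octets are skipped."""
    seen = set()
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        try:
            seen.add(ipaddress.IPv4Address(m.group("ip")))
        except ValueError:
            continue
    return seen


def shared_classful_prefix(src, target):
    """Number of leading octets src shares with target, capped at 3 (/24)."""
    s, t = src.packed, target.packed
    n = 0
    while n < 3 and s[n] == t[n]:
        n += 1
    return n


def bucket_by_locality(sources, target):
    """Histogram keyed '/24', '/16', '/8', '/0', like the table in the post."""
    counts = Counter()
    for src in sources:
        counts["/%d" % (shared_classful_prefix(src, target) * 8)] += 1
    return counts


def singleton_slash16s(sources, target):
    """Among sources in the target's /8: (distinct /16 prefixes, how many of them
    appear with exactly one unique address) -- the post's 215 / 36 check."""
    per16 = Counter()
    for src in sources:
        if src.packed[0] == target.packed[0]:
            per16[src.packed[:2]] += 1
    return len(per16), sum(1 for c in per16.values() if c == 1)


def locality_ratio(counts):
    """Raw same-/8 count divided by the 'distant' (/0) count, as the post does."""
    if counts["/0"] == 0:
        return None
    return counts["/8"] / counts["/0"]


if __name__ == "__main__":
    srcs = unique_sources(SAMPLE_LOGS.splitlines())
    counts = bucket_by_locality(srcs, TARGET)
    for mask in ("/24", "/16", "/8", "/0"):
        print("%-4s %6d" % (mask, counts[mask]))
    print("distinct /16s in same /8, singletons:", singleton_slash16s(srcs, TARGET))
    print("/8 : /0 ratio:", locality_ratio(counts))
```

Run it against a real access log by replacing `SAMPLE_LOGS` with the file's lines and `TARGET` with the address of the attacked interface; with many consecutive target addresses, run it once per address and sum the buckets. `locality_ratio` divides raw bucket counts exactly as the post does and does not normalise by the number of addresses each bucket covers.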
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 19:14:27 PDT