I guess the picture that's emerging is that the worm has stopped probing in some parts of IP-space, but is still probing in others. That suggests it can't have a hard time-based turn off, but could have some other kind of limit to how much it scans built in. We've got several ways of seeing the worm in different places, and the probe rate graphs do not appear consistent (it's not like Code Red where there was roughly consistent behaviour everywhere).

We're still far from understanding the worm code properly, but as far as we can tell so far, it only seems to access the system time once (it puts it into a registry variable). It does seem to be keeping track of its own CPU time usage for some reason.

Homer Wilson Smith wrote:
>
> > We're still seeing several probes per second into a /17, though the rate is
> > noisy. The probe rate is not going up any more - suggesting some degree of
> > saturation. Are you sure someone upstream of you didn't apply some filter?
>
> What kind of filter?

I've heard reports of some ISPs disallowing inbound port 80 SYNs into some portions of their address space. I wanted to rule out some explanation like that.

Stuart.

--
Stuart Staniford --- President --- Silicon Defense
** Silicon Defense: Technical Support for Snort **
mailto:stuartat_private
http://www.silicondefense.com/
(707) 445-4355 x 16
(707) 445-4222 (FAX)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
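The reasoning in the message above, that a probe rate which has plateaued looks like saturation while silence at one vantage point cannot be told apart from an upstream filter on inbound port 80 without comparing against another vantage point, can be turned into a small piece of monitoring code. The following is an added example and is not code from the original post or from Silicon Defense; the log line format, the addresses, the timestamps and the plateau tolerance are all constructed for illustration, and the function names are the example's own.

```python
"""Probe-rate bookkeeping for comparing worm sightings from several vantage points.

Added example, not code from the original post. The log format, addresses,
timestamps and thresholds below are constructed for illustration.
"""
import re
from datetime import datetime

# Constructed log format, one inbound SYN per line:
#   "<ISO-8601 timestamp> SYN <src> -> <dst>:<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) SYN "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)$"
)
EPOCH = datetime(1970, 1, 1)


def _secs(ts):
    """Seconds since a fixed epoch (naive datetimes, so no timezone surprises)."""
    return int((ts - EPOCH).total_seconds())


def parse_port80_syns(lines):
    """Return (timestamp, src) for every inbound SYN to port 80; other lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m.group("port") == "80":
            events.append((datetime.fromisoformat(m.group("ts")), m.group("src")))
    return events


def bin_series(events, start, end, bin_seconds=60):
    """Probe counts per bin over [start, end), zero-filled so silent bins are visible."""
    s0 = _secs(start)
    n = (_secs(end) - s0 + bin_seconds - 1) // bin_seconds
    series = [0] * n
    for ts, _src in events:
        i = (_secs(ts) - s0) // bin_seconds
        if 0 <= i < n:
            series[i] += 1
    return series


def classify_trend(series, window=3, tolerance=0.25):
    """Label the last `window` bins: 'stopped', 'rising', 'saturated' or 'noisy'.

    'saturated' is a plateau (recent bins within `tolerance` of each other),
    which is what a probe rate that "is not going up any more" looks like.
    """
    recent = series[-window:]
    earlier = series[:-window]
    if recent and all(c == 0 for c in recent) and earlier and max(earlier) > 0:
        return "stopped"
    if len(recent) >= 2 and recent[-1] > recent[0] * (1 + tolerance):
        return "rising"
    if recent and min(recent) > 0 and max(recent) <= min(recent) * (1 + tolerance):
        return "saturated"
    return "noisy"


def compare_vantages(trend_a, trend_b):
    """Silence at one vantage point while another still sees probes is not evidence
    that the worm stopped: an upstream filter on inbound port 80 explains it just
    as well, so flag that vantage point for checking before drawing conclusions."""
    active = {"rising", "saturated", "noisy"}
    if trend_a == "stopped" and trend_b in active:
        return "suspect-filter-at-A"
    if trend_b == "stopped" and trend_a in active:
        return "suspect-filter-at-B"
    if trend_a == trend_b == "stopped":
        return "consistent-stop"
    return "consistent-active"


def _constructed_log(counts_per_minute):
    """Build constructed log lines with the given number of port-80 SYNs per minute."""
    lines = []
    n = 0
    for minute, count in enumerate(counts_per_minute):
        for k in range(count):
            n += 1
            lines.append(f"2001-09-18T10:{minute:02d}:{k * 7:02d} SYN "
                         f"203.0.113.{n % 250 + 1} -> 198.51.100.{k + 1}:80")
    # A non-port-80 SYN that the parser must ignore.
    lines.append("2001-09-18T10:00:30 SYN 203.0.113.9 -> 198.51.100.2:25")
    return lines


START = datetime(2001, 9, 18, 10, 0, 0)
END = datetime(2001, 9, 18, 10, 5, 0)
# Vantage A keeps seeing a steady trickle; vantage B goes silent after two minutes.
VANTAGE_A_LOG = _constructed_log([5, 6, 5, 6, 5])
VANTAGE_B_LOG = _constructed_log([5, 4, 0, 0, 0])


def assess(log_lines, start=START, end=END):
    """Parse, bin and classify one vantage point's log; returns (series, trend)."""
    series = bin_series(parse_port80_syns(log_lines), start, end)
    return series, classify_trend(series)


if __name__ == "__main__":
    series_a, trend_a = assess(VANTAGE_A_LOG)
    series_b, trend_b = assess(VANTAGE_B_LOG)
    print("A", series_a, trend_a)
    print("B", series_b, trend_b)
    print(compare_vantages(trend_a, trend_b))
```

Zero-filling the bins matters: if only bins with traffic are kept, a vantage point that went silent never shows a "stopped" series at all. With the constructed logs, vantage A classifies as saturated, vantage B as stopped, and the comparison flags B as the place to ask about upstream filtering rather than a worm shutdown.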
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 19:54:17 PDT