Thomas Roessler wrote: > > It seems that Nimda has some strong locality properties > when spreading. > > Evaluating logs on a server which listens on an obscene number of > virtual network interfaces with consecutive IP addresses, all in the > same /24, I'm seeing the following distribution of "classical" > netmasks (/n*8) with respect to the attacking hosts (unique IP > addresses encountered in the logs): > > /16 1 > /8 1127 > /0 242 These numbers are to one IP address only. total outside smaller spaces --------- ---------------------- /0 158 9 /8 149 133 /16 16 16 /24 0 0 The /24 I'm in is sparcely populated. It does seam to be favoring the /16 some over the /8. At this time 10:40pm CDT (-500) I'm mostly seeing repeats, with only a few new ip addresses. -- | Bryan Andersen | bryanat_private | http://www.nerdvest.com | | Buzzwords are like annoying little flies that deserve to be swatted. | | -Bryan Andersen | ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 22:15:30 PDT