Re: Nimda mostly infects /8-locally.

From: Bryan Andersen (bryanat_private)
Date: Tue Sep 18 2001 - 20:40:47 PDT

    Thomas Roessler wrote:
    > 
    > It seems that Nimda has some strong locality properties
    > when spreading.
    > 
    > Evaluating logs on a server which listens on an obscene number of
    > virtual network interfaces with consecutive IP addresses, all in the
    > same /24, I'm seeing the following distribution of "classical"
    > netmasks (/n*8) with respect to the attacking hosts (unique IP
    > addresses encountered in the logs):
    > 
    >         /16      1
    >         /8    1127
    >         /0     242
    
    These numbers are to one IP address only.
    
           total  outside smaller spaces
    -----  -----  ----------------------
    /0       158       9
    /8       149     133
    /16       16      16
    /24        0       0
    
    The /24 I'm in is sparsely populated.
    
    It does seem to be favoring the /16 some over the /8.
    
    At this time 10:40pm CDT (-500) I'm mostly seeing repeats, with 
    only a few new ip addresses.
    
    
    
    
    -- 
    |  Bryan Andersen   |   bryanat_private   |   http://www.nerdvest.com   |
    | Buzzwords are like annoying little flies that deserve to be swatted. |
    |   -Bryan Andersen                                                    |
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
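
Added example, not part of the original messages: a Python sketch of the tally discussed in this thread, counting unique source addresses by the longest "classical" prefix (/24, /16, /8, /0) they share with the logged server address. The log format (source IP as the first field), the sample lines and the function names are assumptions; "total" counts hosts sharing at least that prefix and "outside smaller spaces" counts those sharing no longer one.

```python
import ipaddress
import re

PREFIXES = (24, 16, 8, 0)  # classical /n*8 masks, most specific first

# Constructed sample log lines (private addresses, not real data).
SAMPLE_LOG = """\
10.20.30.5 - - "GET /probe HTTP/1.0" 404
10.20.99.1 - - "GET /probe HTTP/1.0" 404
10.20.7.7 - - "GET /probe HTTP/1.0" 404
10.200.1.1 - - "GET /probe HTTP/1.0" 404
10.3.3.3 - - "GET /probe HTTP/1.0" 404
10.3.3.3 - - "GET /probe HTTP/1.0" 404
10.77.0.9 - - "GET /probe HTTP/1.0" 404
172.16.5.5 - - "GET /probe HTTP/1.0" 404
192.168.1.1 - - "GET /probe HTTP/1.0" 404
999.1.1.1 - - "malformed source, must be skipped"
""".splitlines()

def source_ips(log_lines):
    """Return the set of unique, valid IPv4 sources (first field of each line)."""
    seen = set()
    for line in log_lines:
        m = re.match(r"\s*(\d{1,3}(?:\.\d{1,3}){3})\b", line)
        if not m:
            continue
        try:
            seen.add(ipaddress.IPv4Address(m.group(1)))
        except ipaddress.AddressValueError:
            continue  # looks like an address but is out of range
    return seen

def locality(target, sources):
    """Map prefix length -> (total, outside_smaller_spaces) relative to target."""
    target_bits = int(ipaddress.IPv4Address(target))
    exclusive = dict.fromkeys(PREFIXES, 0)
    for src in sources:
        diff = int(src) ^ target_bits
        # Longest classical prefix on which source and target agree.
        longest = next(p for p in PREFIXES if diff >> (32 - p) == 0)
        exclusive[longest] += 1
    table, running = {}, 0
    for p in PREFIXES:  # accumulate from the smallest space outwards
        running += exclusive[p]
        table[p] = (running, exclusive[p])
    return table

if __name__ == "__main__":
    for p, (total, outside) in sorted(locality("10.20.30.40", source_ips(SAMPLE_LOG)).items()):
        print(f"/{p:<3} {total:6} {outside:6}")
```
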
    


