
RE: code red goes on



>
>There has definitely been a change in the original form of the attacks from
># GET /default.ida?NNNNN -snip- NN%u9090% -snip- 0%u00=a  HTTP/1.0
>to
># GET /default.ida?XXXXX -snip- XX%u9090% -snip- 0%u00=a  HTTP/1.0
>The second packet is also much shorter (with less X's), although the tail is
>the same.
>
>The increase in traffic over the last few days has been marked.
>
>Sept  -   0 hits
>1 Aug -   3 hits    0.1 per hr
>2 Aug -  22 hits    0.9/hr
>3 Aug -  33 Hits    1.4/hr
>4 Aug -  41 Hits    1.7/hr
>5 Aug - 167 Hits    6.9/hr
>6 Aug -  79 Hits   10.0/hr (only 8 hrs of data)
>
>I can see this is going to be a real problem in the upcoming weeks.
>
>I have noticed on the end of each access in the log, Apache gives "404 205".
>404 I guess means page not found, but on two occasions it looks like
>it gave a "200 - ".  Strange.  I thought a valid access was 200.
>
>Ian
>

Code Reds Mark II and III have already been identified, doing much more malicious things and spreading with better randomisation.

Hopefully a "cheese worm" equivalent will be released to stomp on this before we get to 20 Jul and the biggest DDoS in history kicks off.
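
Added example, not part of either poster's message: a small Apache access-log tally that separates the N-padded and X-padded `/default.ida?` probes quoted above, counts them per day, and collects any probe answered with something other than 404 for manual review. The log lines are constructed and shortened, and the function names `classify` and `summarize` are hypothetical.

```python
import re
from collections import Counter

# Apache common log format: host ident user [day:time zone] "request" status bytes
LINE = re.compile(
    r'^\S+ \S+ \S+ \[(?P<day>[^:]+):[^\]]+\] '
    r'"\S+ (?P<uri>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)
# Padding run after "/default.ida?": N in the first form, X in the second.
PROBE = re.compile(r'^/default\.ida\?(?P<pad>N+|X+)', re.IGNORECASE)

def classify(line):
    """Return (day, variant, pad_len, status) for a probe line, else None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    p = PROBE.match(m.group("uri"))
    if not p:
        return None
    pad = p.group("pad")
    return m.group("day"), pad[0].upper(), len(pad), int(m.group("status"))

def summarize(lines):
    """Count probes per (day, variant); list probes not answered with 404."""
    per_day, not_404 = Counter(), []
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        day, variant, _pad_len, status = hit
        per_day[(day, variant)] += 1
        if status != 404:
            not_404.append(hit)
    return per_day, not_404

# Constructed sample lines; the real requests are far longer (see the -snip- above).
TAIL = '%u9090=a HTTP/1.0"'
SAMPLE = [
    '192.0.2.10 - - [05/Aug/2001:03:12:44 +0100] "GET /default.ida?' + "N" * 12 + TAIL + ' 404 205',
    '198.51.100.7 - - [05/Aug/2001:04:01:09 +0100] "GET /default.ida?' + "X" * 6 + TAIL + ' 404 205',
    '203.0.113.5 - - [06/Aug/2001:01:30:00 +0100] "GET /default.ida?' + "X" * 6 + TAIL + ' 200 -',
    '192.0.2.33 - - [06/Aug/2001:02:00:00 +0100] "GET /index.html HTTP/1.0" 200 1043',
]

if __name__ == "__main__":
    counts, review = summarize(SAMPLE)
    for (day, variant), n in sorted(counts.items()):
        print(f"{day}  {variant}-padded probes: {n}")
    for hit in review:
        print("non-404 response, check by hand:", hit)
```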


