RE: code red goes on
>
>There has definitely been a change in the original form of the attacks from
># GET /default.ida?NNNNN -snip- NN%u9090% -snip- 0%u00=a HTTP/1.0
>to
># GET /default.ida?XXXXX -snip- XX%u9090% -snip- 0%u00=a HTTP/1.0
>The second packet is also much shorter (with less X's), although the tail is
>the same.
>
>The increase in traffic over the last few days has been marked.
>
>Sept - 0 hits
>1 Aug - 3 hits 0.1 per hr
>2 Aug - 22 hits 0.9/hr
>3 Aug - 33 Hits 1.4/hr
>4 Aug - 41 Hits 1.7/hr
>5 Aug - 167 Hits 6.9/hr
>6 Aug - 79 Hits 10.0/hr (only 8 hrs of data)
>
>I can see this is going to be a real problem in the upcoming weeks.
>
>I have noticed on the end of each access in the log, Apache gives "404 205"
>404 I guess means page not found, but on two occasions it looks like
>it gave a "200 - ". Strange. I thought a valid access was 200.
>
>Ian
>
Code Reds Mark II and III have already been identified, doing much more malicious things and spreading with better randomisation.
Hopefully a "cheese worm" equivalent will be released to stomp on this before we get to 20 Jul and the biggest DDoS in history kicks off.