Security Incidents mailing list archives

Re: .ida Intrusion Attempt


From: "E. Larry Lidz" <ellidz () eridu uchicago edu>
Date: Fri, 20 Jul 2001 08:53:36 -0500


Stuart Staniford writes:
> show a sudden dramatic increase in the probe rate earlier this morning
> (US time).  This could be consistent with a new version which is
> spreading much more effectively (possibly because it seeds its random
> number better).  I'm trying to fit this data.

The numbers look, loosely, like a bell curve to me. I'm not a
statistician, but isn't this loosely what we'd expect to see? That as it
compromises more machines it spreads itself asymptotically? And then,
once it hits a certain threshold people take note and start shutting
down the machines doing the attacking?

-Larry

---
E. Larry Lidz                                        Phone: (773)702-2208
Sr. Network Security Officer                         Fax:   (773)702-0559
Network Security Center, The University of Chicago
PGP: http://security.uchicago.edu/centerinfo/pgpkeys.shtml
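
The shape discussed in the message above can be reproduced with a small mean-field model of a random-scanning worm. This is an added example, not part of the original post or of anyone's actual fit to the data. Every parameter value (vulnerable population, scan rate, notice threshold, cleanup rate, sensor size) is a constructed assumption chosen only to show the rise, saturation and decline.

```python
import math

def simulate(vulnerable=300_000, addr_space=2**32, scans_per_step=5_000,
             notice_frac=0.10, cleanup_rate=0.05, steps=200, seed_hosts=1):
    """Return the expected number of infected hosts at each time step.

    All defaults are constructed values for illustration, not measurements.
    """
    susceptible = float(vulnerable - seed_hosts)
    infected = float(seed_hosts)
    noticed = False
    history = []
    for _ in range(steps):
        history.append(infected)
        # Each infected host probes uniformly random addresses; p_hit is the
        # chance that one given susceptible host receives at least one probe.
        total_scans = infected * scans_per_step
        p_hit = -math.expm1(total_scans * math.log1p(-1.0 / addr_space))
        newly_infected = susceptible * p_hit
        # Once infections pass the threshold, admins start taking a fixed
        # fraction of attacking machines offline each step.
        if infected >= notice_frac * vulnerable:
            noticed = True
        cleaned = infected * cleanup_rate if noticed else 0.0
        susceptible -= newly_infected
        infected += newly_infected - cleaned
    return history

def sensor_probes(history, sensor_addrs=65_536, addr_space=2**32,
                  scans_per_step=5_000):
    """Expected probes per step landing in a monitored block of addresses."""
    return [i * scans_per_step * sensor_addrs / addr_space for i in history]

if __name__ == "__main__":
    with_cleanup = sensor_probes(simulate())
    no_cleanup = sensor_probes(simulate(cleanup_rate=0.0))
    for t in range(0, 200, 10):
        print(f"t={t:3d}  probes(cleanup)={with_cleanup[t]:10.1f}  "
              f"probes(no cleanup)={no_cleanup[t]:10.1f}")
```
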

