Security Incidents mailing list archives
Re: Nimda mostly infects /8-locally.
From: Bryan Andersen <bryan () visi com>
Date: Tue, 18 Sep 2001 22:40:47 -0500
Thomas Roessler wrote:
> It seems that Nimda has some strong locality properties when
> spreading. Evaluating logs on a server which listens on an obscene
> number of virtual network interfaces with consecutive IP addresses,
> all in the same /24, I'm seeing the following distribution of
> "classical" netmasks (/n*8) with respect to the attacking hosts
> (unique IP addresses encountered in the logs):
>
>   /16     1
>   /8   1127
>   /0    242
These numbers are to one IP address only.

        total      outside smaller spaces
        ---------  ----------------------
  /0    158        9
  /8    149        133
  /16   16         16
  /24   0          0

The /24 I'm in is sparsely populated. It does seem to be favoring the /16 some over the /8. At this time 10:40pm CDT (-500) I'm mostly seeing repeats, with only a few new ip addresses.

--
| Bryan Andersen | bryan () visi com | http://www.nerdvest.com |
| Buzzwords are like annoying little flies that deserve to be swatted. |
| -Bryan Andersen |

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
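The tallies in both messages can be reproduced from a list of source addresses by bucketing each unique attacker on the longest classful prefix (/24, /16, /8, /0) it shares with the logging host. The following is an added example, not part of either post; the function names, the local address and the sample source addresses are constructed for illustration.

```python
import ipaddress
from collections import Counter

PREFIXES = (24, 16, 8, 0)  # "classical" netmasks, longest first

def shared_prefix(local, remote):
    """Return the longest of /24, /16, /8, /0 that both addresses share."""
    l = int(ipaddress.IPv4Address(local))
    r = int(ipaddress.IPv4Address(remote))
    for n in (24, 16, 8):
        if (l >> (32 - n)) == (r >> (32 - n)):
            return n
    return 0

def locality_table(local, sources):
    """Map prefix -> (total, outside_smaller) over unique source IPs.

    total:           unique sources sharing at least this prefix
    outside_smaller: those sharing this prefix but no longer one
    """
    exclusive = Counter(shared_prefix(local, ip) for ip in set(sources))
    table, running = {}, 0
    for n in PREFIXES:
        running += exclusive[n]
        table[n] = (running, exclusive[n])
    return table

# Constructed sample data: one sensor address and the source addresses
# pulled from its logs (duplicates included, as repeat probes would be).
LOCAL = "192.0.2.10"
SAMPLE_SOURCES = [
    "192.0.77.5", "192.0.77.5", "192.0.130.9",      # same /16
    "192.168.4.20", "192.88.1.1", "192.200.3.3",    # same /8 only
    "198.51.100.7", "203.0.113.9",                  # elsewhere
]

if __name__ == "__main__":
    table = locality_table(LOCAL, SAMPLE_SOURCES)
    print("       total  outside smaller spaces")
    for n in sorted(table):
        total, outside = table[n]
        print(f"/{n:<4} {total:>6}  {outside:>6}")
```

The "outside smaller spaces" column is the one to compare across sensors, since the cumulative totals always include the more local buckets.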