Here is my experience since Saturday. My personal IIS4 server www.awacs.co.nz started to receive this attack on Saturday and since then it has averaged 8 packets every 36 seconds or so. Other work that I host on this address causes it to serve an average of ~8,400 unique sessions a day; this relates to my hosting of www.rnz.org.nz (previously www.rnz.co.nz), the BBC World and other media users.

The attack is so regular in time it looks like one, two or three broadcast computers which spoof their IP addresses and are robotically broadcasting to a known set of IP addresses. The purpose of which is/was to both take control and hack the home page to say "hacked by Chinese" and redirect to www.worm.com. The www.worm.com connection appears to also have been planned to be a Trojan web site. Their domain record shows that a modification was made to the domain record at exactly the time the Code Red worm went into the wild.

I have used a packet analyser to capture the sessions and find one of the fixed commonalities amongst the inbound packets from differing IP addresses is the value for the "Window" (example = 17520) in the TCP header, but I am not sure what to read into this value.

Session packet sizes inbound are as follows, so you are getting billed a lot more than the single packet:

  62
  60
  60
  1514  HTTP buffer overload
  1514  binary payload
  1169  binary payload
  60
  60

I started logging the web packets on Tuesday and the statistics were 3036, 2357, 2353 attacks (24-hour periods, regular).

In speaking with the USA they think there are 5000 hosts out there blasting away... but this would cause statistical connection surges in time and this is not happening... so I think there is a small finite number of computers. As we know the destination target IP addresses (me), would it not be possible to use this to track the path that these attacks are coming from?

Michael Sutton
www.awacs.co.nz
+64 21 305500
-----Original Message-----
From: owner-nznog(a)list.waikato.ac.nz [mailto:owner-nznog(a)list.waikato.ac.nz] On Behalf Of Dean Pemberton
Sent: Friday, July 20, 2001 11:01
To: Juha Saarinen
Cc: 'Simon Lyall'; nznog(a)list.waikato.ac.nz
Subject: Re: Full analysis of the .ida "Code Red" worm.
I'm dumping the SYN so I get away with that as the only traffic
On Fri, Jul 20, 2001 at 10:42:16AM +1200, Juha Saarinen wrote:
:: Yeah, that's a really good point - now that I'm on the Telstra
:: Aus special plan of
:: 3G-a-month-because-we-reneged-on-our-flatrate-agreement
::
:: I bet this is going to chew into my downloading quota
How big is each request:
64.54.50.43 - - [20/Jul/2001:10:18:24 +1200] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 330 "-" "-"
?
Spoke to a Clear customer who counted 114 hits from this morning only. :-(
-- Juha
--------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
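As an added example (not from this thread or from any of the posters), the following Python script tallies Code Red ".ida" probes in an Apache access log of the kind Juha posted, per day and per source address, which is the kind of count both Juha's "114 hits" and Michael's per-24-hour figures were taken from. The log lines are constructed: the first mirrors the posted request, the addresses 203.0.113.7 and 198.51.100.9 are documentation addresses, and the 224-character run of N is the length usually quoted for the Code Red request rather than a count taken from the posted line. The signature also accepts a run of X as padding, which later Code Red variants used, so it goes a little beyond the single request in this thread.

```python
"""Tally Code Red .ida probes in an Apache access log.

Added example for the NZNOG thread above; not code from the thread.
Sample log lines are constructed (documentation addresses, made-up times).
"""
import re
from collections import Counter

# Apache common/combined log format:
#   host ident user [day/Mon/year:time zone] "method uri proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<day>\d{2}/\w{3}/\d{4}):[^\]]+\] '
    r'"(?P<method>\S+) (?P<uri>\S+)(?: (?P<proto>[^"]+))?" (?P<status>\d{3})'
)

# Code Red request: /default.ida? followed by a long padding run (N in the
# request posted in the thread; later variants used X) and then %uXXXX
# escapes. Match padding plus the first escape so a truncated log line
# still matches.
CODERED_RE = re.compile(
    r'^/default\.ida\?(?P<pad>N{20,}|X{20,})(?P<esc>%u[0-9a-fA-F]{4})',
    re.IGNORECASE,
)

# Constructed payload: 224 N's (the commonly quoted length) plus the %u
# sequence from the posted log line.
PAYLOAD = 'N' * 224 + (
    '%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3'
    '%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a'
)

SAMPLE_LOG = [
    # Mirrors the posted line: Apache answers 400, so the request failed here.
    '64.54.50.43 - - [20/Jul/2001:10:18:24 +1200] "GET /default.ida?'
    + PAYLOAD + ' HTTP/1.0" 400 330 "-" "-"',
    '203.0.113.7 - - [20/Jul/2001:10:19:01 +1200] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [20/Jul/2001:11:02:13 +1200] "GET /default.ida?'
    + PAYLOAD + ' HTTP/1.0" 400 330 "-" "-"',
    '198.51.100.9 - - [21/Jul/2001:09:45:30 +1200] "GET /default.ida?'
    + PAYLOAD + ' HTTP/1.0" 400 330 "-" "-"',
    # A bare /default.ida with no padding is not the worm signature.
    '203.0.113.7 - - [21/Jul/2001:09:50:00 +1200] "GET /default.ida HTTP/1.0" 404 210 "-" "-"',
    'garbage line that is not an access-log record',
]


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not a log record."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_codered(uri):
    """True if the request URI carries the Code Red .ida signature."""
    return CODERED_RE.match(uri) is not None


def tally(lines):
    """Count Code Red probes per day and per source host.

    Returns (per_day, per_host, per_status, unparsed); per_status lets you
    see whether the server answered 400 (as Apache did in the thread) or
    something else.
    """
    per_day, per_host, per_status = Counter(), Counter(), Counter()
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if is_codered(rec['uri']):
            per_day[rec['day']] += 1
            per_host[rec['host']] += 1
            per_status[rec['status']] += 1
    return per_day, per_host, per_status, unparsed


if __name__ == '__main__':
    per_day, per_host, per_status, unparsed = tally(SAMPLE_LOG)
    for day, n in sorted(per_day.items()):
        print(f'{day}: {n} Code Red probes')
    for host, n in per_host.most_common():
        print(f'  {host}: {n}')
    print(f'status codes: {dict(per_status)}, unparsed lines: {unparsed}')
```

To run it over a real log, replace SAMPLE_LOG with the lines of your access_log; the per-host counts are where a small, fixed set of sources (as Michael suspected) would show up as a few hosts with high counts rather than thousands with one hit each.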