Message-ID: <001d01c2c580$edadc7b0$e62d1c41@basement>
From: mattmurphy at kc.rr.com (Matthew Murphy)
Subject: 100 Worms per Second, Courtesy of Telstra

> Pardon my delurk, but this is very strange worm behavior. We are seeing
> 100 SQL Worms per second from a single IP address on Telstra. This is
> about 10k times the level of activity we are seeing from any other
> address.

That is certainly odd.

> Anyone here either know anyone at Telstra who can shut this off, or
> perhaps at least some explanation of why this worm instance would set
> aside its usual randomish behavior and flood us like this?

There seems to be a major weakness in the scanning pattern of this worm that
makes it flood some addresses far more extensively than others. Considering
that the entire 'random' generator is just a trivial bit shift of the system
timer, it can't be expected to be really 'random' at all.