Question about codered worm

Sam Couter sam at topic.com.au
Tue Aug 7 17:04:35 EST 2001


Martijn van Oosterhout <kleptog at svana.org> wrote:
> Over the past 24 hours, our firewall here has blocked over 250,000
> connection attempts to bogus IPs generated by this worm. (We're blocking
> almost an entire class C here). That's about 40 per host per hour. Anyway,
> what I was wondering was:
> 
> - Does seem abnormally high to anyone?

Not from what I can tell on our web servers. This second worm seems far more
aggressive than the first one.

Because of the way the worm generates the random IP addresses to attack, the
rate at which you get attacked will depend on how many hosts in your class B
network block are also infected.

> - In a sense we're paying for this traffic, so I was wondering if anyone
> had had any luck trying to convince their upstream provider to block the
> traffic.

That would depend who your upstream provider is. I'd guess that Telstra will
be amazingly non-responsive. They *want* you to generate more traffic so
they can charge you for it. They also take the attitude that it's up to you
to block traffic you don't want.

But, if the connection isn't being established because of your firewall,
you're only getting SYN packets.

> - are we allowed to do smurf type attacks on offending machines to try to
> disable their IP stacks?

Not legally (IANAL).

However, I was wishing I had the know-how and the time to write something
that responds with a payload that just shuts the machine down. That should
keep them quiet for a short while. :)

> - from what I'm seeing, the general response from everyone is to ignore the
> problem. Is this true or are people actually doing something?

SecurityFocus are running a service where you send the IP address that
attacked you and the approximate time, and they will notify the owners of
that IP address. I can't find the email address to send your list of
attacking IP addresses to at the moment. Have a look at
http://www.securityfocus.com/ if you like. I can't navigate the site.

> I'm sorely tempted to simply disable all logging of the problem and ignore
> it.

We're just ignoring it so far, mostly because we don't know that we can do
anything about it.
-- 
Sam Couter          |   Internet Engineer   |   http://www.topic.com.au/
sam at topic.com.au    |   tSA Consulting      |
OpenPGP key ID:       DE89C75C,  available on key servers
OpenPGP fingerprint:  A46B 9BB5 3148 7BEA 1F05  5BD5 8530 03AE DE89 C75C
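The thread's two practical figures (the "attempts per host per hour" rate and the source IP plus approximate time that a notification service asks for) can both be pulled straight out of firewall drop logs. The script below is an added example, not part of the original post; it assumes an iptables-style syslog line for each dropped inbound SYN to port 80, and the log lines it reads are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in an iptables-style syslog format. Assumption:
# the firewall logs each dropped inbound SYN to port 80 in a similar shape.
SAMPLE_LOG = """\
Aug  7 10:00:01 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=2012 DPT=80 SYN
Aug  7 10:15:30 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.11 PROTO=TCP SPT=2040 DPT=80 SYN
Aug  7 10:40:12 fw kernel: DROP IN=eth0 SRC=192.0.2.55 DST=203.0.113.10 PROTO=TCP SPT=3301 DPT=80 SYN
Aug  7 11:05:44 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.12 PROTO=TCP SPT=2099 DPT=80 SYN
Aug  7 11:30:00 fw kernel: DROP IN=eth0 SRC=192.0.2.55 DST=203.0.113.10 PROTO=TCP SPT=3390 DPT=80 SYN
Aug  7 11:59:59 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=2150 DPT=80 SYN
Aug  7 11:59:59 fw kernel: DROP IN=eth0 SRC=192.0.2.55 DST=203.0.113.10 PROTO=UDP SPT=53 DPT=53
"""

# Only TCP SYNs to port 80 count; anything else (the UDP line above) is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=TCP .*?DPT=80 SYN$"
)

def parse_syn_drops(log, year=2001):
    """Return (timestamp, src, dst) tuples for dropped TCP SYNs to port 80."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["src"], m["dst"]))
    return events

def summarize(events, window_hours):
    """Aggregate by attacking source (count, first/last seen) and compute the
    attempts-per-destination-host-per-hour figure over the log window."""
    by_src = {}
    per_dst = defaultdict(int)
    for ts, src, dst in events:
        rec = by_src.setdefault(src, {"count": 0, "first": ts, "last": ts})
        rec["count"] += 1
        rec["first"] = min(rec["first"], ts)
        rec["last"] = max(rec["last"], ts)
        per_dst[dst] += 1
    rate = {dst: n / window_hours for dst, n in per_dst.items()}
    return by_src, rate

def report_lines(by_src):
    """One line per source, busiest first: the address and approximate time
    window an abuse or notification contact needs."""
    rows = sorted(by_src.items(), key=lambda kv: -kv[1]["count"])
    return [f"{src} {r['first']:%Y-%m-%d %H:%M} to {r['last']:%H:%M} ({r['count']} attempts)"
            for src, r in rows]

if __name__ == "__main__":
    by_src, rate = summarize(parse_syn_drops(SAMPLE_LOG), window_hours=2)
    print("\n".join(report_lines(by_src)))
    for dst, r in sorted(rate.items()):
        print(f"{dst}: {r:.1f} attempts/hour")
```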