Question about codered worm

Drake Diedrich dld at
Thu Aug 16 01:34:16 EST 2001

On Thu, Aug 09, 2001 at 10:58:30PM +1000, David Murn wrote:
> We've been under attack from this virus for about the last week and have
> logged 5200 SYN packets in just over 4 minutes.  At 68 bytes each this is
> 353k.  Meaning 12minutes of this attack is 1mb, or 5mb per hour.  Meaning

   Yikes!  That's half your bandwidth!  I'm similar, but have only had 10%
of the load you're getting. Just turned off my web server so I'll only be
getting unacknowledged SYNs.   The proper response of course is for ISPs to
disconnect *INFECTED* hosts, not us victims.  How long should we wait for

  Alternatively, there's the Vigilante project: I have to admit being tempted, but I'm not
running Java just to do this, and who can be bothered going to court to save
the Internet.

   Wasn't securityfocus collecting IP addresses of infected machines?
Personally, I wish I had an AS so I could just blackhole any class C that
probed me even once..  Might be something to consider at the AARNET level

   Hmm, legal responses to codered probes..  Accept the connection and
return as much data as possible, to run out their quotas (assuming these are
home users not on an unlimited plan, or to punish their ISP)?  If widespread
enough I imagine that could start to have an impact (getting infected hosts
removed from the Internet..).  It could even be instructions on how to
remove codered..

