>
> There has definitely been a change in the original form of the attacks from
> # GET /default.ida?NNNNN -snip- NN%u9090% -snip- 0%u00=a HTTP/1.0
> to
> # GET /default.ida?XXXXX -snip- XX%u9090% -snip- 0%u00=a HTTP/1.0
> The second packet is also much shorter (with less X's), although the tail is
> the same.
>
> The increase in traffic over the last few days has been marked.
>
> Sept - 0 hits
> 1 Aug - 3 hits 0.1 per hr
> 2 Aug - 22 hits 0.9/hr
> 3 Aug - 33 Hits 1.4/hr
> 4 Aug - 41 Hits 1.7/hr
> 5 Aug - 167 Hits 6.9/hr
> 6 Aug - 79 Hits 10.0/hr (only 8 hrs of data)
>
> I can see this is going to be a real problem in the upcoming weeks.
>
> I have noticed on the end of each access in the log, Apache gives "404 205"
> 404 I guess means page not found, but on two occasions it looks like
> it gave a "200 - ". Strange. I thought a valid access was 200.
>
> Ian
>
Code Reds Mark II and III have already been identified, doing much more malicious things and spreading with better randomisation. Hopefully a "cheese worm" equivalent will be released to stomp on this before we get to 20 Jul and the biggest DDoS in history kicks off.
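An added example (not from the thread or its authors) of the kind of log check behind the figures quoted above: a small Python parser run over constructed Apache access-log lines that flags both the N and X forms of the probe, counts hits per day, and separates the expected 404s from the odd 200 responses. Log lines and IPs are made up for the example.

```python
import re
from collections import Counter

# Constructed Apache access-log lines (common log format) shaped like the probes
# quoted in the thread; the query strings are truncated, not real payloads.
SAMPLE_LOG = """\
10.0.0.1 - - [01/Aug/2001:10:02:11 +0000] "GET /default.ida?NNNNNNNN%u9090%u00=a HTTP/1.0" 404 205
10.0.0.2 - - [02/Aug/2001:11:15:42 +0000] "GET /default.ida?XXXX%u9090%u00=a HTTP/1.0" 404 205
10.0.0.3 - - [02/Aug/2001:12:40:09 +0000] "GET /index.html HTTP/1.0" 200 1234
10.0.0.4 - - [02/Aug/2001:13:01:33 +0000] "GET /default.ida?XXXX%u9090%u00=a HTTP/1.0" 200 -
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/\w{3}/\d{4}):(?P<time>[\d:]+) [^\]]*\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# The two request shapes from the thread: a run of N's or X's, then the %u9090 marker.
PROBE_RE = re.compile(r'^GET /default\.ida\?(?P<fill>N+|X+)%u9090')


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def probe_variant(request):
    """'N' or 'X' for the two probe forms, None for any other request."""
    m = PROBE_RE.match(request)
    return m.group('fill')[0] if m else None


def summarize(log_text):
    """Count probe hits per day and per variant, and record the status codes served."""
    per_day, per_variant, statuses, served_200 = Counter(), Counter(), Counter(), []
    for line in log_text.splitlines():
        e = parse_line(line)
        if not e:
            continue
        v = probe_variant(e['req'])
        if v is None:
            continue
        per_day[e['day']] += 1
        per_variant[v] += 1
        statuses[e['status']] += 1
        if e['status'] == '200':  # the probe was answered rather than rejected: check why
            served_200.append((e['ip'], e['day'], e['time']))
    return {'per_day': per_day, 'per_variant': per_variant,
            'statuses': statuses, 'served_200': served_200}


def hits_per_hour(hits, hours_of_data=24):
    """Hits per hour over the hours of log actually captured, rounded to one decimal."""
    return round(hits / hours_of_data, 1)
```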