Data Sources

• Data collected from a /8 network, and for July 19th CodeRed, two /16 networks at Lawrence Berkeley Laboratories (LBL)

• 1/256th of total address space monitored

• Machines sending TCP SYN packets to port 80 of nonexistent hosts considered infected

• Packet headers with some gaps, and 1 in 4 sampled netflow

• No SYNACK ==> no worm payload

Previous slide

Next slide

Back to first slide

View graphic version