Code Red probes by Day

This table shows the number of Code Red probes against my webserver per day.

Date    Probes

What does this mean as far as total number of machines infected?

If we assume that a Code Red worm tries to infect 5 systems per second, then in one day it will try to infect 4e5 systems. This is approximately 1e-4 of the total Internet address space, so my single IP address should see about 1e-4 of all infected machines attacking it. You can therefore multiply the daily numbers above by 10,000 to get an approximation of the total number of infected machines.

The 5 systems per second is a guess based on the fact that it has 100 threads making connections, of which some get rejected instantly, and some will time out. I'm assuming an average of 20 seconds per connection. [I also fudged the numbers so that the July 19 day came out about right -- I assumed that the total infection was around 400,000 systems and that due to the growth, I only saw around half of the probes that I would expect.]
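
The estimate above, worked through as code. This is an added example, not part of the original page; it goes one step beyond the text by attaching a rough 95% interval to the estimate, since a daily count of a few dozen probes is noisy. The function names, the Poisson assumption and the sample counts are constructed for illustration.

```python
import math

IPV4_SPACE = 2 ** 32        # the "total Internet address space" in the text
SECONDS_PER_DAY = 86_400

def scan_rate(threads=100, avg_conn_seconds=20.0):
    """Probes per second per infected host: the page's 100 threads / 20 s guess."""
    return threads / avg_conn_seconds

def daily_coverage(rate):
    """Fraction of the address space one infected host probes in a day (~1e-4)."""
    return rate * SECONDS_PER_DAY / IPV4_SPACE

def expected_probes(infected, rate=None, seen_fraction=1.0):
    """Probes one IP address should log in a day for a given infected population."""
    rate = scan_rate() if rate is None else rate
    return infected * daily_coverage(rate) * seen_fraction

def estimate_infected(probes_seen, rate=None, seen_fraction=1.0):
    """Return (estimate, low, high) for the number of infected hosts.

    seen_fraction < 1 models a day on which growth meant only part of the
    expected probes arrived (the page uses one half for July 19).
    Assumption (not from the page): targets are picked uniformly at random,
    so the daily count is roughly Poisson with standard deviation sqrt(count).
    """
    rate = scan_rate() if rate is None else rate
    scale = 1.0 / (daily_coverage(rate) * seen_fraction)
    spread = 1.96 * math.sqrt(probes_seen)
    low = max(probes_seen - spread, 0.0) * scale
    high = (probes_seen + spread) * scale
    return round(probes_seen * scale), round(low), round(high)

if __name__ == "__main__":
    print(f"scan rate: {scan_rate():.1f}/s, coverage: {daily_coverage(scan_rate()):.3e}")
    # Constructed daily counts (the page's table data is not available here).
    for count, fraction in ((20, 0.5), (40, 1.0), (150, 1.0)):
        est, low, high = estimate_infected(count, seen_fraction=fraction)
        print(f"{count:4d} probes (seen {fraction:.0%}): "
              f"~{est:,} infected, 95% range {low:,} to {high:,}")
```

With a count as low as 20 the interval spans roughly a factor of two in each direction, so the multiply-by-10,000 figure is best read as an order-of-magnitude estimate.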
