Honeypot Q3 2002 patterns

Q3 2002 has been notably quieter than Q3 2001 — no Code Red equivalent, no Nimda equivalent. A short summary of what was observed.

The data

From my honeypot range:

  • Total compromise attempts: similar to Q2 2002.
  • Distinct sources: about 20% lower than Q2.
  • Sebek captures of human-attacker activity: 6 sessions.
  • Attack mix dominated by Slapper probes and continuing Code Red residuals.

What is interesting

Slapper traffic is distinctive. Infected hosts join a peer-to-peer mesh that talks over UDP on a fixed port (2002 for the original variant), so the mesh produces regular, same-port UDP patterns that are easy to identify. My structured-log analysis catches them reliably.

Code Red residuals continue. More than a year after the original outbreak (July 2001), hosts that were never cleaned are still scanning TCP/80 with the same GET /default.ida request. The half-life of compromised populations is much longer than I had expected.
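As an added illustration of the kind of structured-log classification described above (this is not the post's own tooling, which is not shown), here is a small Python classifier run over constructed log lines. It assumes an iptables-style key=value event format with the honeypot's first HTTP request line appended as REQ="...", treats UDP to port 2002 (the original Slapper variant's mesh port) or to 1978/4156 (assumed ports for later variants) as Slapper mesh traffic, flags GET /default.ida on TCP/80 as Code Red, and pairs a plain TCP/80 probe with a TCP/443 hit from the same source inside 60 seconds as Slapper's exploit phase (its OpenSSL attack was preceded by an Apache check on port 80). All addresses, timestamps and function names are invented.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not data from the post's honeypot range).
# One event per line: ISO timestamp, then iptables-style KEY=VALUE fields;
# for hits on TCP/80 the captured request line is appended as REQ="...".
SAMPLE_LOG = """\
2002-09-14T03:12:07 SRC=203.0.113.5 DST=192.0.2.10 PROTO=UDP SPT=2002 DPT=2002 LEN=36
2002-09-14T03:12:08 SRC=203.0.113.5 DST=192.0.2.11 PROTO=UDP SPT=2002 DPT=2002 LEN=36
2002-09-14T03:12:09 SRC=203.0.113.5 DST=192.0.2.12 PROTO=UDP SPT=2002 DPT=2002 LEN=36
2002-09-14T03:15:41 SRC=198.51.100.77 DST=192.0.2.10 PROTO=TCP SPT=4411 DPT=80 REQ="GET /default.ida?NNNNNNNNNNNN%u9090%u6858 HTTP/1.0"
2002-09-14T03:20:02 SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=2233 DPT=80 REQ="GET / HTTP/1.1"
2002-09-14T03:20:05 SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=2234 DPT=443 LEN=40
2002-09-14T03:22:10 SRC=192.0.2.200 DST=192.0.2.10 PROTO=TCP SPT=33000 DPT=22 LEN=60
"""

# Assumed mesh ports: 2002 for the original Slapper, 1978 and 4156 for later variants.
SLAPPER_P2P_PORTS = {2002, 1978, 4156}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one event into a dict; quoted values (REQ) keep their spaces."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return {
        "ts": datetime.fromisoformat(ts),
        "src": fields["SRC"],
        "dst": fields["DST"],
        "proto": fields["PROTO"],
        "spt": int(fields.get("SPT", 0)),
        "dpt": int(fields.get("DPT", 0)),
        "req": fields.get("REQ", ""),
    }


def classify(ev):
    """Single-event rules: Slapper mesh UDP and Code Red's signature request."""
    if ev["proto"] == "UDP" and ev["dpt"] in SLAPPER_P2P_PORTS:
        return "slapper_p2p"
    if ev["proto"] == "TCP" and ev["dpt"] == 80 and "/default.ida" in ev["req"]:
        return "code_red"
    return "other"


def analyze(log_text, window=timedelta(seconds=60)):
    """Classify every event, then correlate per source for Slapper's 80 -> 443 sequence."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    labels = [classify(ev) for ev in events]

    # Stateful rule: a still-unlabelled TCP/80 probe followed by TCP/443 from the
    # same source within `window` is treated as the Slapper exploit phase.
    last_80 = {}
    for i, ev in enumerate(events):
        if ev["proto"] != "TCP":
            continue
        if ev["dpt"] == 80 and labels[i] == "other":
            last_80[ev["src"]] = i
        elif ev["dpt"] == 443 and ev["src"] in last_80:
            j = last_80[ev["src"]]
            if ev["ts"] - events[j]["ts"] <= window:
                labels[j] = labels[i] = "slapper_exploit"

    sources = defaultdict(set)
    for ev, lab in zip(events, labels):
        sources[lab].add(ev["src"])
    return {
        "total_events": len(events),
        "distinct_sources": len({ev["src"] for ev in events}),
        "by_class": dict(Counter(labels)),
        "sources_by_class": {k: sorted(v) for k, v in sources.items()},
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The two-stage shape matters: the UDP mesh and the Code Red request are recognisable from one line each, but the Slapper exploit phase only shows up as a sequence per source, which is why the per-source state and the time window are kept separate from the single-event rules.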

The Sebek captures are mostly familiar patterns. The careful-attacker style I described earlier continues to be rare but observable. No new attack patterns this quarter.

What this teaches

The quieter quarter is a good thing for operators. It is also informative — the lack of major new worms suggests that the defensive infrastructure (faster patching, better filtering, Trustworthy Computing effects) is starting to raise the bar.

The specific lesson: when a quarter is quieter than expected, write down what changed. The factors are usually structural rather than coincidental.

More as the year develops.
