Please Help! I think I'm being watched!

  • #16
    Just for fun, I sniffed the traffic coming into my cable modem. Basically I see a ton of ARP requests. Why I am seeing so many seems a tad weird, since the whole point of ARP is to prevent excessive traffic: the MAC-to-IP binding is cached. I am seeing about 12 pps and they are all going to the 48-bit address ff-ff-ff-ff-ff-ff (broadcast). All of the HTTP traffic I am seeing is very minimal, so it appears the Code Red worm has died down.
    The bottom line, Kindness, is that I think you are seeing the normal everyday traffic, because cable is a shared medium, so you will see traffic from just about every damn person on your subnet. Here is a text version of 3 captured packets out of the 1200 or so I captured.


    - - - - - - - - - - - - - - - - - - - - Frame 668 - - - - - - - - - - - - - - - - - - - -
    "Flags ","Frame ","Delta Time ","Destination ","Source ","Bytes","Protocol ","Summary"
    " "," 668","0.039.137 ","Broadcast ","Motrla1AC0D3 "," 60 ","ARP"," C PA=[24.0.88.68] PRO=IP"
    DLC: ----- DLC Header -----
    DLC:
    DLC: Frame 668 arrived at 20:52:05.3859; frame size is 60 (003C hex) bytes.
    DLC: Destination = BROADCAST FFFFFFFFFFFF, Broadcast
    DLC: Source = Station Motrla1AC0D3
    DLC: Ethertype = 0806 (ARP)
    DLC:
    ARP: ----- ARP/RARP frame -----
    ARP:
    ARP: Hardware type = 1 (10Mb Ethernet)
    ARP: Protocol type = 0800 (IP)
    ARP: Length of hardware address = 6 bytes
    ARP: Length of protocol address = 4 bytes
    ARP: Opcode 1 (ARP request)
    ARP: Sender's hardware address = 08003E1AC0D3
    ARP: Sender's protocol address = [24.0.88.1]
    ARP: Target hardware address = 000000000000
    ARP: Target protocol address = [24.0.88.68]
    ARP:
    ARP: 18 bytes frame padding
    ARP:
    ADDR HEX ASCII
    0000: ff ff ff ff ff ff 08 00 3e 1a c0 d3 08 06 00 01 | ÿÿÿÿÿÿ..>.ÀÓ....
    0010: 08 00 06 04 00 01 08 00 3e 1a c0 d3 18 00 58 01 | ........>.ÀÓ..X.
    0020: 00 00 00 00 00 00 18 00 58 44 61 77 e4 78 00 00 | ........XDawäx..
    0030: 61 11 06 02 ff ff ff ff ff ff 08 00 | a...ÿÿÿÿÿÿ..

    - - - - - - - - - - - - - - - - - - - - Frame 669 - - - - - - - - - - - - - - - - - - - -
    "Flags ","Frame ","Delta Time ","Destination ","Source ","Bytes","Protocol ","Summary"
    " "," 669","0.002.287 ","Broadcast ","Motrla1AC0D3 "," 60 ","ARP"," C PA=[24.6.254.140] PRO=IP"
    DLC: ----- DLC Header -----
    DLC:
    DLC: Frame 669 arrived at 20:52:05.3882; frame size is 60 (003C hex) bytes.
    DLC: Destination = BROADCAST FFFFFFFFFFFF, Broadcast
    DLC: Source = Station Motrla1AC0D3
    DLC: Ethertype = 0806 (ARP)
    DLC:
    ARP: ----- ARP/RARP frame -----
    ARP:
    ARP: Hardware type = 1 (10Mb Ethernet)
    ARP: Protocol type = 0800 (IP)
    ARP: Length of hardware address = 6 bytes
    ARP: Length of protocol address = 4 bytes
    ARP: Opcode 1 (ARP request)
    ARP: Sender's hardware address = 08003E1AC0D3
    ARP: Sender's protocol address = [24.6.254.1]
    ARP: Target hardware address = 000000000000
    ARP: Target protocol address = [24.6.254.140]
    ARP:
    ARP: 18 bytes frame padding
    ARP:
    ADDR HEX ASCII
    0000: ff ff ff ff ff ff 08 00 3e 1a c0 d3 08 06 00 01 | ÿÿÿÿÿÿ..>.ÀÓ....
    0010: 08 00 06 04 00 01 08 00 3e 1a c0 d3 18 06 fe 01 | ........>.ÀÓ..þ.
    0020: 00 00 00 00 00 00 18 06 fe 8c 45 00 00 1c b7 43 | ........þŒE...·C
    0030: 61 11 06 02 ff ff ff ff ff ff 08 00 | a...ÿÿÿÿÿÿ..

    - - - - - - - - - - - - - - - - - - - - Frame 670 - - - - - - - - - - - - - - - - - - - -
    "Flags ","Frame ","Delta Time ","Destination ","Source ","Bytes","Protocol ","Summary"
    " "," 670","0.002.476 ","Broadcast ","Motrla1AC0D3 "," 60 ","ARP"," C PA=[24.1.126.226] PRO=IP"
    DLC: ----- DLC Header -----
    DLC:
    DLC: Frame 670 arrived at 20:52:05.3907; frame size is 60 (003C hex) bytes.
    DLC: Destination = BROADCAST FFFFFFFFFFFF, Broadcast
    DLC: Source = Station Motrla1AC0D3
    DLC: Ethertype = 0806 (ARP)
    DLC:
    ARP: ----- ARP/RARP frame -----
    ARP:
    ARP: Hardware type = 1 (10Mb Ethernet)
    ARP: Protocol type = 0800 (IP)
    ARP: Length of hardware address = 6 bytes
    ARP: Length of protocol address = 4 bytes
    ARP: Opcode 1 (ARP request)
    ARP: Sender's hardware address = 08003E1AC0D3
    ARP: Sender's protocol address = [24.1.126.1]
    ARP: Target hardware address = 000000000000
    ARP: Target protocol address = [24.1.126.226]
    ARP:
    ARP: 18 bytes frame padding
    ARP:
    ADDR HEX ASCII
    0000: ff ff ff ff ff ff 08 00 3e 1a c0 d3 08 06 00 01 | ÿÿÿÿÿÿ..>.ÀÓ....
    0010: 08 00 06 04 00 01 08 00 3e 1a c0 d3 18 01 7e 01 | ........>.ÀÓ..~.
    0020: 00 00 00 00 00 00 18 01 7e e2 00 00 8a 8f 13 00 | ........~â..Š..
    0030: 61 11 06 02 ff ff ff ff ff ff 08 00 | a...ÿÿÿÿÿÿ..
    Ladies and gentlemen, take my advice, pull down your pants and slide on the ice.

    Comment
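The three hex dumps quoted above, decoded by an added Python example (not code from the post or from the analyser it used) that unpacks the Ethernet and ARP headers and tallies who is asking for what. It shows why the traffic is benign on a shared cable segment: one MAC claims the .1 address of three different /24s, which is what a head-end router answering for many subnets looks like; the same pattern from an ordinary host would deserve a closer look. The hex strings are transcribed from the dumps (first 42 bytes, the rest being the padding the analyser labels), and plain Ethernet II framing is assumed.

```python
import struct
from collections import Counter

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
BROADCAST = b"\xff" * 6
_HDR = "ffffffffffff08003e1ac0d30806000108000604000108003e1ac0d3"  # shared 28-byte prefix

# Constructed from the three dumps in the post: frame number -> first 42 bytes as hex.
ARP_DUMPS = {
    668: _HDR + "18005801" + "000000000000" + "18005844",  # who has 24.0.88.68? tell 24.0.88.1
    669: _HDR + "1806fe01" + "000000000000" + "1806fe8c",  # who has 24.6.254.140? tell 24.6.254.1
    670: _HDR + "18017e01" + "000000000000" + "18017ee2",  # who has 24.1.126.226? tell 24.1.126.1
}


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ip(b):
    return ".".join(str(x) for x in b)


def parse_arp_frame(raw):
    """Decode one Ethernet II frame carrying ARP; reject anything else."""
    dst, src, ethertype = ETH_HDR.unpack_from(raw, 0)
    if ethertype != 0x0806:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(raw, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unexpected ARP hardware/protocol format")
    return {
        "src": mac(src), "broadcast": dst == BROADCAST,
        "op": {1: "request", 2: "reply"}.get(op, f"op{op}"),
        "sha": mac(sha), "spa": ip(spa), "tha": mac(tha), "tpa": ip(tpa),
    }


def summarize(dumps):
    """Return decoded frames, request count per sender MAC, and the /24s the
    senders claim to live in. One MAC speaking for many /24s is a router."""
    parsed = [parse_arp_frame(bytes.fromhex(h)) for h in dumps.values()]
    by_sender = Counter(p["sha"] for p in parsed if p["op"] == "request")
    subnets = sorted({p["spa"].rsplit(".", 1)[0] + ".0/24" for p in parsed})
    return parsed, by_sender, subnets


if __name__ == "__main__":
    for p in summarize(ARP_DUMPS)[0]:
        print(f"{p['op']:7} from {p['sha']} ({p['spa']}) for {p['tpa']} broadcast={p['broadcast']}")
```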


    • #17
      Kindness, check this out..

      Brian Stretch writes: "The Code Red II worm was unleashed early this morning and appears to be very different than the original and far more dangerous. CR2 infected servers only attack servers within their Class A address block and their Class B address block in particular: since 9:11am EST I've l...


      You're being hit by code red II.

      Here are some links from another discussion board:

      Last edited by KvHagedorn; 6 August 2001, 22:42.

      Comment


      • #18
        Check www.grc.com

        Comment


        • #19
          I just got around to looking at my apache log - right now 2500 code red hits and counting

          Dan
          Juu nin to iro


          English doesn't borrow from other languages. It follows them down dark alleys, knocks them over, and goes through their pockets for loose grammar.

          Comment


          • #20
            With Verizon DSL here, this mess all started on Aug 1st... I must have had at least 10,000+ hits, and rapidly increasing!
            "Be who you are and say what you feel, because those who mind don't matter, and those who matter don't mind." -- Dr. Seuss

            "Always do good. It will gratify some and astonish the rest." ~Mark Twain

            Comment


            • #21
              hmmm... that's weird... you guys seem to be hit far worse than me by the code red stuff.

              I just checked my apache logs:
              Code:
                        - 29 July : 0 attacks
              29 July - 5 Aug   : 92 Code Red, 1 2nd Generation Code Red
              5 Aug   - 8 Aug   : 30 Code Red, 67 2nd Generation Code Red

              Comment


              • #22
                From exactly 8 pm last night to right now (5:56 am) I have gotten 364 hits on ZoneAlarm. That's a little over one hit every 2 minutes. Really strange.

                (The artist formerly known as Kindness!)

                Comment


                • #23
                  Most of those spreading this CodeRed crap are running Win2K Server, and in my instance those with Verizon DSL are causing a major headache, because the use of servers and VPN is allowed.

                  Call 1-877-222-2375 and go through the options to reach support; just prior to reaching them there is a spiel on CodeRed.
                  "Be who you are and say what you feel, because those who mind don't matter, and those who matter don't mind." -- Dr. Seuss

                  "Always do good. It will gratify some and astonish the rest." ~Mark Twain

                  Comment
