Threat Level: green Handler on Duty: Rick Wanner

SANS ISC: Infocon - SANS Internet Storm Center Infocon

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

The intent of the 'Infocon' is to reflect changes in malicious traffic and the possibility of disrupted connectivity. In particular important is the concept of "Change". Every host connected to the Internet is subject to some amount of traffic caused by worms and viruses. However, once a worm has been identified and the number of infected machines is no longer increasing, this traffic is not likely to cause any disruptions.

The Infocon is intended to apply to the condition of the Internet infrastructure. We do not monitor particular nations or companies.

Link To Current Infocon Status

You may use the following html code to link to the current Infocon status:

In addition to the graphic, we offer two text feeds. The text feed can take up to 15 minutes to update.

  • infocon.txt: The Infocon color. Just one word in plain text
  • daily_alert.html: The daily alert. Infocon and handlers diary headline as minmal HTML feed for inclusion in web sites

For fans of RSS newsfeeds, check our RSS feed at rssfeed.xml

If we change the Infocon, we try to remain at the same level for at least 24 hrs.

Applications and Widgets

Infocon Definition

Infocon images below use a white background. Transparent images are available by adding "_transparent" such as status_blue_transparent.gif.

Everything is normal. No significant new threat known.
This status is used for testing only. Everything is normal. No significant new threat known.
We are currently tracking a significant new threat. The impact is either unknown or expected to be minor to the infrastructure. However, local impact could be significant. Users are advised to take immediate specific action to contain the impact. Example: 'MSBlaster' worm outbreak.
A major disruption in connectivity is imminent or in progress. Examples: Code Red on its return, and SQL Slammer worm during its first half day
Loss of connectivity across a large part of the internet.

Infocon Rubric

A score of 6 or greater moves Infocon up to Yellow, and 10 or greater moves us to Orange.

How we score the Infocon status:

  • +2 Slammer-like impact on Internet wide operations
  • +2 Remote arbitrary code execution
  • +2 No vendor patch or effective mitigation is available
  • +2 Active exploitation of vulnerability
  • +1 Affects current version of up to date software
  • +1 Affects widely deployed software
  • +1 Relatively easy to exploit
  • +1 Proof of concept code is available
  • +1 Affects current version of up to date software
  • +1 Affects a Microsoft OS or Adobe application
  • +1 Wormable
  • -1 Affects obscure or obsolete OS or application
  • -1 Requires user intervention to run
  • -1 IDS/IPS rules or other detective controls are available
  • -1 Major anti-virus vendors can detect and clean malware
  • -1 Mainstream media and everyone else has already covered issue
  • -1 Vendor has released an advisory/bulletin/announcement (and decent workaround)

(Partial) Infocon History

This table summarizes past infocon changes. Not every single event is covered. (Eg. Code Red was our first event that caused us to go to 'Yellow' and later briefly to 'Orange')

Jan 23 2015YellowAdobe Flash Vulnerabilities
Sep 26 2014YellowBash Shellshock
Apr 08 2014YellowOpenSSL Heartbleed
Mar 16 2012YellowMS12020 Windows RDP Vulnerability
Sep 28 2010YellowMS10070
Jul 19 2010YellowLNK Vulnerability in Windows
Jul 13 2009YellowMS Office Web Components ActiveX
Oct 23 2008YellowMicrosoft RPC Patch MS08067
May 15 2008YellowDebian SSL Keys
Mar 31 2007YellowANI Exploit
Mar 23-24 2006YellowcreateTextRange exploit
Dec 31st 2005-Jan 5th 2006YellowWMF flaw
Dec 27th 2005YellowWMF flaw
Nov 21-22 2005YellowWindow() MSIE 0-day
Oct 19-20 2005YellowSnort Exploit
Aug 12-18 2005YellowPnP Bot/Worm (Zotob)
May 1-4 2004YellowSasser Worm
Mar 20-22 2004YellowWitty Worm
Sep 10-12 2003YellowRPC exploit
Aug 11-15 2003YellowMSFT Blaster
Mar 17-20 2003YellowIIS WebDav Exploit
Jan 25-28 2003YellowSQL Slammer
Sep 19 2002YellowSlapper Worm