Security Incidents mailing list archives

Re: CRv2 multiple scans from same source IP


From: Andy Berkheimer <andy () tho org>
Date: Mon, 06 Aug 2001 16:51:52 -0400


On Mon, 6 Aug 2001, corecode wrote:

it could generate the same IP address again in its PRNG, but the chance
of this happening is near 0.

You're saying that the chance it will try a duplicate IP again later is 0?
Not quite 0...

(1/(254*254))*3/8 + (1/(254*254*254))*4/8 =~ 0.00000584, or 0.000584%.
Which means 1 out of about 171,144 generated numbers will be a dupe.  I
don't know what the average scan rate of this thing is, but if we assume
300 threads at 10 seconds each average to either deliver payload or time
out,  that's 95 minutes between dupes average.

My logs also bear out that dupes are common.

Don't forget the birthday paradox.

If the odds of any two generated numbers being the same is 1/171,144,
then there are better than 50/50 odds that you will find a duplicate
in any selection of ~500 IP addresses generated by the propagating worm.

Given 300 threads running, dupes from CRII should be very common.

-andy
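A worked check of the arithmetic in this thread, added here as an illustration (Python, not code from the thread): it reproduces the one-in-~171,000 repeat rate, the ~95 minutes between repeats for a 300-thread, 10-second-per-probe host, and the ~500-draw birthday bound, all using the message's own assumptions about the worm's target selection.

```python
"""Birthday-paradox check on the duplicate-target arithmetic in the thread.

Model used in the message: a new target equals a given earlier one with
probability p = (3/8)/254^2 + (4/8)/254^3 (random host in the same /16
or /8); the fully random 1/8 branch adds only ~1/2^32 and is dropped.
"""
import math

# Per-pair collision probability, exactly as computed in the message.
P_PAIR = (1 / (254 * 254)) * 3 / 8 + (1 / (254 * 254 * 254)) * 4 / 8


def draws_between_dupes(p=P_PAIR):
    """Expected generated addresses per exact repeat of one address (1/p)."""
    return 1 / p


def minutes_between_dupes(threads=300, secs_per_probe=10, p=P_PAIR):
    """Minutes for one infected host to emit 1/p targets, using the
    message's assumption of 300 threads taking ~10 s per probe each."""
    probes_per_sec = threads / secs_per_probe
    return draws_between_dupes(p) / probes_per_sec / 60


def prob_any_duplicate(n, p=P_PAIR):
    """P(at least one repeated target among n draws).

    Birthday approximation: n draws form n(n-1)/2 pairs, each colliding
    with probability p, so P(no collision) ~= exp(-p * n(n-1)/2).
    """
    pairs = n * (n - 1) / 2
    return 1 - math.exp(-p * pairs)


def draws_for_50_percent(p=P_PAIR):
    """Smallest n at which a repeated target is at least a 50/50 bet."""
    n = 1
    while prob_any_duplicate(n, p) < 0.5:
        n += 1
    return n


if __name__ == "__main__":
    print(f"1 in {draws_between_dupes():,.0f} generated targets is a repeat")
    print(f"{minutes_between_dupes():.0f} min between repeats on one host")
    print(f"{draws_for_50_percent()} targets give >=50% odds of a repeat")
    for n in (100, 300, 500, 1000):
        print(f"n={n:5d}: P(repeat) = {prob_any_duplicate(n):.3f}")
```

The practical reading for anyone triaging logs: repeated probes from one source are the expected behaviour of a single infected host, not a sign of a second attacker.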

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
