Security Incidents mailing list archives
Re: CRv2 multiple scans from same source IP
From: Andy Berkheimer <andy () tho org>
Date: Mon, 06 Aug 2001 16:51:52 -0400
On Mon, 6 Aug 2001, corecode wrote:

> > it could generate the same ip address again in its PRNG but the chance
> > of this happening is near 0.
>
> You're saying that the chance it will try a duplicate IP again later is 0?
> Not quite 0...
>
> (1/(254*254))*3/8 + (1/(254*254*254))*4/8 =~ 0.00000584, or 0.000584%.
>
> Which means 1 out of about 171,144 generated numbers will be a dupe. I
> don't know what the average scan rate of this thing is, but if we assume
> 300 threads at 10 seconds each average to either deliver payload or time
> out, that's 95 minutes between dupes average. My logs also bear out that
> dupes are common.
Don't forget the birthday paradox. If the odds of any two generated numbers being the same is 1/171,144, then there are better than 50/50 odds that you will find a duplicate in any selection of ~500 IP addresses generated by the propagating worm. Given 300 threads running, dupes from CRII should be very common.

-andy

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
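The birthday estimate in the message above, worked through as an added example that is not part of the original posts. It takes the 1-in-171,144 figure and the 300 threads at 10 seconds each from the thread; modelling the generated addresses as equally likely values is an assumption of this example, and the function names are illustrative.

```python
import random

# Figures from the thread; the equal-likelihood model is this example's assumption.
THREADS = 300          # scanning threads assumed in the quoted post
SECS_PER_PROBE = 10    # average seconds per probe assumed in the quoted post

def pair_probability():
    """Per-pair match probability exactly as written in the quoted post."""
    return (1 / (254 * 254)) * 3 / 8 + (1 / (254 * 254 * 254)) * 4 / 8

def collision_probability(n, p):
    """P(at least one duplicate in n draws) over 1/p equally likely values."""
    no_dupe = 1.0
    for k in range(n):
        no_dupe *= max(0.0, 1.0 - k * p)   # k values already taken
    return 1.0 - no_dupe

def draws_for(target, p):
    """Smallest number of draws whose duplicate probability reaches target."""
    n = 1
    while collision_probability(n, p) < target:
        n += 1
    return n

def seconds_for(n_probes):
    """Time for one host to emit n_probes at THREADS / SECS_PER_PROBE per second."""
    return n_probes / (THREADS / SECS_PER_PROBE)

def simulate_median(p, trials=2000, seed=1):
    """Monte Carlo cross-check: median draws until the first repeat."""
    rng = random.Random(seed)
    space = round(1 / p)
    counts = []
    for _ in range(trials):
        seen, v = set(), rng.randrange(space)
        while v not in seen:
            seen.add(v)
            v = rng.randrange(space)
        counts.append(len(seen) + 1)       # the repeating draw counts too
    return sorted(counts)[trials // 2]

if __name__ == "__main__":
    p = pair_probability()
    n50 = draws_for(0.5, p)
    print(f"per-pair odds: 1 in {1 / p:,.0f}")
    print(f"50% duplicate odds after {n50} draws, about {seconds_for(n50):.0f} s")
    print(f"simulated median draws to first repeat: {simulate_median(p)}")
```

Under these assumptions the 50% point falls just under the ~500 addresses quoted above, which a single host at the assumed rate generates in well under a minute.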