Security Incidents mailing list archives
Re: CRv2 multiple scans from same source IP
From: Bryan Andersen <bryan () visi com>
Date: Mon, 06 Aug 2001 14:33:04 -0500
corecode wrote:
> it could generate the same ip address again in its PRNG but the chance of this happening is near 0.
Sorry, but it IS generating the same IP addresses again and again. I suspect the random number generator combined with the class A and B masking is not making a nice uniform number spread. Many IP addresses are hitting my web server multiple times, and there is a wide time spacing between many of the duplicate hits. Some are right on top of each other, but others are spaced widely.

These are all the CodeRedII duplicate IP address visits. They also account for 1/4 of all versions visits to my web server and better than 65% of the CodeRedII visits. Notice how some of them are clustered closely in time while others are spaced widely. All of these machines are within the same class A as my machine. They account for 1/5 of the addresses that have scanned me from the class A I'm in. Outside my class A I haven't seen a duplicate yet.

x.x.x.70 - - [05/Aug/2001:06:55:01 -0500]
x.x.x.70 - - [05/Aug/2001:17:13:49 -0500]
x.x.x.105 - - [06/Aug/2001:11:28:58 -0500]
x.x.x.105 - - [06/Aug/2001:11:28:58 -0500]
x.x.x.105 - - [06/Aug/2001:11:28:58 -0500]
x.x.x.105 - - [06/Aug/2001:11:29:02 -0500]
x.x.x.105 - - [06/Aug/2001:11:29:08 -0500]
x.x.x.105 - - [06/Aug/2001:11:29:08 -0500]
x.x.x.105 - - [06/Aug/2001:11:29:08 -0500]
x.x.x.105 - - [06/Aug/2001:11:29:08 -0500]
x.x.x.105 - - [06/Aug/2001:11:29:09 -0500]
x.x.x.105 - - [06/Aug/2001:11:29:09 -0500]
x.x.x.105 - - [06/Aug/2001:11:29:11 -0500]
x.x.x.105 - - [06/Aug/2001:11:29:12 -0500]
x.x.x.105 - - [06/Aug/2001:11:29:12 -0500]
x.x.x.105 - - [06/Aug/2001:11:29:13 -0500]
x.x.x.105 - - [06/Aug/2001:11:29:16 -0500]
x.x.x.105 - - [06/Aug/2001:11:29:16 -0500]
x.x.x.105 - - [06/Aug/2001:11:29:17 -0500]
x.x.x.105 - - [06/Aug/2001:11:29:30 -0500]
x.x.x.105 - - [06/Aug/2001:11:29:57 -0500]
x.x.x.105 - - [06/Aug/2001:11:29:57 -0500]
x.x.x.105 - - [06/Aug/2001:11:29:57 -0500]
x.x.x.232 - - [05/Aug/2001:19:39:54 -0500]
x.x.x.232 - - [05/Aug/2001:19:54:19 -0500]
x.x.x.232 - - [05/Aug/2001:22:31:52 -0500]
x.x.x.232 - - [06/Aug/2001:01:53:55 -0500]
x.x.x.232 - - [06/Aug/2001:02:22:11 -0500]
x.x.x.232 - - [06/Aug/2001:04:30:21 -0500]
x.x.x.232 - - [06/Aug/2001:05:20:01 -0500]
x.x.x.232 - - [06/Aug/2001:08:11:48 -0500]
x.x.x.34 - - [05/Aug/2001:20:04:00 -0500]
x.x.x.34 - - [05/Aug/2001:20:17:56 -0500]
x.x.x.34 - - [05/Aug/2001:21:14:12 -0500]
x.x.x.34 - - [05/Aug/2001:22:41:04 -0500]
x.x.x.204 - - [06/Aug/2001:06:06:05 -0500]
x.x.x.204 - - [06/Aug/2001:08:05:23 -0500]
x.x.x.204 - - [06/Aug/2001:08:19:10 -0500]
x.x.x.204 - - [06/Aug/2001:08:29:12 -0500]
x.x.x.204 - - [06/Aug/2001:08:29:58 -0500]
x.x.x.204 - - [06/Aug/2001:09:26:00 -0500]
x.x.x.204 - - [06/Aug/2001:11:29:49 -0500]
x.x.x.194 - - [06/Aug/2001:03:20:37 -0500]
x.x.x.194 - - [06/Aug/2001:03:20:39 -0500]
x.x.x.194 - - [06/Aug/2001:03:21:04 -0500]
x.x.x.194 - - [06/Aug/2001:03:21:25 -0500]
x.x.x.194 - - [06/Aug/2001:03:21:26 -0500]
x.x.x.194 - - [06/Aug/2001:03:21:40 -0500]
x.x.x.194 - - [06/Aug/2001:03:21:48 -0500]
x.x.x.194 - - [06/Aug/2001:03:21:50 -0500]
x.x.x.194 - - [06/Aug/2001:03:21:51 -0500]

--
| Bryan Andersen | bryan () visi com | http://www.nerdvest.com |
| Buzzwords are like annoying little flies that deserve to be swatted. |
| -Bryan Andersen |
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
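
The tally described in the message above (which sources return, how tightly their hits cluster, and whether they share the server's class A) can be scripted; this is an added example, not part of the original post. The log lines and addresses are constructed, and the server address, the 300-second burst cut-off and the names `summarize` and `repeat_share` are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: source address and timestamp in the same layout as the
# lines in the message; the addresses are made up for this example.
SAMPLE_LOG = """\
10.1.2.70 - - [05/Aug/2001:06:55:01 -0500]
10.1.2.70 - - [05/Aug/2001:17:13:49 -0500]
10.9.8.105 - - [06/Aug/2001:11:28:58 -0500]
10.9.8.105 - - [06/Aug/2001:11:29:02 -0500]
10.9.8.105 - - [06/Aug/2001:11:29:08 -0500]
10.44.0.232 - - [05/Aug/2001:19:39:54 -0500]
10.44.0.232 - - [05/Aug/2001:19:54:19 -0500]
10.44.0.232 - - [05/Aug/2001:22:31:52 -0500]
192.0.2.17 - - [06/Aug/2001:02:10:00 -0500]
203.0.113.5 - - [06/Aug/2001:09:45:30 -0500]
"""

LINE = re.compile(r"^(\d+\.\d+\.\d+\.\d+) \S+ \S+ \[([^\]]+)\]")
BURST_SECONDS = 300  # assumed cut-off: "on top of each other" vs "spaced widely"

def summarize(log_text, server_ip):
    """Per source: hit count, burst and wide gap counts, same class A as server."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:  # lines that do not look like access-log entries are skipped
            hits[m.group(1)].append(datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z"))
    server_a = server_ip.split(".")[0]
    out = {}
    for ip, times in hits.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        out[ip] = {
            "hits": len(times),
            "burst_gaps": sum(g <= BURST_SECONDS for g in gaps),
            "wide_gaps": sum(g > BURST_SECONDS for g in gaps),
            "same_a": ip.split(".")[0] == server_a,  # class A = first octet
        }
    return out

def repeat_share(summary):
    """Fraction of all hits that came from sources seen more than once."""
    total = sum(s["hits"] for s in summary.values())
    repeats = sum(s["hits"] for s in summary.values() if s["hits"] > 1)
    return repeats / total if total else 0.0
```

Run over a full access log that has already been filtered to the worm's requests, the per-source counts separate a host that retried within seconds from one that came back hours later.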