Security Incidents mailing list archives

Re: CRv2 multiple scans from same source IP


From: Bryan Andersen <bryan () visi com>
Date: Mon, 06 Aug 2001 14:33:04 -0500

corecode wrote:
it could generate the same ip address again in its PRNG but the chance
of this happening is near 0.

Sorry, but it IS generating the same IP addresses again and again.  
I suspect the random number generator combined with the class A and 
B masking is not making a nice uniform number spread.  Many IP 
addresses are hitting my web server multiple times, and there is a 
wide time spacing between many of the duplicate hits.  Some are 
right on top of each other, but others are spaced widely.

These are all the CodeRedII duplicate IP address visits.  They also 
account for 1/4 of all versions visits to my web server and better 
than 65% of the CodeRedII visits.  Notice how some of them are 
clustered closely in time while others are spaced widely.  All of 
these machines are within the same class A as my machine.  They 
account for 1/5 of the addresses that have scanned me from the 
class A I'm in.  Outside my class A I haven't seen a duplicate yet.

x.x.x.70 - - [05/Aug/2001:06:55:01 -0500]
x.x.x.70 - - [05/Aug/2001:17:13:49 -0500]

x.x.x.105 - - [06/Aug/2001:11:28:58 -0500]
x.x.x.105 - - [06/Aug/2001:11:28:58 -0500]
x.x.x.105 - - [06/Aug/2001:11:28:58 -0500]
x.x.x.105 - - [06/Aug/2001:11:29:02 -0500]
x.x.x.105 - - [06/Aug/2001:11:29:08 -0500]
x.x.x.105 - - [06/Aug/2001:11:29:08 -0500]
x.x.x.105 - - [06/Aug/2001:11:29:08 -0500]
x.x.x.105 - - [06/Aug/2001:11:29:08 -0500]
x.x.x.105 - - [06/Aug/2001:11:29:09 -0500]
x.x.x.105 - - [06/Aug/2001:11:29:09 -0500]
x.x.x.105 - - [06/Aug/2001:11:29:11 -0500]
x.x.x.105 - - [06/Aug/2001:11:29:12 -0500]
x.x.x.105 - - [06/Aug/2001:11:29:12 -0500]
x.x.x.105 - - [06/Aug/2001:11:29:13 -0500]
x.x.x.105 - - [06/Aug/2001:11:29:16 -0500]
x.x.x.105 - - [06/Aug/2001:11:29:16 -0500]
x.x.x.105 - - [06/Aug/2001:11:29:17 -0500]
x.x.x.105 - - [06/Aug/2001:11:29:30 -0500]
x.x.x.105 - - [06/Aug/2001:11:29:57 -0500]
x.x.x.105 - - [06/Aug/2001:11:29:57 -0500]
x.x.x.105 - - [06/Aug/2001:11:29:57 -0500]

x.x.x.232 - - [05/Aug/2001:19:39:54 -0500]
x.x.x.232 - - [05/Aug/2001:19:54:19 -0500]
x.x.x.232 - - [05/Aug/2001:22:31:52 -0500]
x.x.x.232 - - [06/Aug/2001:01:53:55 -0500]
x.x.x.232 - - [06/Aug/2001:02:22:11 -0500]
x.x.x.232 - - [06/Aug/2001:04:30:21 -0500]
x.x.x.232 - - [06/Aug/2001:05:20:01 -0500]
x.x.x.232 - - [06/Aug/2001:08:11:48 -0500]
 
x.x.x.34 - - [05/Aug/2001:20:04:00 -0500]
x.x.x.34 - - [05/Aug/2001:20:17:56 -0500]
x.x.x.34 - - [05/Aug/2001:21:14:12 -0500]
x.x.x.34 - - [05/Aug/2001:22:41:04 -0500]
 
x.x.x.204 - - [06/Aug/2001:06:06:05 -0500]
x.x.x.204 - - [06/Aug/2001:08:05:23 -0500]
x.x.x.204 - - [06/Aug/2001:08:19:10 -0500]
x.x.x.204 - - [06/Aug/2001:08:29:12 -0500]
x.x.x.204 - - [06/Aug/2001:08:29:58 -0500]
x.x.x.204 - - [06/Aug/2001:09:26:00 -0500]
x.x.x.204 - - [06/Aug/2001:11:29:49 -0500]
 
x.x.x.194 - - [06/Aug/2001:03:20:37 -0500]
x.x.x.194 - - [06/Aug/2001:03:20:39 -0500]
x.x.x.194 - - [06/Aug/2001:03:21:04 -0500]
x.x.x.194 - - [06/Aug/2001:03:21:25 -0500]
x.x.x.194 - - [06/Aug/2001:03:21:26 -0500]
x.x.x.194 - - [06/Aug/2001:03:21:40 -0500]
x.x.x.194 - - [06/Aug/2001:03:21:48 -0500]
x.x.x.194 - - [06/Aug/2001:03:21:50 -0500]
x.x.x.194 - - [06/Aug/2001:03:21:51 -0500]

-- 
|  Bryan Andersen   |   bryan () visi com   |   http://www.nerdvest.com   |
| Buzzwords are like annoying little flies that deserve to be swatted. |
|   -Bryan Andersen                                                    |

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
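
Added example, not part of the original message: a Python sketch of the repeat-visitor analysis the post does by hand, grouping access-log hits by source address and separating tight bursts from widely spaced revisits. It assumes the log has already been filtered to the worm's requests; the 60-second burst threshold, the function names and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the truncated access-log lines shown in the post: "<ip> - - [<timestamp>]"
LINE_RE = re.compile(r"^(\S+) \S+ \S+ \[([^\]]+)\]")

# Constructed sample; addresses are documentation ranges, not the poster's data.
SAMPLE = [
    "192.0.2.70 - - [05/Aug/2001:06:55:01 -0500]",
    "192.0.2.70 - - [05/Aug/2001:17:13:49 -0500]",
    "192.0.2.194 - - [06/Aug/2001:03:20:37 -0500]",
    "192.0.2.194 - - [06/Aug/2001:03:20:39 -0500]",
    "192.0.2.194 - - [06/Aug/2001:03:21:04 -0500]",
    "198.51.100.9 - - [06/Aug/2001:04:00:00 -0500]",
]

def hits_by_source(lines):
    """Map each source address to the list of timestamps it was seen at."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # blank or malformed lines are skipped
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            seen[m.group(1)].append(ts)
    return seen

def repeat_sources(lines, burst_seconds=60):
    """Per repeat source: hit count, number of bursts, and longest gap in seconds.

    A burst is a run of hits whose consecutive gaps are all <= burst_seconds
    (an assumed threshold), so bursts > 1 means the source came back later.
    """
    report = {}
    for ip, stamps in hits_by_source(lines).items():
        if len(stamps) < 2:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        bursts = 1 + sum(1 for g in gaps if g > burst_seconds)
        report[ip] = {"hits": len(stamps), "bursts": bursts, "max_gap": int(max(gaps))}
    return report

def repeat_shares(lines):
    """Return (share of hits from repeat sources, share of sources that repeat)."""
    seen = hits_by_source(lines)
    total = sum(len(s) for s in seen.values())
    if not total:
        return (0.0, 0.0)
    repeats = [s for s in seen.values() if len(s) > 1]
    return (sum(len(s) for s in repeats) / total, len(repeats) / len(seen))

if __name__ == "__main__":
    for ip, row in repeat_sources(SAMPLE).items():
        print(ip, row)
    print(repeat_shares(SAMPLE))
```
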

