Re: CRv2 multiple scans from same source IP
From: Andy Berkheimer (andy@tho.org)
Date: 08/06/01
- Previous message: rl: "Symantec Report"
- In reply to: Ryan Russell: "Re: CRv2 multiple scans from same source IP"
- Next in thread: corecode: "Re: CRv2 multiple scans from same source IP"
- Next in thread: Bryan Andersen: "Re: CRv2 multiple scans from same source IP"
- Reply: corecode: "Re: CRv2 multiple scans from same source IP"
Message-Id: <200108062051.f76Kprc16964@bombshell.tho.org>
To: Ryan Russell <ryan@securityfocus.com>
Subject: Re: CRv2 multiple scans from same source IP
From: Andy Berkheimer <andy@tho.org>
Date: Mon, 06 Aug 2001 16:51:52 -0400

>On Mon, 6 Aug 2001, corecode wrote:
>
>> it could generate the same ip address again in its PRNG but the chance
>> of this happening is near 0.
>
>You're saying that the chance it will try a duplicate IP again later is 0?
>Not quite 0...
>
>(1/(254*254))*3/8 + (1/(254*254*254))*4/8 =~ 0.00000584, or 0.000584%.
>Which means 1 out of about 171,144 generated numbers will be a dupe. I
>don't know what the average scan rate of this thing is, but if we assume
>300 threads at 10 seconds each average to either deliver payload or time
>out, that's 95 minutes between dupes average.
>
>My logs also bear out that dupes are common.
Don't forget the birthday paradox.
If the odds of any two generated numbers being the same is 1/171,144,
then there are better than 50/50 odds that you will find a duplicate
in any selection of ~500 IP addresses generated by the propagating worm.
Given 300 threads running, dupes from CRII should be very common.
-andy
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
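
The birthday-paradox estimate from the message above, worked through as an added example (not part of the original post). It assumes generated addresses can be modelled as uniform draws from 1/p values, with p taken from the quoted formula and the 300 threads / 10 seconds figure taken from the quoted scan-rate assumption; all function names are illustrative.

```python
import random

# Chance that one generated address equals a given earlier one, using the
# formula from the quoted message (about 1 in 171,144).
P_MATCH = (1 / (254 * 254)) * 3 / 8 + (1 / (254 * 254 * 254)) * 4 / 8


def p_duplicate(n, p=P_MATCH):
    """Probability that n generated addresses contain at least one repeat.

    Assumption: addresses are modelled as uniform draws from 1/p values.
    """
    no_dupe = 1.0
    for k in range(1, n):
        no_dupe *= max(0.0, 1.0 - k * p)  # draw k+1 must miss the k earlier ones
    return 1.0 - no_dupe


def draws_for_odds(target=0.5, p=P_MATCH):
    """Smallest number of generated addresses whose repeat odds reach target."""
    no_dupe, n = 1.0, 1
    while 1.0 - no_dupe < target:
        no_dupe *= 1.0 - n * p  # extend the no-repeat product to n+1 draws
        n += 1
    return n


def simulate(n, trials=2000, p=P_MATCH, seed=1):
    """Monte Carlo check of p_duplicate under the same uniform assumption."""
    rng = random.Random(seed)
    space = round(1 / p)
    hits = 0
    for _ in range(trials):
        draws = [rng.randrange(space) for _ in range(n)]
        hits += len(set(draws)) < n  # True when some address repeated
    return hits / trials


def seconds_to_even_odds(threads=300, seconds_per_probe=10):
    """Time to generate that many addresses at the quoted scan-rate assumption."""
    return draws_for_odds(0.5) / (threads / seconds_per_probe)


if __name__ == "__main__":
    print(f"1/p = {1 / P_MATCH:,.0f}")
    print(f"P(dupe in 500) = {p_duplicate(500):.3f}, simulated {simulate(500):.3f}")
    print(f"even odds at n = {draws_for_odds()}, ~{seconds_to_even_odds():.0f} s")
```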