Re: CRv2 multiple scans from same source IP

From: Ryan Russell (ryanat_private)
Date: Mon Aug 06 2001 - 12:23:13 PDT


    On Mon, 6 Aug 2001, corecode wrote:
    
    > it could generate the same ip address again in its PRNG but the chance
    > of this happening is near 0.
    
    You're saying that the chance it will try a duplicate IP again later is 0?
    Not quite 0...
    
    (1/(254*254))*3/8 + (1/(254*254*254))*4/8 =~ 0.00000584, or 0.000584%.
    Which means 1 out of about 171,144 generated numbers will be a dupe.  I
    don't know what the average scan rate of this thing is, but if we assume
    300 threads at 10 seconds each average to either deliver payload or time
    out,  that's 95 minutes between dupes average.
    
    My logs also bear out that dupes are common.
    
    					Ryan
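Added example, not part of the original post: the estimate above reproduced with exact fractions and extended to show how the repeat rate depends on where the logging host sits relative to the infected source. It assumes the formula is the per-probe chance of regenerating one particular address, with 3/8 of probes confined to the source's /16 and 4/8 to its /8; the function names and the 10.x addresses are constructed for illustration.

```python
from fractions import Fraction
from ipaddress import IPv4Address

OCTET = 254  # values per random octet, as used in the post's formula
# Assumed weights read off the post's formula: 3/8 of probes stay in the
# source's /16 and 4/8 in its /8. Any remaining share is ignored, as in the post.
W_SAME16, W_SAME8 = Fraction(3, 8), Fraction(4, 8)

def per_probe_hit(source: str, target: str) -> Fraction:
    """Chance that one address generated by `source` equals `target`."""
    s, t = IPv4Address(source).packed, IPv4Address(target).packed
    p = Fraction(0)
    if s[0] == t[0]:
        p += W_SAME8 / OCTET**3        # three random octets must all match
        if s[1] == t[1]:
            p += W_SAME16 / OCTET**2   # two random octets must both match
    return p

def probes_per_second(threads: int, seconds_per_probe: int) -> Fraction:
    """Scan rate if every thread finishes one probe per `seconds_per_probe`."""
    return Fraction(threads, seconds_per_probe)

def mean_minutes_between_repeats(p: Fraction, rate: Fraction) -> float:
    """Average gap between repeat probes of one target, in minutes."""
    if p == 0:
        return float("inf")            # never hit under this model
    return float(1 / (p * rate) / 60)

def chance_of_repeat_within(p: Fraction, rate: Fraction, hours: int) -> float:
    """Probability of at least one repeat probe inside the time window."""
    probes = int(rate * 3600 * hours)
    return 1 - (1 - float(p)) ** probes

if __name__ == "__main__":
    rate = probes_per_second(300, 10)  # the post's assumption: 30 probes/s
    source = "10.1.2.3"                # constructed infected host
    for label, target in [("same /16", "10.1.200.9"),
                          ("same /8 only", "10.9.0.1"),
                          ("different /8", "11.1.2.3")]:
        p = per_probe_hit(source, target)
        print(f"{label:13} p={float(p):.3e} "
              f"mean gap={mean_minutes_between_repeats(p, rate):.1f} min "
              f"P(repeat in 1h)={chance_of_repeat_within(p, rate, 1):.3f}")
```

Under these assumptions a logging host in the source's own /16 sees a repeat about every 95 minutes, while one that shares only the /8 waits on the order of days.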
    
    
    


