corecode wrote: > it could generate the same ip address again in it's PRNG but the chance > this happening is near 0. Sorry, but it IS generating the same IP addresses again and again. I suspect the random number generator combined with the class A and B masking is not making a nice uniform number speread. Many IP addresses are hitting my web server multiple times, and there is a wide time spacing between many of the duplicate hits. Some are right on top of each other, but others are spaced widely. These are all the CodeRedII duplicate IP address visits. They also account for 1/4 of all versions visits to my web server and better than 65% of the CodeRedII visits. Notice how some of them are clustered closely in time while others are spaced widely. All of these machines are within the same class A as my machine. They account for 1/5 of the addresses that have scanned me from the class A I'm in. Outside my class A I haven't seen a duplicate yet. x.x.x.70 - - [05/Aug/2001:06:55:01 -0500] x.x.x.70 - - [05/Aug/2001:17:13:49 -0500] x.x.x.105 - - [06/Aug/2001:11:28:58 -0500] x.x.x.105 - - [06/Aug/2001:11:28:58 -0500] x.x.x.105 - - [06/Aug/2001:11:28:58 -0500] x.x.x.105 - - [06/Aug/2001:11:29:02 -0500] x.x.x.105 - - [06/Aug/2001:11:29:08 -0500] x.x.x.105 - - [06/Aug/2001:11:29:08 -0500] x.x.x.105 - - [06/Aug/2001:11:29:08 -0500] x.x.x.105 - - [06/Aug/2001:11:29:08 -0500] x.x.x.105 - - [06/Aug/2001:11:29:09 -0500] x.x.x.105 - - [06/Aug/2001:11:29:09 -0500] x.x.x.105 - - [06/Aug/2001:11:29:11 -0500] x.x.x.105 - - [06/Aug/2001:11:29:12 -0500] x.x.x.105 - - [06/Aug/2001:11:29:12 -0500] x.x.x.105 - - [06/Aug/2001:11:29:13 -0500] x.x.x.105 - - [06/Aug/2001:11:29:16 -0500] x.x.x.105 - - [06/Aug/2001:11:29:16 -0500] x.x.x.105 - - [06/Aug/2001:11:29:17 -0500] x.x.x.105 - - [06/Aug/2001:11:29:30 -0500] x.x.x.105 - - [06/Aug/2001:11:29:57 -0500] x.x.x.105 - - [06/Aug/2001:11:29:57 -0500] x.x.x.105 - - [06/Aug/2001:11:29:57 -0500] x.x.x.232 - - [05/Aug/2001:19:39:54 -0500] x.x.x.232 - - [05/Aug/2001:19:54:19 -0500] x.x.x.232 - - [05/Aug/2001:22:31:52 -0500] x.x.x.232 - - [06/Aug/2001:01:53:55 -0500] x.x.x.232 - - [06/Aug/2001:02:22:11 -0500] x.x.x.232 - - [06/Aug/2001:04:30:21 -0500] x.x.x.232 - - [06/Aug/2001:05:20:01 -0500] x.x.x.232 - - [06/Aug/2001:08:11:48 -0500] x.x.x.34 - - [05/Aug/2001:20:04:00 -0500] x.x.x.34 - - [05/Aug/2001:20:17:56 -0500] x.x.x.34 - - [05/Aug/2001:21:14:12 -0500] x.x.x.34 - - [05/Aug/2001:22:41:04 -0500] x.x.x.204 - - [06/Aug/2001:06:06:05 -0500] x.x.x.204 - - [06/Aug/2001:08:05:23 -0500] x.x.x.204 - - [06/Aug/2001:08:19:10 -0500] x.x.x.204 - - [06/Aug/2001:08:29:12 -0500] x.x.x.204 - - [06/Aug/2001:08:29:58 -0500] x.x.x.204 - - [06/Aug/2001:09:26:00 -0500] x.x.x.204 - - [06/Aug/2001:11:29:49 -0500] x.x.x.194 - - [06/Aug/2001:03:20:37 -0500] x.x.x.194 - - [06/Aug/2001:03:20:39 -0500] x.x.x.194 - - [06/Aug/2001:03:21:04 -0500] x.x.x.194 - - [06/Aug/2001:03:21:25 -0500] x.x.x.194 - - [06/Aug/2001:03:21:26 -0500] x.x.x.194 - - [06/Aug/2001:03:21:40 -0500] x.x.x.194 - - [06/Aug/2001:03:21:48 -0500] x.x.x.194 - - [06/Aug/2001:03:21:50 -0500] x.x.x.194 - - [06/Aug/2001:03:21:51 -0500] -- | Bryan Andersen | bryanat_private | http://www.nerdvest.com | | Buzzwords are like annoying little flies that deserve to be swatted. | | -Bryan Andersen | ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Aug 06 2001 - 13:23:12 PDT