>On Mon, 6 Aug 2001, corecode wrote:
>
>> it could generate the same ip address again in its PRNG but the chance
>> of this happening is near 0.
>
>You're saying that the chance it will try a duplicate IP again later is 0?
>Not quite 0...
>
>(1/(254*254))*3/8 + (1/(254*254*254))*4/8 =~ 0.00000584, or 0.000584%.
>Which means 1 out of about 171,144 generated numbers will be a dupe. I
>don't know what the average scan rate of this thing is, but if we assume
>300 threads at 10 seconds each average to either deliver payload or time
>out, that's 95 minutes between dupes average.
>
>My logs also bear out that dupes are common.

Don't forget the birthday paradox. If the odds of any two generated numbers being the same is 1/171,144, then there are better than 50/50 odds that you will find a duplicate in any selection of ~500 IP addresses generated by the propagating worm. Given 300 threads running, dupes from CRII should be very common.

-andy
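The birthday estimate in the reply above, worked through as an added example that is not part of the original post. It takes the thread's 1/171,144 figure and the 300 threads at 10 seconds each as given, and models the generated addresses as uniform draws from an equivalent space of 171,144 values; that model and all function names are assumptions of this sketch.

```python
import math
import random

# Figures from the thread. Treating the quoted figure as the chance that two
# generated addresses match, over a uniform space, is this sketch's assumption.
P_PAIR = (1 / 254**2) * 3 / 8 + (1 / 254**3) * 4 / 8   # ~1/171,144
SPACE = round(1 / P_PAIR)        # equivalent uniform address space
RATE = 300 / 10                  # addresses/second: 300 threads, 10 s each


def p_duplicate(n, space=SPACE):
    """Exact chance that n uniform draws from `space` contain a repeat."""
    log_unique = sum(math.log1p(-i / space) for i in range(n))
    return 1.0 - math.exp(log_unique)


def draws_for(target=0.5, space=SPACE):
    """Smallest number of draws whose duplicate chance reaches `target`."""
    n = 1
    while p_duplicate(n, space) < target:
        n += 1
    return n


def simulate(n, trials=2000, space=SPACE, seed=1):
    """Monte Carlo check: fraction of trials with a repeat among n draws."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        seen = set()
        for _ in range(n):
            addr = rng.randrange(space)
            if addr in seen:
                hits += 1
                break
            seen.add(addr)
    return hits / trials


if __name__ == "__main__":
    n50 = draws_for(0.5)
    print(f"equivalent space: {SPACE} addresses")
    print(f"50% duplicate chance after {n50} addresses "
          f"(~{n50 / RATE:.0f} s of scanning at {RATE:.0f} addr/s)")
    print(f"P(dupe in 500): exact={p_duplicate(500):.3f} "
          f"simulated={simulate(500):.3f}")
    print(f"wait for one specific address to repeat: "
          f"{SPACE / RATE / 60:.0f} min")
```

The two time figures answer different questions: about 95 minutes is the expected wait for one particular address to come up again, while some pair of addresses in a host's output is likely to match within the first few hundred probes.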
This archive was generated by hypermail 2b30 : Mon Aug 06 2001 - 14:28:06 PDT