Intrusion Detection Systems mailing list archives
Determining when something is NOT random
From: Lance Spitzner <lance () spitzner net>
Date: Sun, 23 Jul 2000 23:12:55 -0500 (CDT)
Are there any tools/techniques for determining when something is NOT random? For example, I have a system that was hit with ICMP_ECHO packets from 47 systems within two hours. Based on the packets, I can determine that the same tool was used to generate them. What I want to determine is if the 47 source systems were randomly generated by the tool (as often done by Syn Flooding tools) or if the 47 systems involved were not randomly generated. If the 47 Src systems were NOT randomly generated, this may indicate that all 47 systems are actual systems used in the 'attack'.

Any tool that can take a list of IP addresses and determine if they are random or not?

Thanks!

Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
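One way to approach the question, as an added example that is not part of the original message or of any tool it mentions: compare the source list against the model of a tool that draws each source uniformly from the whole 32-bit address space. The uniform model, the function names, the 0.01 significance level and the assumption that the target is Internet-facing are choices made for this illustration.

```python
import ipaddress
from math import comb

# First octets no Internet host legitimately sends from: 0/8, 10/8 (RFC 1918),
# 127/8 (loopback), 224/4 (multicast), 240/4 (reserved). 35 of 256 values.
# Assumes the target is Internet-facing, so private sources are not expected.
UNUSABLE = {0, 10, 127} | set(range(224, 256))
P_UNUSABLE = len(UNUSABLE) / 256
ALPHA = 0.01
CHI2_CRIT = 53.49  # chi-square critical value for 32 degrees of freedom at ALPHA


def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))


def assess(addresses):
    """Compare dotted-quad source addresses with the uniform 32-bit model."""
    ips = [int(ipaddress.IPv4Address(a)) for a in addresses]
    n = len(ips)
    if n == 0:
        raise ValueError("need at least one address")
    # Test 1: uniform draws land in unusable space about 13.7% of the time,
    # so a list with far fewer such sources than expected is suspicious.
    unusable = sum((ip >> 24) in UNUSABLE for ip in ips)
    p_few = binom_cdf(unusable, n, P_UNUSABLE)
    # Test 2: under the model each of the 32 bits is set in about n/2
    # addresses; sum the squared deviations, scaled by the variance n/4.
    chi2 = sum((sum((ip >> b) & 1 for ip in ips) - n / 2) ** 2 / (n / 4)
               for b in range(32))
    return {
        "n": n,
        "unusable": unusable,
        "p_few_unusable": p_few,
        "bit_chi2": chi2,
        "distinct_slash16": len({ip >> 16 for ip in ips}),  # context only
        "fits_uniform_model": p_few >= ALPHA and chi2 <= CHI2_CRIT,
    }


if __name__ == "__main__":
    # Constructed sample: 47 sources inside the 192.0.2.0/24 documentation range.
    clustered = [f"192.0.2.{i}" for i in range(1, 48)]
    for key, value in assess(clustered).items():
        print(f"{key}: {value}")
```

A list that fails either test is unlikely to have come from a uniform generator; a list that passes is only consistent with one, since a tool that draws from routable space alone, or a set of real hosts spread evenly across the address space, would also pass.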
