Security Incidents mailing list archives

Scanning pattern


From: Stephen Friedl <friedl () mtndew com>
Date: Sun, 5 Aug 2001 01:00:38 -0700

I previously posted (and hope a moderator dropped) an incorrect analysis
of the rules for scanning in Code Red II. The target address is a blend
of the current IP address and a random number, with the random factor
being dependent on yet another random number. There appear to be eight
ways this can go:

1 out of 8: scan any IP address
4 out of 8: scan within the same class A (192.X.Y.Z)
3 out of 8: scan within the same class B (192.168.X.Y)

localhost, multicast, and the local IP are all ignored. Actual algorithm
on my web site.

Steve, who's tired, but not as tired as Ryan and Marc :-)

--- 
Stephen J Friedl | Software Consultant | Tustin, CA |   +1 714 544-6561
www.unixwiz.net  | I speak for me only |   KA8CMY   | steve () unixwiz net

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
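
An added detection sketch, not part of the original post and not the worm's actual algorithm: it checks whether one source's port-80 destinations follow the 3/4/1-in-8 locality mix described above, reading "class A" and "class B" as same first octet and same first two octets, as in the post's examples. The function names, the thresholds and the sample flow records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Expected share of probes per bucket, from the post's 3/4/1-in-8 breakdown.
EXPECTED = {"same_b": 3 / 8, "same_a": 4 / 8, "any": 1 / 8}

def bucket(src, dst):
    """Classify dst relative to src: same first two octets, same first octet, or other."""
    s, d = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    if s[:2] == d[:2]:
        return "same_b"
    return "same_a" if s[0] == d[0] else "any"

def locality_profile(src, dsts):
    """Count distinct destinations and their share per bucket.

    Loopback, multicast and the source itself are skipped, since the post
    says those are never probed.
    """
    uniq = {d for d in dsts if d != src
            and not ipaddress.IPv4Address(d).is_loopback
            and not ipaddress.IPv4Address(d).is_multicast}
    counts = dict.fromkeys(EXPECTED, 0)
    for d in uniq:
        counts[bucket(src, d)] += 1
    return len(uniq), {k: (v / len(uniq) if uniq else 0.0) for k, v in counts.items()}

def matches_pattern(src, dsts, min_targets=40, tolerance=0.10):
    """min_targets and tolerance are assumed tuning values, not taken from the post."""
    n, prof = locality_profile(src, dsts)
    return n >= min_targets and all(abs(prof[k] - EXPECTED[k]) <= tolerance for k in EXPECTED)

def flag_sources(flows):
    """Group (src, dst) port-80 flow records by source; return sources that match."""
    by_src = defaultdict(list)
    for src, dst in flows:
        by_src[src].append(dst)
    return sorted(s for s, dsts in by_src.items() if matches_pattern(s, dsts))

def constructed_flows():
    """Constructed sample flow records for TCP/80; not real traffic."""
    scanner, browser = "192.168.5.10", "192.168.5.20"
    flows = [(scanner, f"192.168.{i}.{i + 1}") for i in range(30)]   # same first two octets
    flows += [(scanner, f"192.{i}.7.9") for i in range(40)]          # same first octet only
    flows += [(scanner, f"{i + 10}.1.2.3") for i in range(10)]       # anywhere else
    flows += [(browser, f"{i + 20}.4.5.6") for i in range(50)]       # ordinary outbound web use
    return flows

if __name__ == "__main__":
    print(flag_sources(constructed_flows()))
```

Probes in the same-first-octet case occasionally land in the source's own /16 by chance, which shifts the observed shares slightly; the tolerance absorbs that.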

