Security Incidents mailing list archives

Re: CRv2 multiple scans from same source IP


From: Ryan Russell <ryan () securityfocus com>
Date: Mon, 6 Aug 2001 13:23:13 -0600 (MDT)

On Mon, 6 Aug 2001, corecode wrote:

> it could generate the same ip address again in its PRNG but the chance
> of this happening is near 0.

You're saying that the chance it will try a duplicate IP again later is 0?
Not quite 0...

(1/(254*254))*3/8 + (1/(254*254*254))*4/8 =~ 0.00000584, or 0.000584%.
Which means 1 out of about 171,144 generated numbers will be a dupe.  I
don't know what the average scan rate of this thing is, but if we assume
300 threads at 10 seconds each average to either deliver payload or time
out, that's 95 minutes between dupes average.

My logs also bear out that dupes are common.

                                        Ryan

