[55285] in North American Network Operators' Group
Re: management interface accessability (was Re: Worm / UDP1434)
daemon@ATHENA.MIT.EDU (Chris Lloyd)
Sun Jan 26 14:07:25 2003
Date: Sun, 26 Jan 2003 19:06:50 +0000
From: Chris Lloyd <strawberry@toth.org.uk>
To: NANOG <nanog@merit.edu>
In-Reply-To: <Pine.LNX.4.21.0301261849340.24711-100000@MrServer>; from steve@telecomplete.co.uk on Sun, Jan 26, 2003 at 06:50:36PM +0000
Errors-To: owner-nanog-outgoing@merit.edu

On Sun, Jan 26, 2003 at 06:50:36PM +0000, Stephen J. Wilcox wrote:
> My observation was that the target IPs are not random and that local IPs were
> hit more often (same /16 more than /8 more than all /0) .. a la Codered.

The worm calls GetTickCount to get a pseudorandom seed, and always uses that
seed to create random addresses. It's possible the random address generator
isn't very good and creates addresses that are too similar.

Check out
http://www.eeye.com/html/Research/Flash/AL20030125.html

- Chris
--
strawberry@toth.org.uk
http://www.toth.org.uk/~strawberry
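
The locality claim quoted above (same /16 more than /8 more than /0) can be checked against flow records by comparing observed target prefixes with what uniformly random targeting would produce. The following is an added example, not part of either post; the flow pairs are constructed and the function names are hypothetical.

```python
import ipaddress
from collections import Counter
from math import comb

# Constructed sample: (infected source, scanned destination) pairs as they
# might be extracted from egress flow records for UDP/1434.
SAMPLE_FLOWS = [
    ("10.1.2.3", "10.1.200.5"),
    ("10.1.2.3", "10.1.7.9"),
    ("10.1.2.3", "10.1.2.250"),
    ("10.1.2.3", "10.77.3.4"),
    ("10.1.2.3", "198.51.100.7"),
    ("10.1.2.3", "203.0.113.9"),
    ("10.1.2.3", "172.16.5.5"),
    ("10.1.2.3", "192.0.2.44"),
]

# Probability that a uniformly random IPv4 target lands in each class.
UNIFORM = {16: 2**-16, 8: 2**-8 - 2**-16, 0: 1 - 2**-8}

def shared_prefix_class(src, dst):
    """Longest of /16, /8, /0 shared by src and dst (returns 16, 8 or 0)."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    if s >> 16 == d >> 16:
        return 16
    if s >> 24 == d >> 24:
        return 8
    return 0

def binom_tail(n, k, p):
    """P(X >= k) for X ~ Binomial(n, p), summed directly to avoid cancellation."""
    return sum(comb(n, i) * p**i * (1 - p)**(n - i) for i in range(k, n + 1))

def locality_report(flows):
    """Per class: hit count, observed/uniform ratio, and chance under uniform."""
    counts = Counter(shared_prefix_class(s, d) for s, d in flows)
    n = len(flows)
    return {
        cls: {
            "count": counts[cls],
            "ratio": (counts[cls] / n) / UNIFORM[cls],
            "p_uniform": binom_tail(n, counts[cls], UNIFORM[cls]),
        }
        for cls in (16, 8, 0)
    }

if __name__ == "__main__":
    for cls, row in locality_report(SAMPLE_FLOWS).items():
        print(f"/{cls}: {row}")
```

The comparison is only meaningful on flows captured at the infected host's egress; a sensor on a destination network sees only targets inside its own prefixes and will show apparent locality regardless of how the addresses were generated.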