[Dshield] dshield reports
jsage at finchhaven.com
Sun Jun 23 17:31:59 GMT 2002
On Sun, Jun 23, 2002 at 11:42:25AM -0400, Lauro, John wrote:
> -----Original Message-----
> From: John Sage [mailto:jsage at finchhaven.com]
> Sent: Sunday, June 23, 2002 1:26 AM
> To: list at dshield.org
> Subject: Re: [Dshield] dshield reports
> In summary:
> > Source Sources Targets Reports
> > 141/8 7682 231768 303834
> > 141/210/16 68 275 572
> > 141.210.181/24 1 64276 120344
> I understand what the / notation means... Are you saying the /16 is
> some sort of average, and the /24 a total? It's not the number of
> sources I was wondering about, but the low mumbers for the targets and
> reports for /16 compared to the more specific /24...
Let's see: what did I mean :-/
They're _all_ totals.
What I meant was that as one moves from /8 to /16 to /24 using CIDR
notation the greatest number of probing hosts becomes smaller and
So that if you're looking at 184.108.40.206/8 you're talking about 16
million possible hosts; if you're looking at 220.127.116.11/24, you're only
going to see at most probes from a maximum of 254 hosts.
Thus it's expected that as you move from /8 to /16 to /24, the
quantities of source IP's must become fewer.
Having said all that, I see what you're talking about, I think.
One would expect a rather coherent progression from the targets shown
for any given /8 down to the quantity shown for the /16 down to the
quantity shown for the /24...
And we're not.
We're seeing a great drop in targets at the /16 and then, somehow, a
spike for one specific /24, which should only be a small part of the
possible /24's contained in the /16
Is that it?
I don't have a clue as to what's going on here...
"You are in a different maze of little passages, all twisty."
PGP key http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
More information about the list