[Dshield] Suggestion to take the ISC Storm Alert to "Orange"

Jeff Kell jeff-kell at utc.edu
Wed Aug 17 01:42:52 GMT 2005


Kevin wrote:
> On 8/15/05, womber <womber at gmail.com> wrote:
> 
>>How is this determining what IP ranges to scan?
>>Just from what I have seen hitting my personal firewall on verizon
>>dsl, is that most machines are verizon IP's, very few outside their
>>range yet.
>>I am wondering if the spread to different ranges is pretty slow due to
>>the algorithm it is using?
> 
> I have similar questions, and would like to see an analysis of the most
> common variants, or just the random number generators in each.

Most scanners these days stick to the infected host's /16, or at least /8 range, in hopes of whacking internal networks once they get a foot in the door.  The source IPs of ratware traffic I receive generally cluster around the target's /16 or /8, hardly a coincidence.

If they are random but not tuned, you'll get hits directed to bogon addresses (and/or sourced from them if spoofing), and if they try multicast (like Slammer did) they attract attention pretty quickly if you support multicast routing :-)

Jeff
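To make the locality point above measurable from a defender's own logs, here is an added example (not from the original post): it buckets scan hits by whether the destination shares the source's /16 or /8, or lands on a multicast or bogon address that only an untuned random generator would pick. The bogon list and the sample hits are constructed assumptions for the example.

```python
import ipaddress
from collections import Counter

# Unroutable/special destinations a random, untuned scanner would hit. This short
# list is an assumption for the example; use a maintained bogon feed in production.
MULTICAST = ipaddress.ip_network("224.0.0.0/4")
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "240.0.0.0/4",
)]

def classify(src: str, dst: str) -> str:
    """Label one scan hit by how 'local' the destination is to the source."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if d in MULTICAST:
        return "multicast"
    if any(d in net for net in BOGONS):
        return "bogon"
    if d in ipaddress.ip_network(f"{s}/16", strict=False):
        return "same_16"
    if d in ipaddress.ip_network(f"{s}/8", strict=False):
        return "same_8"
    return "other"

def locality_summary(hits):
    """Count labels over (src, dst) pairs. A dominant same_16/same_8 share points
    to a locality-biased scanner; bogon/multicast hits point to a random one."""
    return Counter(classify(s, d) for s, d in hits)

# Constructed sample hits (src, dst), as parsed from a firewall log.
SAMPLE_HITS = [
    ("198.51.100.5", "198.51.7.9"),     # same /16 as source
    ("198.51.100.5", "198.51.200.1"),   # same /16 as source
    ("198.51.100.5", "198.200.4.3"),    # same /8 only
    ("198.51.100.5", "203.0.113.44"),   # outside the source's /8
    ("198.51.100.5", "224.0.0.9"),      # multicast destination
    ("198.51.100.5", "0.1.2.3"),        # bogon (0.0.0.0/8)
    ("198.51.100.5", "240.1.1.1"),      # bogon (reserved 240/4)
]

if __name__ == "__main__":
    for label, n in sorted(locality_summary(SAMPLE_HITS).items()):
        print(f"{label:10s} {n}")
```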
