stephen at sprunk.org
Wed May 30 23:39:23 UTC 2007
Thus spake "Donald Stahl" <don at calis.blacksun.org>
> I'm not sure I understand what you are saying- if you number
> based on hardware addresses then I have no idea what you
> mean by "address ranges." The hosts you are trying to
> compromise could be anywhere in the subnet- that's the 3500
> years I was referring to above. That's 3500 years to scan a
> single /64 subnet- not the entire Internet- not even a tiny little
> fraction of it.
If people use stateless autoconfig, you know what 16 of the bits are, and
you can guess 24 of them from a relatively small set. If you're writing a
worm that targets residential Wintel users, just scan the OUIs from Dell,
HP, etc. Throw in Lenovo if you want to go after business folks. Looking
at it another way, you can toss out OUIs from vendors whose gear you know
your worm _doesn't_ work on (e.g. Apple, embedded manufacturers, etc.) or
only include OUIs for vendors you want to make look bad (e.g. Dell might
write a worm that only probes HP machines).
(This is also mentioned in the draft Dale referenced, but I came up with it
independently in a few seconds, so I think it falls in the "obvious"
category for someone with the sk1llz needed to write a worm.)
Stephen Sprunk
CCIE #3723
K5SSS

"Those people who think they know everything are a great annoyance to those of us who do." --Isaac Asimov
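An added illustration of the search-space argument above, written from an audit standpoint and not code from the thread: it recognises SLAAC addresses whose interface identifier embeds a MAC (the fixed ff:fe bytes are the 16 known bits, the OUI the 24 guessable ones) and counts the bits that remain per vendor OUI. The sample addresses are constructed; hosts using privacy extensions (RFC 4941) randomise the identifier and are not flagged.

```python
import ipaddress
import math

# Constructed sample addresses (not from the original thread): one
# EUI-64/SLAAC address embedding a MAC, one with a randomised IID.
SAMPLE_ADDRS = [
    "2001:db8::2e0:81ff:fe2b:3c4d",   # MAC 00:e0:81:2b:3c:4d embedded
    "2001:db8::a1b2:c3d4:e5f6:0789",  # privacy-extension style IID
]


def eui64_mac(addr: str):
    """Return the MAC embedded in a modified-EUI-64 interface ID, or None.

    A modified EUI-64 IID is OUI(3 bytes) + ff:fe + device-specific(3 bytes),
    with the universal/local bit (0x02 of the first byte) flipped.  The
    ff:fe pad is the 16-bit constant the post refers to.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02            # undo the u/l bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def oui_of(mac: str) -> str:
    """First three octets of a MAC, i.e. the vendor OUI."""
    return mac[:8]


def search_space_bits(num_ouis: int) -> float:
    """log2 of the IID search space for SLAAC hosts from num_ouis vendors:
    64 nominal bits minus 16 fixed (ff:fe) minus 24 OUI bits, times #OUIs."""
    return 24 + math.log2(num_ouis)


def audit(addrs):
    """Map each address that leaks a hardware MAC via EUI-64 to that MAC."""
    found = {}
    for a in addrs:
        mac = eui64_mac(a)
        if mac:
            found[a] = mac
    return found
```

With a single target OUI the per-/64 search space is 2^24 addresses rather than 2^64, which is the gap between the "3500 years" estimate and the post's point.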