Thus spake "Donald Stahl" <[EMAIL PROTECTED]>
> I'm not sure I understand what you are saying- if you number
> based on hardware addresses then I have no idea what you
> mean by "address ranges." The hosts you are trying to
> compromise could be anywhere in the subnet- that's the 3500
> years I was referring to above. That's 3500 years to scan a
> single /64 subnet- not the entire Internet- not even a tiny little
> fraction of it.
If people use stateless autoconfig, you know what 16 of the bits are, and
you can guess 24 of them from a relatively small set. If you're writing a
worm that targets residential Wintel users, just scan the OUIs from Dell,
HP, etc. Throw in Lenovo if you want to go after business folks. Looking
at it another way, you can toss out OUIs from vendors whose gear you know
your worm _doesn't_ work on (e.g. Apple, embedded manufacturers, etc.) or
only include OUIs for vendors you want to make look bad (e.g. Dell might
write a worm that only probes HP machines).
(This is also mentioned in the draft Dale referenced, but I came up with it
independently in a few seconds, so I think it falls in the "obvious"
category for someone with the sk1llz needed to write a worm.)
S
Stephen Sprunk "Those people who think they know everything
CCIE #3723 are a great annoyance to those of us who do."
K5SSS --Isaac Asimov