Comments on Errata Security: Randomizing port scans, part two
David Maynor
Updated 2020-10-31T18:15:14.926-04:00 (9 comments)

Jess, 2012-12-01T01:32:11.552-05:00

I'm not sure if anyone besides Emily the SEO Spammer cares about this issue still, but have you considered Fibonacci hashing? Described here (http://brpreiss.com/books/opus4/html/page214.html), it essentially *is* LCG, except the multiplier is easily derived from the size of your domain. It's certainly not random, but it picks out an always-evenly-distributed and progressively denser set. I think that's what you wanted?

Anonymous, 2012-10-29T16:57:57.233-04:00

hi :)
thanks for sharing, you have a very nice and useful blog.
btw, I also have a blog and a web directory, would you like to exchange links? let me know on emily.kovacs14@gmail.com

martijn, 2012-10-29T14:08:10.619-04:00

Regarding that last comment: that works fine if you have a small set. (And even then it's rather inefficient.) It won't work if you have 32 trillion IP-port combinations...

Anonymous, 2012-10-29T05:38:27.743-04:00

You don't search for absolute randomness. I used a little trick some time ago:

Make a table of all values, for example, 100 elements.
Choose one, place it on a new table as first element. Extract this one.
You have now a 99 elements table. Choose one, place it in second place, etc..
After 100 rounds, you have a shuffled table of your 100 elements.

Jerry, 2012-10-28T16:59:12.048-04:00

You're making this way too complicated, without defining a threat model. Suppose you want to scan a range of ports from m to n. If you're worried that it's too obvious if you increment by 1, then pick any k < n - m + 1 and relatively prime to n - m + 1, use next(j) = m + (j + k mod n - m + 1). If that's not good enough ... why? Are you worried about an intrusion detector that will notice linear scans? Then why not an intrusion detector that will notice an LCG - the parameters of an LCG can be read out from two consecutive outputs.

If you're really concerned about this, there are published algorithms going back years for how to apply an encryption algorithm in order to get a mapping from a specific input range of numbers back to itself. See http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/ffsem/ffsem-spec.pdf for an example.

Robert Graham, 2012-10-28T15:14:10.377-04:00

Ryan, XOR doesn't quite work because my ranges aren't powers of 2. In other words, if you XOR something with a number [0..99] you'll get something outside that range.

Though, most of the time the lower part of the range is indeed a power of 2. In other words, I might scan 3 Class C networks (a range of 768 addresses). I can therefore use the LCG to determine an index [0..767], and then XOR the lower 8 bits with 0xA3 (a constant pulled out of thin air).

Robert Graham, 2012-10-28T15:06:34.628-04:00

Thanks Martijn! I didn't realize that a%m applied, though in hindsight, that's obvious.

martijn, 2012-10-28T07:08:08.272-04:00

Your second output is *very non-random*.

Like you can substitute its equivalent mod a for c (i.e. you can use c%m instead of c), the same holds true for a. So instead of a=101, you get the same results if you use a=101%100=1. So your LCG function is x(n+1)=x(n)+79.

So the output you get is just the last two digits of the multiples of 79.

It's the same problem as you get in your fourth example, with (effectively) m=101, a=1 and c=10, except this is more obvious.

Anonymous, 2012-10-28T03:34:44.210-04:00

You can just use XOR, if you're not terribly picky about how "random" your random is.