Thus spake "Donald Stahl" <don@calis.blacksun.org>
> I'm not sure I understand what you are saying- if you number based on hardware addresses then I have no idea what you mean by "address ranges." The hosts you are trying to compromise could be anywhere in the subnet- that's the 3500 years I was referring to above. That's 3500 years to scan a single /64 subnet- not the entire Internet- not even a tiny little fraction of it.
If people use stateless autoconfig, you know what 16 of the bits are, and you can guess 24 of them from a relatively small set. If you're writing a worm that targets residential Wintel users, just scan the OUIs from Dell, HP, etc. Throw in Lenovo if you want to go after business folks. Looking at it another way, you can toss out OUIs from vendors whose gear you know your worm _doesn't_ work on (e.g. Apple, embedded manufacturers, etc.) or only include OUIs for vendors you want to make look bad (e.g. Dell might write a worm that only probes HP machines).

(This is also mentioned in the draft Dale referenced, but I came up with it independently in a few seconds, so I think it falls in the "obvious" category for someone with the sk1llz needed to write a worm.)

S

Stephen Sprunk      "Those people who think they know everything
CCIE #3723         are a great annoyance to those of us who do."
K5SSS                                             --Isaac Asimov
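
Added example, not part of the original message: a defender-side audit that flags addresses in an inventory whose interface ID is MAC-derived (the fixed 16 bits plus an embedded OUI), and scales the thread's 3500-year full-/64 figure down to the reduced search space. The function names and sample addresses are constructed for illustration; the sample MAC uses the RFC 7042 documentation OUI.

```python
import ipaddress

YEAR_SECONDS = 365.25 * 24 * 3600
FULL_SCAN_YEARS = 3500  # figure quoted in the thread for scanning one whole /64


def eui64_oui(addr):
    """Return the embedded OUI ('aa:bb:cc') if the interface ID looks
    MAC-derived (modified EUI-64), otherwise None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]  # low 64 bits
    # Stateless autoconfig from a 48-bit MAC inserts ff:fe in the middle:
    # these are the 16 bits that are always known.
    if iid[3:5] != b"\xff\xfe":
        return None
    # The universal/local bit is inverted in the interface ID; undo that
    # to recover the vendor OUI (the 24 guessable bits).
    return "%02x:%02x:%02x" % (iid[0] ^ 0x02, iid[1], iid[2])


def reduced_scan_seconds(num_ouis):
    """Scale the thread's full-/64 scan time to num_ouis candidate vendors.
    Each OUI leaves only the 24 NIC-specific bits unknown."""
    candidates = num_ouis * 2 ** 24
    return FULL_SCAN_YEARS * YEAR_SECONDS * candidates / 2 ** 64


def audit(addresses):
    """Map each address to its exposed OUI (None = not MAC-derived).
    A random ID can contain ff:fe by chance (about 1 in 65536), so treat
    a hit as a prompt to check the host's address configuration."""
    return {a: eui64_oui(a) for a in addresses}


# Constructed sample inventory (documentation prefix 2001:db8::/32).
SAMPLE = [
    "2001:db8:0:1:200:5eff:fe00:532a",    # from MAC 00:00:5e:00:53:2a
    "2001:db8:0:1:8d3f:6c21:9e4b:17a0",   # randomized interface ID
    "2001:db8:0:1::10",                   # manually assigned
]

if __name__ == "__main__":
    for address, oui in audit(SAMPLE).items():
        print(address, "-> OUI exposed:" if oui else "-> not MAC-derived", oui or "")
    print("10 vendor OUIs: %.2f s instead of %d years"
          % (reduced_scan_seconds(10), FULL_SCAN_YEARS))
```

Hosts flagged here are candidates for randomized or stable-opaque interface IDs (RFC 4941 / RFC 7217) in place of MAC-derived ones.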