
wg-multicast - Re: MSDP instability today

Subject: All things related to multicast

  • From: Mark Fullmer <>
  • To: Bill Fenner <>,
  • Cc:
  • Subject: Re: MSDP instability today
  • Date: Mon, 15 Jan 2001 13:59:34 -0500

164.107.148.136 is scanning for FTP servers.

srcIP            dstIP           prot  srcPort  dstPort  octets  packets
164.107.148.136  85.140.239.124  6     21       21       40      1
164.107.148.136  85.140.239.125  6     21       21       40      1
164.107.148.136  85.140.239.126  6     21       21       40      1
164.107.148.136  85.140.239.127  6     21       21       40      1
...

% flow-cat cf05.2001-01-15.* | flow-filter -Sattack | flow-stat -f8 | wc -l
1943782

They hit about 2 million destinations since midnight. The scanning tool
probably fell into the multicast range.

I'll get someone at OSU to blackhole 164.107.148.136. It's not currently
scanning multicast addresses.

On Mon, Jan 15, 2001 at 01:03:26PM -0500, Matthew Davy wrote:
>
> Yep, shutting down the MSDP session with NCSA didn't help the problem. We
> were just hit again. This is what my MSDP speaker saw before its MSDP
> session to the router reset...
>
> # of SA's  RP Address
> 29161      164.107.2.6
> 12117      164.107.2.6 (with encap data)
> 10561      206.190.40.61
> 2832       204.69.199.17
> 2712       130.240.22.190
> 1580       144.232.187.198
> 1250       198.32.163.248
> 1128       193.166.5.252
> 1080       192.135.250.116
> 776        128.210.242.22
> 678        198.10.80.1
> 549        171.64.0.24
> 518        128.39.0.84
> 480        130.235.72.186
>
>
> Once the storm started, all of the SA's from 164.107.2.6 were for addresses
> in the 233.140.x.y range...
>
> -------------------------------------------------------------------------------
> Time             Group         Source           RP
> -------------------------------------------------------------------------------
> 12:06:08.460033  233.140.0.1   164.107.148.136  164.107.2.6 (with encap data)
> 12:06:08.637338  233.140.0.2   164.107.148.136  164.107.2.6 (with encap data)
> 12:06:08.840804  233.140.0.3   164.107.148.136  164.107.2.6 (with encap data)
> 12:06:08.892937  233.140.0.4   164.107.148.136  164.107.2.6 (with encap data)
> 12:06:09.062941  233.140.0.5   164.107.148.136  164.107.2.6 (with encap data)
> 12:06:09.250321  233.140.0.6   164.107.148.136  164.107.2.6 (with encap data)
> 12:06:09.280328  233.140.0.7   164.107.148.136  164.107.2.6 (with encap data)
> 12:06:09.280328  233.140.0.8   164.107.148.136  164.107.2.6 (with encap data)
> 12:06:09.303337  233.140.0.9   164.107.148.136  164.107.2.6 (with encap data)
> 12:06:09.493711  233.140.0.10  164.107.148.136  164.107.2.6 (with encap data)
>
>
> This is very similar to what I saw yesterday from NCSA (141.142.12.1)
> except with different address ranges....
>
>
> <first incident used 235.244.x.y>
> 01:17:44.587246  235.244.0.103  141.142.20.199  141.142.12.1 (with encap data)
> 01:17:44.650069  235.244.0.105  141.142.20.199  141.142.12.1 (with encap data)
> 01:17:44.754484  235.244.0.106  141.142.20.199  141.142.12.1 (with encap data)
> 01:17:44.807276  235.244.0.107  141.142.20.199  141.142.12.1 (with encap data)
> 01:17:44.807276  235.244.0.108  141.142.20.199  141.142.12.1 (with encap data)
> 01:17:44.807276  235.244.0.109  141.142.20.199  141.142.12.1 (with encap data)
> 01:17:44.807276  235.244.0.110  141.142.20.199  141.142.12.1 (with encap data)
>
> <second incident used 237.75.x.y >
> 12:02:00.788692 237.75.44.29 141.142.20.168 141.142.12.1
> 12:02:00.855210 237.75.20.189 141.142.20.168 141.142.12.1
> 12:02:00.855210 237.75.20.248 141.142.20.168 141.142.12.1
> 12:02:00.855210 237.75.20.233 141.142.20.168 141.142.12.1
> 12:02:00.855210 237.75.9.79 141.142.20.168 141.142.12.1
> 12:02:00.855210 237.75.32.159 141.142.20.168 141.142.12.1
> 12:02:00.855210 237.75.9.45 141.142.20.168 141.142.12.1
> 12:02:00.855210 237.75.9.121 141.142.20.168 141.142.12.1
> 12:02:00.855210 237.75.44.30 141.142.20.168 141.142.12.1
>
>
> In the latest incident, 4 SA's were sent for every group address between
> 233.140.0.0 and 234.140.57.99.
>
>
> - Matt
>
>
>
> On Mon, Jan 15, 2001 at 09:33:46AM -0800, Bill Fenner wrote:
> >
> > >Actually, I believe the router originating the problem is a Juniper.
> >
> > Careful about assigning blame based on the SA's seen -- the problem
> > is somewhere between you and the originator, but is not necessarily
> > at the origin router. (Admittedly, the only MSDP SA loop I've seen
> > for myself involved the origin router, but that's not a requirement)
> >
> > Bill
> >
>
> --
> --------------------
> Matthew Davy
>
>
> 812-855-7728
> Network Engineer
> Indiana University
> Abilene NOC
> --------------------
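
A detection sketch for the pattern this message describes, added here as an example and not code from the thread or from flow-tools: it reads flow records in the column layout shown at the top of the message, counts distinct destinations per source and port, and flags sources whose sweep includes addresses in 224.0.0.0/4. The sample records, thresholds and function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

MULTICAST = ipaddress.ip_network("224.0.0.0/4")

# Constructed sample in the report's column layout; not real capture data.
SAMPLE = """\
srcIP dstIP prot srcPort dstPort octets packets
192.0.2.10 198.51.100.1 6 21 21 40 1
192.0.2.10 198.51.100.2 6 21 21 40 1
192.0.2.10 233.140.0.1 6 21 21 40 1
192.0.2.10 233.140.0.2 6 21 21 40 1
192.0.2.10 233.140.0.2 6 21 21 40 1
192.0.2.77 198.51.100.1 6 40000 80 1500 3
"""

def summarize(text):
    """Per (source, protocol, dstPort): distinct destinations, and how many are multicast."""
    dsts = defaultdict(set)
    for line in text.splitlines():
        f = line.split()
        if len(f) != 7 or f[0] == "srcIP":
            continue  # header, blank line or "..." elision
        try:
            src, dst = ipaddress.ip_address(f[0]), ipaddress.ip_address(f[1])
            prot, dport = int(f[2]), int(f[4])
        except ValueError:
            continue  # malformed record
        dsts[(str(src), prot, dport)].add(dst)
    return {
        key: {"distinct": len(seen),
              "multicast": sum(1 for d in seen if d in MULTICAST)}
        for key, seen in dsts.items()
    }

def flag(summary, min_distinct=4, min_multicast=1):
    """Sources sweeping many destinations with at least one inside 224.0.0.0/4.

    The thresholds are assumptions sized for the tiny sample; tune them per network.
    """
    return sorted(src for (src, _prot, _port), v in summary.items()
                  if v["distinct"] >= min_distinct and v["multicast"] >= min_multicast)

if __name__ == "__main__":
    report = summarize(SAMPLE)
    for key, counts in report.items():
        print(key, counts)
    print("flagged:", flag(report))
```

TCP is unicast-only, so any protocol 6 flow with a multicast destination is anomalous on its own and worth alerting on before an RP starts originating SAs for it.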



