
wg-multicast - RE: MSDP Storm

Subject: All things related to multicast

  • From: "Kevin Thompson"
  • To: "Bill Owens", "Greg Shepherd"
  • Cc: "zaid", "Matthew Davy", "Philip Pishioneri", "mbone mail list", "Al Adler"
  • Subject: RE: MSDP Storm
  • Date: Wed, 17 Jan 2001 16:51:42 -0500
  • Importance: Normal

if true, how does the scan result in the sa explosion - is the scan traffic
coming in on a PIM-DM interface on a router configured w/ proxy-register on
the edge of a PIM-SM domain?

kevin

> -----Original Message-----
> From: On Behalf Of Bill Owens
> Sent: Wednesday, January 17, 2001 4:53 PM
> To: Greg Shepherd
> Cc: zaid; Matthew Davy; Philip Pishioneri; mbone mail list; Al Adler
> Subject: Re: MSDP Storm
>
>
> At 16:24 -0500 1/17/01, Marshall Eubanks wrote:
> >Greg et al;
> >
> > We had a real MSDP storm today from UMASS / 5 College - at one
> >point AS 1249 was reporting ~15,000 (S,G). Here are a few
> >
> >. . .
> >As you can see, the G are sequential and the S is assigned to UMass.
> >Any idea what this could be?
>
> Looking briefly at the machine, it is a RedHat 6.2 box with lots of
> services running, including a vulnerable wu-ftpd:
>
> Connected to 128.119.240.205.
> 220 localhost.localdomain FTP server (Version wu-2.6.0(1) Mon Feb 28
> 10:30:36 EST 2000) ready.
>
> My guess is that it was rooted by the so-called ramen worm, which has
> been seen in the wild for the first time in the last few days. It
> uses a program called synscan to look for vulnerable wu-ftpd servers
> to infect. That jibes with Mark Fullmer's observation that an earlier
> storm source was an FTP scanner. That other machine is now off the
> air, but I'm willing to bet that it was also a RedHat 6.2 or 7.0 box
> with a vulnerable wu-ftpd.
>
> I posted a note to one of the mailing lists that is discussing the
> ramen worm, to see if someone who has it in captivity can confirm
> that it scans the multicast address space.
>
> Bill.
>
> PS - the scanner noted above is now off the air too. . .
>
>
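
Added example, not part of the original thread: a Python check for the pattern reported in the quoted message, a single source S appearing in the SA cache with a long run of sequential groups G. The one-pair-per-line input format, the sample addresses (documentation ranges) and the thresholds are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed input: one "(S, G)" pair per line (constructed format, not router output).
PAIR = re.compile(r"\(\s*([\d.]+)\s*,\s*([\d.]+)\s*\)")
MCAST = ipaddress.ip_network("224.0.0.0/4")

def parse_sa(text):
    """Map each unicast source to the set of multicast groups (as ints) it appears with."""
    by_source = defaultdict(set)
    for line in text.splitlines():
        m = PAIR.search(line)
        if not m:
            continue
        try:
            src, grp = (ipaddress.IPv4Address(a) for a in m.groups())
        except ValueError:
            continue  # malformed address, skip the line
        if grp in MCAST and src not in MCAST:
            by_source[str(src)].add(int(grp))
    return by_source

def longest_run(groups):
    """Length of the longest run of numerically consecutive group addresses."""
    best = run = 0
    prev = None
    for g in sorted(groups):
        run = run + 1 if prev is not None and g == prev + 1 else 1
        best = max(best, run)
        prev = g
    return best

def suspects(text, min_groups=50, min_run=32):
    """Sources with many groups AND a long sequential run (thresholds are assumptions)."""
    hits = {}
    for src, groups in parse_sa(text).items():
        run = longest_run(groups)
        if len(groups) >= min_groups and run >= min_run:
            hits[src] = (len(groups), run)
    return hits

def sample():
    """Constructed SA entries: one sweeping source plus one ordinary one."""
    base = int(ipaddress.IPv4Address("224.2.0.0"))
    lines = [f"(192.0.2.10, {ipaddress.IPv4Address(base + i)})" for i in range(300)]
    lines += ["(198.51.100.7, 224.2.127.254)", "(198.51.100.7, 233.0.5.9)"]
    return "\n".join(lines)
```

Calling `suspects(sample())` reports only the sweeping source, with its group count and longest sequential run.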



