wg-multicast - RE: MSDP Storm
Subject: All things related to multicast
- From: Greg Shepherd
- To: Kevin Thompson
- Cc: Bill Owens, Greg Shepherd, zaid, Matthew Davy, Philip Pishioneri, mbone mail list, Al Adler
- Subject: RE: MSDP Storm
- Date: Wed, 17 Jan 2001 14:10:23 -0800 (PST)
The scan sweeps across the class D address range, which is seen as a
source by the first-hop router, which registers the packets to the RP,
which sends an SA.
Greg
On Wed, 17 Jan 2001, Kevin Thompson wrote:
> if true, how does the scan result in the sa explosion - is the scan traffic
> coming in on a PIM-DM interface on a router configured w/ proxy-register on
> the edge of a PIM-SM domain?
>
> kevin
>
> > -----Original Message-----
> > From: On Behalf Of Bill Owens
> > Sent: Wednesday, January 17, 2001 4:53 PM
> > To: Greg Shepherd
> > Cc: zaid; Matthew Davy; Philip Pishioneri; mbone mail list; Al Adler
> > Subject: Re: MSDP Storm
> >
> >
> > At 16:24 -0500 1/17/01, Marshall Eubanks wrote:
> > >Greg et al;
> > >
> > > We had a real MSDP storm today from UMASS / 5 College - at one
> > >point AS 1249 was reporting ~15,000 (S,G). Here are a few
> > >
> > >. . .
> > >As you can see, the G are sequential and the S is assigned to UMass.
> > >Any idea what this could be?
> >
> > Looking briefly at the machine, it is a RedHat 6.2 box with lots of
> > services running, including a vulnerable wu-ftpd:
> >
> > Connected to 128.119.240.205.
> > 220 localhost.localdomain FTP server (Version wu-2.6.0(1) Mon Feb 28
> > 10:30:36 EST 2000) ready.
> >
> > My guess is that it was rooted by the so-called ramen worm, which has
> > been seen in the wild for the first time in the last few days. It
> > uses a program called synscan to look for vulnerable wu-ftpd servers
> > to infect. That jibes with Mark Fullmer's observation that an earlier
> > storm source was an FTP scanner. That other machine is now off the
> > air, but I'm willing to bet that it was also a RedHat 6.2 or 7.0 box
> > with a vulnerable wu-ftpd.
> >
> > I posted a note to one of the mailing lists that is discussing the
> > ramen worm, to see if someone who has it in captivity can confirm
> > that it scans the multicast address space.
> >
> > Bill.
> >
> > PS - the scanner noted above is now off the air too. . .
> >
> >
>
>
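A check an operator could run over an exported SA cache to spot the pattern described in this thread (one source announcing a long run of sequential groups), as an added example that is not part of the original messages. The (source, group) tuple input, the thresholds and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import IPv4Address


def longest_sequential_run(groups):
    """Length of the longest run of numerically consecutive group addresses."""
    vals = sorted({int(IPv4Address(g)) for g in groups})
    best = run = 1 if vals else 0
    for prev, cur in zip(vals, vals[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_sweeping_sources(sa_entries, min_groups=50, min_run=20):
    """Flag sources whose SA entries look like a sweep of the class D range.

    sa_entries: iterable of (source, group) strings, e.g. parsed from a
    router's SA cache dump. Thresholds are assumed values; tune per network.
    """
    by_source = defaultdict(set)
    for source, group in sa_entries:
        if IPv4Address(group).is_multicast:  # ignore malformed/non-class-D rows
            by_source[source].add(group)
    flagged = {}
    for source, groups in by_source.items():
        run = longest_sequential_run(groups)
        if len(groups) >= min_groups and run >= min_run:
            flagged[source] = {"groups": len(groups), "longest_run": run}
    return flagged


def build_sample_cache():
    """Constructed sample: one sweeping source plus two ordinary senders."""
    base = int(IPv4Address("233.252.0.0"))
    cache = [("192.0.2.10", str(IPv4Address(base + i))) for i in range(200)]
    cache += [("198.51.100.5", g) for g in ("224.2.127.254", "233.252.0.7", "239.1.1.1")]
    cache += [("203.0.113.7", g) for g in ("224.2.0.1", "224.2.0.2")]
    return cache


if __name__ == "__main__":
    for src, stats in find_sweeping_sources(build_sample_cache()).items():
        print(f"{src}: {stats['groups']} groups, longest sequential run {stats['longest_run']}")
```
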