All things related to multicast

[Marshall Eubanks <>]

Greg Shepherd wrote:

> The scan sweeps across the class D address range, which is seen as a
> source by the first-hop router, which registers the packets to the RP,
> which sends an SA.
>
> Greg
>
> On Wed, 17 Jan 2001, Kevin Thompson wrote:
>
> > if true, how does the scan result in the sa explosion - is the scan 
> > traffic
> > coming in on a PIM-DM interface on a router configured w/ proxy-register 
> > on
> > the edge of a PIM-SM domain?
> >
> > kevin
> >
> > > -----Original Message-----
> > > From: 
> > > 
> > > [mailto:]On
> > >  Behalf Of Bill Owens
> > > Sent: Wednesday, January 17, 2001 4:53 PM
> > > To: 
> > > ;
> > >  Greg Shepherd
> > > Cc: zaid; Matthew Davy; Philip Pishioneri; 
> > > ;
> > > mbone mail list; 
> > > ;
> > >  
> > > ;
> > >  Al Adler
> > > Subject: Re: MSDP Storm
> > >
> > >
> > > At 16:24 -0500 1/17/01, Marshall Eubanks wrote:
> > > >Greg et al;
> > > >
> > > >    We had a real MSDP storm today from UMASS / 5 College - at one
> > > >point AS 1249 was reporting ~15,000 (S,G). Here are
> > > >a few
> > > >
> > > >. . .
> > > >As you can see, the G are sequential and the S is assigned to UMass.
> > > >Any idea what this
> > > >could be ?
> > >
> > > Looking briefly at the machine, it is a RedHat 6.2 box with lots of
> > > services running, including a vulnerable wu-ftpd:
> > >
> > > Connected to 128.119.240.205.
> > > 220 localhost.localdomain FTP server (Version wu-2.6.0(1) Mon Feb 28
> > > 10:30:36 EST 2000) ready.
> > >
> > > My guess is that it was rooted by the so-called ramen worm, which has
> > > been seen in the wild for the first time in the last few days. It
> > > uses a program called synscan to look for vulnerable wu-ftpd servers
> > > to infect. That jives with Mark Fullmer's observation that an earlier
> > > storm source was an FTP scanner. That other machine is now off the
> > > air, but I'm willing to bet that it was also a RedHat 6.2 or 7.0 box
> > > with a vulnerable wu-ftpd.
> > >
> > > I posted a note to one of the mailing lists that is discussing the
> > > ramen worm, to see if someone who has it in captivity can confirm
> > > that it scans the multicast address space.
> > >
> > > Bill.
> > >
> > > PS - the scanner noted above is now off the air too. . .
> > >
> > >
> >
> >

Now we're getting it from Stanford - AS 32 - this is bad. And it is the RAMEN 
virus - Al said he could
even get

(171.64.48.112, 237.64.120.187), RP 171.64.0.24, MBGP/AS 32, 00:04:32/00:01:27
(171.64.48.112, 237.64.120.188), RP 171.64.0.24, MBGP/AS 32, 00:04:36/00:01:23
(171.64.48.112, 237.64.120.189), RP 171.64.0.24, MBGP/AS 32, 00:04:36/00:01:23
(171.64.48.112, 237.64.120.190), RP 171.64.0.24, MBGP/AS 32, 00:04:32/00:01:27
(171.64.48.112, 237.64.120.191), RP 171.64.0.24, MBGP/AS 32, 00:04:36/00:01:23
(171.64.48.112, 237.64.120.192), RP 171.64.0.24, MBGP/AS 32, 00:07:03/00:00:48
(171.64.48.112, 237.64.120.197), RP 171.64.0.24, MBGP/AS 32, 00:07:05/00:00:47
(171.64.48.112, 237.64.120.198), RP 171.64.0.24, MBGP/AS 32, 00:07:04/00:00:48
(171.64.48.112, 237.64.120.199), RP 171.64.0.24, MBGP/AS 32, 00:07:04/00:00:48
(171.64.48.112, 237.64.120.200), RP 171.64.0.24, MBGP/AS 32, 00:06:47/00:01:00
(171.64.48.112, 237.64.120.201), RP 171.64.0.24, MBGP/AS 32, 00:06:48/00:00:51

go to


--
                                 Regards
                                 Marshall Eubanks


T.M. Eubanks
Multicast Technologies, Inc
10301 Democracy Lane, Suite 410
Fairfax, Virginia 22030
Phone : 703-293-9624
Fax     : 703-293-9609
e-mail : 

     


http://www.on-the-i.com http://www.buzzwaves.com