All things related to multicast

[Bill Owens <>]

At 5:25 -0500 1/18/01, Marshall Eubanks wrote:
> Dear Michael;
>
>    Apparently a lot, at least for some routers -
> we had 15,000 (S,G) at one time from Stanford, all within 2 or 3
> minutes. How
> long does it take one of these worms to scan through the entire
> multicast /4 ?
> Someone could look in the logs for the Stanford and UMass DR and see how
> they faired.

The worm won't scan the entire space in order, only a random portion 
of it. From the INCIDENTS mailing list:

At 20:54 -0500 1/17/01, Daniel Martin wrote:
> slim bones 
> <>
>  writes:
>
> >  Ramen uses a binary called randb to generate class B nets to scan.  I
> >  just made it generate 1000 of these, they appear to be reasonably
> >  scattered... however the first byte of the IP address was never less
> >  than 13 nor greater than 242.  Between those, addresses are fairly
> >  evenly dispersed considering the small sample size.  Of 1000 addresses
> >  about 60 were in the range you identify.  From what I've seen the
> >  worm would not discriminate against multicast addresses.
>
> For what it's worth, a disassembly of randb shows that the algorithm
> used to choose network addresses is equivalent to:
> (int)((rand()*230)/(MAXINT+1)) + 13
> for the first byte and
> (int)((rand()*254)/(MAXINT+1)) + 1
> for the second.
>
> In other words, just what you said; uniformly distributed in the first
> byte from 13 to 242 and uniform in the second byte from 1 to 255.

I gather that if the worm were allowed to run free it would continue 
to scan forever, so it would eventually cover most of the multicast 
space.

Bill.