wg-multicast - Re: MSDP storm

Subject: All things related to multicast

  • From: "Pedro M. Ruiz" <>
  • To:
  • Cc:
  • Subject: Re: MSDP storm
  • Date: Thu, 01 Feb 2001 16:50:56 +0100



Hello all,

I'm very sorry for the MSDP storm from 157.88.142.2.
This host belongs to the University of Valladolid, which is under the
RedIRIS AS.

I've rate-limited MSDP SAs in our peering with TEN-155 according to
Hank's recommendations.

Now we're using:

rate-limit input access-group 180 8000 4470 4470 conform-action transmit exceed-action drop
...
EB-Madrid00#sh access-lists 180
Extended IP access list 180
permit tcp any any eq 639 (26138 matches)
permit udp any any eq 639 (1527 matches)
deny ip any any (95813443 matches)

Are there better values than these 8Kb rate limits?

I've also filtered TCP packets addressed to IP multicast groups at
the access router.

Finally, I've checked that the host 157.88.142.2 is a Linux
RedHat 7.0 that has been compromised with a modified version of
RAMEN.

I've contacted my colleagues in the IRIS-CERT. They're now further
investigating this mutation and contacting the administrators of this host.

Best Regards,

______________ __ _______________________________
/_/
Pedro M. Ruiz __ __

RedIRIS/CSIC /_/ RedIRIS /_/ Tel: + 34 915855150
Serrano,142 __ Fax: + 34 915855146
E-28006 Madrid /_/
SPAIN Network Engineer
____________ Spanish Academic & Research Network ___________________
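
Added example, not part of the message above and not RedIRIS configuration: a simplified token-bucket model of the quoted rate-limit line (8000 bit/s, 4470-byte burst), showing what it passes for a quiet peer and during a storm. Treating the equal normal and extended burst values as a plain token bucket is an assumption, and the packet sizes and arrival patterns are constructed.

```python
# Added example: simplified token-bucket model of the policer quoted above.
# Assumption: extended burst == normal burst is modelled as a plain token
# bucket. Packet sizes and arrival patterns below are constructed.

RATE_BPS = 8000      # average rate from the rate-limit line (bits per second)
BURST_BYTES = 4470   # normal burst from the rate-limit line (bytes)


class Policer:
    def __init__(self, rate_bps=RATE_BPS, burst_bytes=BURST_BYTES):
        self.rate_bps = rate_bps
        self.depth_bits = burst_bytes * 8
        self.tokens_bits = self.depth_bits   # bucket starts full
        self.last_ms = 0
        self.sent = 0
        self.dropped = 0

    def offer(self, t_ms, size_bytes):
        """Apply conform-action transmit / exceed-action drop to one packet."""
        refill = self.rate_bps * (t_ms - self.last_ms) // 1000
        self.tokens_bits = min(self.depth_bits, self.tokens_bits + refill)
        self.last_ms = t_ms
        if self.tokens_bits >= size_bytes * 8:
            self.tokens_bits -= size_bytes * 8
            self.sent += 1
            return True
        self.dropped += 1
        return False


def simulate(pps, size_bytes, seconds):
    """Offer evenly spaced equal-size packets; return (sent, dropped)."""
    policer = Policer()
    interval_ms = 1000 // pps
    for i in range(pps * seconds):
        policer.offer(i * interval_ms, size_bytes)
    return policer.sent, policer.dropped


if __name__ == "__main__":
    print("quiet peer, 1 x 500 B/s for 60 s:", simulate(1, 500, 60))
    print("storm, 100 x 500 B/s for 10 s:  ", simulate(100, 500, 10))
```

In this model the sustained ceiling is 1000 bytes per second once the initial 4470-byte burst is spent, and any single packet larger than 4470 bytes is always dropped.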





  • MSDP storm, Irene Rousohatzaki, 02/01/2001
    • <Possible follow-up(s)>
    • Re: MSDP storm, Pedro M. Ruiz, 02/01/2001
