All things related to multicast

[Bill Owens <>]

At 20:08 +0100 2/1/01, Miguel Angel Sotos - NOC wrote:
> Sorry, it was not the BGP session, it was the MSDP peering.
> We have limited the SA announcements to 24 Kbps (due to RAMEN) and
> now we are receiving a burst of announcements.
> It seems we are victims of a RAMEN attack.
> Here is some example:
>
> EB-Madrid00#sh ip msdp sa-cache | incl 63.250.209.99
> (63.250.209.99, 233.22.147.80), RP 206.190.40.61, MBGP/AS 5779,
> 00:10:30/00:05:40
> (63.250.209.99, 233.22.147.81), RP 206.190.40.61, MBGP/AS 5779,
> 00:10:30/00:05:40
> (63.250.209.99, 233.22.147.121), RP 206.190.40.61, MBGP/AS 5779,
> 00:10:30/00:05:39
> (63.250.209.99, 233.22.147.122), RP 206.190.40.61, MBGP/AS 5779,
> 00:10:30/00:05:39
> . . .
>
> EB-Madrid00#sh ip msdp sa-cache | incl 63.250.209.148
> (63.250.209.148, 233.22.147.82), RP 206.190.40.61, MBGP/AS 5779,
> 00:10:58/00:05:12
> (63.250.209.148, 233.22.147.83), RP 206.190.40.61, MBGP/AS 5779,
> 00:10:58/00:05:12
> (63.250.209.148, 233.22.147.125), RP 206.190.40.61, MBGP/AS 5779,
> 00:10:58/00:05:11
> (63.250.209.148, 233.22.147.126), RP 206.190.40.61, MBGP/AS 5779,
> 00:10:58/00:05:11

Those machines are not ramen infected (a quick check is to telnet to 
port 27374; an infected machine will answer, a clean one will not). 
The're located at broadcast.com, and are sending SAs for 
broadcast.com's GLOP space, corresponding to their ASN 5779. For 
details on GLOP addressing, see RFC2770. For details on why 
broadcast.com uses so many group addresses, you'll have to ask them 
;) I've been fooled by this same set of advertisements myself, while 
looking for ramen-infected machines. . .

Bill.