
wg-multicast - Re: [isp-webhosting] Re: root server attack

Subject: All things related to multicast

  • From: Marshall Eubanks <>
  • To: Marshall Eubanks <>
  • Cc: , , (IP Multicast) <>,
  • Subject: Re: [isp-webhosting] Re: root server attack
  • Date: Sat, 25 Jan 2003 11:29:56 -0500

Note : I do not see any indication of RAMEN worm type MSDP havoc - but
I have received confirmation about the targeting of Multicast group addresses.

However, one thing I do note is that the number of NLANR beacons we can see has gone
down by about 1/2. Since the beacons still seem to be there, this may indicate that people are shutting down MSDP or
that there are other problems.

Marshall

On Saturday, January 25, 2003, at 11:04 AM, Marshall Eubanks wrote:

Some of you may have heard about the 1434 worm :

This is a very bad attack going on today since about midnight EST last night.

The message below indicates that the worm may be sending UDP Multicast. If so, this may cause real
problems with MSDP, along the lines of the Ramen worm.
I haven't seen anything yet, but MSDP peers should probably watch out.

It is a worm that will
- attack MS SQL through port 1434 UDP
- generate amazing amounts of traffic outbound
- systematically try and find and infect other SQL machines

If you are running MS SQL it is listening to port 1434, so you may have a problem.

Technical details
http://www.nextgenss.com/advisories/mssql-udp.txt

Marshall

Begin forwarded message:

From: "Jamie - i-Dot"
<>
Date: Sat Jan 25, 2003 03:57:43 AM US/Eastern
To:

Subject: [isp-webhosting] Re: root server attack
Reply-To:


Noticing the same here,

Some customers seem to be infected / sending out UDP packets to
multicast addresses,

Tracked it down to SQL server agent on a few boxes...

Strangely enough, LINX doesn't seem to be showing any excess traffic at
all.

-----Original Message-----
From: Metanet Help Desk
[mailto:]
Sent: 25 January 2003 07:55
To:


We are seeing the signs of a wide-scale attack against root servers on
the internet. This is directed at the internet in general and the
effects are being felt wide-spread. Every other provider we have been
in contact with is aware of this. You may experience intermittent
connectivity issues while these are happening and the connectivity
issues may occur more frequently if these attacks are not stopped
quickly.


----- Original Message -----
From: "Gary Carr"
<>
To:
<>
Sent: Saturday, January 25, 2003 2:08 AM
Subject: [isp-webhosting] Re: Win FTP Servers


Anyone have a clue what the major attack going on this am is? All of our
upstreams are having network-wide problems.



Gary



At 1/22/2003, you wrote:
I'm investigating for a Windows-based FTP server. Security and
ease-of-use are my basic concerns. I don't care much about bells and
whistles.

Any suggestions?

http://www.wftpd.com/

WFTPD is very easy to set up and maintain. I've been very happy with
it. And it's cheap.

--Dave


__________ The ISP-WEBHOSTING Discussion List __________
To Join:
mailto:
To Remove:
mailto:
Archives: http://isp-lists.isp-planet.com/isp-webhosting/archives/





Regards
Marshall Eubanks



T.M. Eubanks
Multicast Technologies, Inc.
10301 Democracy Lane, Suite 410
Fairfax, Virginia 22030
Phone : 703-293-9624 Fax : 703-293-9609
e-mail :

http://www.multicasttech.com

Test your network for multicast :
http://www.multicasttech.com/mt/
Status of Multicast on the Web :
http://www.multicasttech.com/status/index.html
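
Added example, not part of the original messages: a way to pick out hosts showing the behaviour reported in this thread (heavy outbound UDP to port 1434 across many destinations, some of them multicast group addresses) from flow records. The record layout, the sample flows and the min_dests threshold are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

MULTICAST = ipaddress.ip_network("224.0.0.0/4")  # IPv4 multicast range
WORM_UDP_PORT = 1434                              # UDP port named in the thread

# Constructed flow records: (src, dst, protocol, dst_port, packets)
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.7", "udp", 1434, 900),
    ("192.0.2.10", "233.1.2.3", "udp", 1434, 850),
    ("192.0.2.10", "239.9.9.9", "udp", 1434, 700),
    ("192.0.2.10", "203.0.113.50", "udp", 1434, 650),
    ("192.0.2.20", "198.51.100.7", "udp", 1434, 2),    # single client lookup
    ("192.0.2.30", "233.1.2.3", "udp", 5004, 4000),    # ordinary multicast stream
    ("192.0.2.40", "198.51.100.9", "tcp", 1434, 500),  # TCP, not the worm's UDP
]

def suspect_sources(flows, min_dests=3):
    """Return {src: summary} for hosts sending UDP/1434 to >= min_dests targets.

    min_dests is an assumed threshold; tune it against normal client lookups.
    """
    dests, groups, packets = defaultdict(set), defaultdict(set), defaultdict(int)
    for src, dst, proto, dport, pkts in flows:
        if proto != "udp" or dport != WORM_UDP_PORT:
            continue
        dests[src].add(dst)
        packets[src] += pkts
        if ipaddress.ip_address(dst) in MULTICAST:
            groups[src].add(dst)  # group addresses hit by this source
    return {
        src: {
            "distinct_dests": len(dests[src]),
            "multicast_groups": sorted(groups[src]),
            "packets": packets[src],
        }
        for src in dests
        if len(dests[src]) >= min_dests
    }

if __name__ == "__main__":
    for src, info in suspect_sources(SAMPLE_FLOWS).items():
        print(src, info)
```

The multicast_groups list is the part of interest to MSDP peers: it shows which sources are sending this traffic to group addresses rather than only to unicast hosts.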



