wg-multicast - Re: [isp-webhosting] Re: root server attack
Subject: All things related to multicast
List archive
- From: Prashant Rajvaidya <>
- To: Marshall Eubanks <>
- Cc: , , ,
- Subject: Re: [isp-webhosting] Re: root server attack
- Date: Mon, 27 Jan 2003 04:16:47 -0800 (Pacific Standard Time)
FYI, I have put some interesting Charts, Statistics and a Topology-Map at
the following location:
http://www.nmsl.cs.ucsb.edu/mantra/ries/sapphire/
I hope that this page can provide some more insight.
--prashant
On Sat, 25 Jan 2003, Marshall Eubanks wrote:
> Note : I do not see any indication of RAMEN worm type MSDP havoc - but
> I have received confirmation about the targeting of Multicast group
> addresses.
>
> However, one thing I do note is that the number of NLANR beacons we can
> see has gone
> down by about 1/2. Since the beacons still seem to be there, this may
> indicate that people are shutting down MSDP or
> that there are other problems.
> i
> Marshall
>
> On Saturday, January 25, 2003, at 11:04 AM, Marshall Eubanks wrote:
>
> > Some of you may have heard about the 1434 worm :
> >
> > This is a very bad attack going on today since about midnight EST last
> > night.
> >
> > The message below indicates that the worm may be sending UDP Multicast.
> > If so, this may cause real
> > problems with MSDP, along the lines of the Ramen worm.
> > I haven't seen anything yet, but MSDP peers should probably watch out.
> >
> > It is a worm that will
> > - attack MS SQL through port 1434 UDP
> > - generate amazing amounts of traffic outbound
> > - systematically try and find and infect other SQL machines
> >
> > If you are running MS SQL it is listening to port 1434, so you may have
> > a problem.
> >
> > Technical details
> > http://www.nextgenss.com/advisories/mssql-udp.txt
> >
> > Marshall
> >
> > Begin forwarded message:
> >
> >> From: "Jamie - i-Dot"
> >> <>
> >> Date: Sat Jan 25, 2003 03:57:43 AM US/Eastern
> >> To:
> >>
> >> Subject: [isp-webhosting] Re: root server attack
> >> Reply-To:
> >>
> >>
> >> Noticing the same here,
> >>
> >> Some customers seem to be infected / sending out UDP packets to
> >> multicast addresses,
> >>
> >> Tracked it down to SQL server agent on a few boxes...
> >>
> >> Strangely enough, LINX doesn't seem to be showing any excess traffic at
> >> all.
> >>
> >> -----Original Message-----
> >> From: Metanet Help Desk
> >> [mailto:]
> >> Sent: 25 January 2003 07:55
> >> To:
> >>
> >>
> >> We are seeing the signs of a wide-scale attack against root servers on
> >> the internet. This is directed at the internet in general and the
> >> affects are being felt wide-spread. Every other provider we have been
> >> in contact with is aware of this. You may experience intermittent
> >> connectivity issues while these are happening and the connectivity
> >> issues may occur more frequently if these attacks are not stopped
> >> quickly.
> >>
> >>
> >> ----- Original Message -----
> >> From: "Gary Carr"
> >> <>
> >> To:
> >> <>
> >> Sent: Saturday, January 25, 2003 2:08 AM
> >> Subject: [isp-webhosting] Re: Win FTP Servers
> >>
> >>
> >> Anyone have a clue what the major attack going on this am is? All of
> >> our
> >> upstreams over having network-wide problems.
> >>
> >>
> >>
> >> Gary
> >>
> >>
> >>
> >>> At 1/22/2003, you wrote:
> >>>> I'm investigating for an Windows-based FTP server. Security and
> >>>> ease-of-use are my basic concerns. I don't care much about bells and
> >> whistles.
> >>>>
> >>>> Any suggestions?
> >>>
> >>> http://www.wftpd.com/
> >>>
> >>> WFTPD is very easy to setup and maintain. I've been very happy with
> >>> it. And it's cheap.
> >>>
> >>> --Dave
> >>>
> >>>
> >>> __________ The ISP-WEBHOSTING Discussion List __________
> >>> To Join:
> >>> mailto:
> >>> To Remove:
> >>> mailto:
> >>> Archives: http://isp-lists.isp-planet.com/isp-webhosting/archives/
> >>>
> >>
> >>
> >>
> >> __________ The ISP-WEBHOSTING Discussion List __________
> >> To Join:
> >> mailto:
> >> To Remove:
> >> mailto:
> >> Archives: http://isp-lists.isp-planet.com/isp-webhosting/archives/
> >>
> >>
> >>
> >> __________ The ISP-WEBHOSTING Discussion List __________
> >> To Join:
> >> mailto:
> >> To Remove:
> >> mailto:
> >> Archives: http://isp-lists.isp-planet.com/isp-webhosting/archives/
> >>
> >>
> >>
> >>
> >> __________ The ISP-WEBHOSTING Discussion List __________
> >> To Join:
> >> mailto:
> >> To Remove:
> >> mailto:
> >> Archives: http://isp-lists.isp-planet.com/isp-webhosting/archives/
> >>
> > Regards
> > Marshall Eubanks
> >
>
>
> T.M. Eubanks
> Multicast Technologies, Inc.
> 10301 Democracy Lane, Suite 410
> Fairfax, Virginia 22030
> Phone : 703-293-9624 Fax : 703-293-9609
> e-mail :
>
> http://www.multicasttech.com
>
> Test your network for multicast :
> http://www.multicasttech.com/mt/
> Status of Multicast on the Web :
> http://www.multicasttech.com/status/index.html
>
>
- Fwd: [isp-webhosting] Re: root server attack, Marshall Eubanks, 01/25/2003
- Re: [isp-webhosting] Re: root server attack, Marshall Eubanks, 01/25/2003
- Re: [isp-webhosting] Re: root server attack, Prashant Rajvaidya, 01/27/2003
- Re: [isp-webhosting] Re: root server attack, Marshall Eubanks, 01/27/2003
- Re: [isp-webhosting] Re: root server attack, Prashant Rajvaidya, 01/27/2003
- Re: [isp-webhosting] Re: root server attack, Marshall Eubanks, 01/25/2003
Archive powered by MHonArc 2.6.16.