All things related to multicast

[Marshall Eubanks <>]

Interesting. Assuming that these are for Friday night / Saturday 
morning, you show 10K + groups
(and thus 10K + SA"s) on Saturday at midnight EST. I did not see this.

Sat Midnight EST -  2709 SA messages from 1412 groups - pretty normal
Sat 6:00 AM EST  - 3989 SA Messages from  3241 groups - not normal

So, you see 10K, I see 2K. Someone was doing something.

Saturday _after_  Midnight EST I lost MBGP to the following ASN -

 AS    160  U-CHICAGO-AS                    :    1 prefixes :    1 
prefixes &    1 ASN supported :   4 hops : as path   145 11537 22335   
160
 AS   1657  LOUISVILLE                      :    1 prefixes :    1 
prefixes &    1 ASN supported :   4 hops : as path   145 11537  3714  
1657
 AS   1715  unknown                         :    4 prefixes :    4 
prefixes &    1 ASN supported :   5 hops : as path   145 11537 20965  
2200  1715
 AS   3714  KEC-NET                         :    1 prefixes :    2 
prefixes &    2 ASN supported :   3 hops : as path   145 11537  3714
 AS   6356  NERDCNET                        :    4 prefixes :    4 
prefixes &    1 ASN supported :   4 hops : as path   145 11537 11095  
6356
 AS   6867  RIPE-ASNBLOCK6                  :    2 prefixes :    2 
prefixes &    1 ASN supported :   5 hops : as path   145 11537 20965  
5408  6867
 AS   8071  MICROSOFT-AS-BLOCK              :    1 prefixes :    1 
prefixes &    1 ASN supported :   4 hops : as path   145 11537   101  
8071
 AS   8158  LUCENT-WHATS                    :    1 prefixes :    1 
prefixes &    1 ASN supported :   4 hops : as path  1239 10888   704  
8158
 AS   8865  RIPE-ASNBLOCK7                  :    2 prefixes :    2 
prefixes &    1 ASN supported :   5 hops : as path   145 11537 20965  
8501  8865
 AS  17055  UTAH                            :    6 prefixes :    6 
prefixes &    1 ASN supported :   4 hops : as path   145 11537   210 
17055
 AS  19149  MOTLABS                         :    1 prefixes :    1 
prefixes &    1 ASN supported :   4 hops : as path   145 11537 22335 
19149
 AS  20130  DEPAUL                          :    2 prefixes :    2 
prefixes &    1 ASN supported :   4 hops : as path   145 11537 22335 
20130


So, I conclude that some people out there did something to mitigate the 
damage coming to us, but not to you.
I would be curious to learn  what was done and where.

Marshall

On Monday, January 27, 2003, at 07:16  AM, Prashant Rajvaidya wrote:

> FYI, I have put some interesting Charts, Statistics and a Topology-Map 
> at
> the following location:
>         http://www.nmsl.cs.ucsb.edu/mantra/ries/sapphire/
>
> I hope that this page can provide some more insight.
>
> --prashant
>
> On Sat, 25 Jan 2003, Marshall Eubanks wrote:
>
> > Note : I do not see any indication  of RAMEN worm type MSDP havoc - but
> > I have received confirmation about the targeting of Multicast group
> > addresses.
> >
> > However, one thing I do note is that the number of NLANR beacons we can
> > see has gone
> > down by about 1/2. Since the beacons still seem to be there, this may
> > indicate that people are shutting down MSDP or
> > that there are other problems.
> > i
> > Marshall
> >
> > On Saturday, January 25, 2003, at 11:04  AM, Marshall Eubanks wrote:
> >
> > > Some of you may have heard about the 1434 worm :
> > >
> > > This is a very bad attack going on today since about midnight EST last
> > > night.
> > >
> > > The message below indicates that the worm may be sending UDP 
> > > Multicast.
> > > If so, this may cause real
> > > problems with MSDP, along the lines of the Ramen worm.
> > > I haven't seen anything yet, but MSDP peers should probably watch out.
> > >
> > > It is a worm that will
> > > - attack MS SQL through port 1434 UDP
> > > - generate amazing amounts of traffic outbound
> > > - systematically try and find and infect other SQL machines
> > >
> > > If you are running MS SQL it is listening to port 1434, so you may 
> > > have
> > > a problem.
> > >
> > > Technical details
> > > http://www.nextgenss.com/advisories/mssql-udp.txt
> > >
> > > Marshall
> > >
> > > Begin forwarded message:
> > >
> > > > From: "Jamie - i-Dot" 
> > > > <>
> > > > Date: Sat Jan 25, 2003  03:57:43  AM US/Eastern
> > > > To: 
> > > >
> > > > Subject: [isp-webhosting] Re: root server attack
> > > > Reply-To: 
> > > >
> > > >
> > > > Noticing the same here,
> > > >
> > > > Some customers seem to be infected / sending out UDP packets to
> > > > multicast addresses,
> > > >
> > > > Tracked it down to SQL server agent on a few boxes...
> > > >
> > > > Strangely enough, LINX doesn't seem to be showing any excess traffic 
> > > > at
> > > > all.
> > > >
> > > > -----Original Message-----

T.M. Eubanks
Multicast Technologies, Inc.
10301 Democracy Lane, Suite 410
Fairfax, Virginia 22030
Phone : 703-293-9624       Fax     : 703-293-9609
e-mail : 

http://www.multicasttech.com

Test your network for multicast :
http://www.multicasttech.com/mt/
 Status of Multicast on the Web  :
 http://www.multicasttech.com/status/index.html