wg-multicast - Re: [isp-webhosting] Re: root server attack
Subject: All things related to multicast
List archive
- From: Marshall Eubanks <>
- To: Prashant Rajvaidya <>
- Cc: , , ,
- Subject: Re: [isp-webhosting] Re: root server attack
- Date: Mon, 27 Jan 2003 08:13:15 -0500
Interesting. Assuming that these are for Friday night / Saturday morning, you show 10K + groups
(and thus 10K + SA"s) on Saturday at midnight EST. I did not see this.
Sat Midnight EST - 2709 SA messages from 1412 groups - pretty normal
Sat 6:00 AM EST - 3989 SA Messages from 3241 groups - not normal
So, you see 10K, I see 2K. Someone was doing something.
Saturday _after_ Midnight EST I lost MBGP to the following ASN -
AS 160 U-CHICAGO-AS : 1 prefixes : 1 prefixes & 1 ASN supported : 4 hops : as path 145 11537 22335 160
AS 1657 LOUISVILLE : 1 prefixes : 1 prefixes & 1 ASN supported : 4 hops : as path 145 11537 3714 1657
AS 1715 unknown : 4 prefixes : 4 prefixes & 1 ASN supported : 5 hops : as path 145 11537 20965 2200 1715
AS 3714 KEC-NET : 1 prefixes : 2 prefixes & 2 ASN supported : 3 hops : as path 145 11537 3714
AS 6356 NERDCNET : 4 prefixes : 4 prefixes & 1 ASN supported : 4 hops : as path 145 11537 11095 6356
AS 6867 RIPE-ASNBLOCK6 : 2 prefixes : 2 prefixes & 1 ASN supported : 5 hops : as path 145 11537 20965 5408 6867
AS 8071 MICROSOFT-AS-BLOCK : 1 prefixes : 1 prefixes & 1 ASN supported : 4 hops : as path 145 11537 101 8071
AS 8158 LUCENT-WHATS : 1 prefixes : 1 prefixes & 1 ASN supported : 4 hops : as path 1239 10888 704 8158
AS 8865 RIPE-ASNBLOCK7 : 2 prefixes : 2 prefixes & 1 ASN supported : 5 hops : as path 145 11537 20965 8501 8865
AS 17055 UTAH : 6 prefixes : 6 prefixes & 1 ASN supported : 4 hops : as path 145 11537 210 17055
AS 19149 MOTLABS : 1 prefixes : 1 prefixes & 1 ASN supported : 4 hops : as path 145 11537 22335 19149
AS 20130 DEPAUL : 2 prefixes : 2 prefixes & 1 ASN supported : 4 hops : as path 145 11537 22335 20130
So, I conclude that some people out there did something to mitigate the damage coming to us, but not to you.
I would be curious to learn what was done and where.
Marshall
On Monday, January 27, 2003, at 07:16 AM, Prashant Rajvaidya wrote:
FYI, I have put some interesting Charts, Statistics and a Topology-Map at
the following location:
http://www.nmsl.cs.ucsb.edu/mantra/ries/sapphire/
I hope that this page can provide some more insight.
--prashant
On Sat, 25 Jan 2003, Marshall Eubanks wrote:
Note : I do not see any indication of RAMEN worm type MSDP havoc - but
I have received confirmation about the targeting of Multicast group
addresses.
However, one thing I do note is that the number of NLANR beacons we can
see has gone
down by about 1/2. Since the beacons still seem to be there, this may
indicate that people are shutting down MSDP or
that there are other problems.
i
Marshall
On Saturday, January 25, 2003, at 11:04 AM, Marshall Eubanks wrote:
Some of you may have heard about the 1434 worm :
This is a very bad attack going on today since about midnight EST last
night.
The message below indicates that the worm may be sending UDP Multicast.
If so, this may cause real
problems with MSDP, along the lines of the Ramen worm.
I haven't seen anything yet, but MSDP peers should probably watch out.
It is a worm that will
- attack MS SQL through port 1434 UDP
- generate amazing amounts of traffic outbound
- systematically try and find and infect other SQL machines
If you are running MS SQL it is listening to port 1434, so you may have
a problem.
Technical details
http://www.nextgenss.com/advisories/mssql-udp.txt
Marshall
Begin forwarded message:
From: "Jamie - i-Dot"
<>
Date: Sat Jan 25, 2003 03:57:43 AM US/Eastern
To:
Subject: [isp-webhosting] Re: root server attack
Reply-To:
Noticing the same here,
Some customers seem to be infected / sending out UDP packets to
multicast addresses,
Tracked it down to SQL server agent on a few boxes...
Strangely enough, LINX doesn't seem to be showing any excess traffic at
all.
-----Original Message-----
T.M. Eubanks
Multicast Technologies, Inc.
10301 Democracy Lane, Suite 410
Fairfax, Virginia 22030
Phone : 703-293-9624 Fax : 703-293-9609
e-mail :
http://www.multicasttech.com
Test your network for multicast :
http://www.multicasttech.com/mt/
Status of Multicast on the Web :
http://www.multicasttech.com/status/index.html
- Fwd: [isp-webhosting] Re: root server attack, Marshall Eubanks, 01/25/2003
- Re: [isp-webhosting] Re: root server attack, Marshall Eubanks, 01/25/2003
- Re: [isp-webhosting] Re: root server attack, Prashant Rajvaidya, 01/27/2003
- Re: [isp-webhosting] Re: root server attack, Marshall Eubanks, 01/27/2003
- Re: [isp-webhosting] Re: root server attack, Prashant Rajvaidya, 01/27/2003
- Re: [isp-webhosting] Re: root server attack, Marshall Eubanks, 01/25/2003
Archive powered by MHonArc 2.6.16.