
wg-multicast - Re: MSDP SA explosion - sasser worm?

Subject: All things related to multicast

  • From: "Marshall Eubanks" <>
  • To: ,
  • Subject: Re: MSDP SA explosion - sasser worm?
  • Date: Tue, 04 May 2004 09:33:33 -0400

This is the biggest worm attack on MSDP I have yet seen - here is some
information - note the 27331 Groups with only one Sender - a classic
worm indicator.

Marshall


Date of MBGP Dump Tue May 4 06:13:00 EDT 2004

There were 30502 SA-Cache Entries
There were 1005 Duplicate S,G Entries
There were 27453 SA-Cache Groups
There were 2125 SA-Cache Sources
There were 277 SA-Cache RPs
There were 153 SA-Cache ASs

The Most Active Group is 224.2.127.254 with 976 members
The Most Active Source is 130.239.19.66 with 1842 groups
The Most Active RP is 130.239.0.101 with 7505 entries
The Most Active AS is 2833 with 7505 entries

This AS is
2833 SUNET-UMU [BE10] {S-100 44 STOCKHOLM, Sweden}


There were 27331 Groups with only one Sender

First Octet Histogram

Octet 224 had 2242 entries or 8.17 %
Octet 225 had 1926 entries or 7.02 %
Octet 226 had 1955 entries or 7.12 %
Octet 227 had 1895 entries or 6.90 %
Octet 228 had 1899 entries or 6.92 %
Octet 229 had 2012 entries or 7.33 %
Octet 230 had 1881 entries or 6.85 %
Octet 231 had 1948 entries or 7.10 %
Octet 233 had 2243 entries or 8.17 %
Octet 234 had 1851 entries or 6.74 %
Octet 235 had 1898 entries or 6.91 %
Octet 236 had 1908 entries or 6.95 %
Octet 237 had 1861 entries or 6.78 %
Octet 238 had 1934 entries or 7.04 %

AS 2833 had 7505 entries
AS 137 had 7473 entries
AS 680 had 6220 entries
AS 2200 had 2763 entries
AS 2607 had 1570 entries
AS 1955 had 1292 entries
<snip>

On Tue, 4 May 2004 07:12:37 -0400 (EDT) "William F. Maton" <> wrote:
> On Tue, 4 May 2004, Bill Owens wrote:
>
> > FYI, our two Abilene MSDP peers had pushed up to over 45k SAs, so I've
> > now shut them down. It was causing problems for CANARIE, and although our
> > backbone Junipers haven't been affected yet, I'm not willing to take the
> > chance.
> >
> > If things aren't better by the morning I'm going to be working on a
> > filter to see whether I can let at least some of the legitimate sources
> > through, though I'm not exactly sure how to specify that. . .
>
> FWIW, we're seeing 20K+ MSDP entries coming from CANARIE towards us at AS
> 2884. I've had to shut down MSDP peering and it seems there are deeper
> problems within CANARIE's network that are affecting AS2884's downstreams.
>
>
> wfms
>
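
Added example, not part of the original post and not the script that produced the report above: one way to compute the same kind of SA-cache summary, including the "groups with only one sender" count, from a list of SA entries. The (source, group, RP, AS) tuple layout, the scan_threshold cut-off and the sample rows (documentation addresses, private-use AS numbers) are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

def summarize(entries, scan_threshold=20):
    """entries: (source, group, rp, asn) tuples, one per SA-cache entry.
    scan_threshold is an assumed cut-off, not a value from the post."""
    seen, duplicates = set(), 0
    senders = defaultdict(set)            # group -> distinct sources
    per_rp, per_as = Counter(), Counter()
    for src, grp, rp, asn in entries:
        if (src, grp) in seen:
            duplicates += 1               # same (S,G) learned more than once
        seen.add((src, grp))
        senders[grp].add(src)
        per_rp[rp] += 1
        per_as[asn] += 1
    single = {g for g, s in senders.items() if len(s) == 1}
    # Per source, count the groups where it is the only sender.
    lone = Counter(next(iter(senders[g])) for g in single)
    # First-octet histogram, each group counted once.
    octets = Counter(int(g.split(".")[0]) for g in senders)
    return {
        "entries": sum(per_rp.values()),
        "duplicates": duplicates,
        "groups": len(senders),
        "sources": len({s for s, _ in seen}),
        "single_sender_groups": len(single),
        "single_sender_ratio": len(single) / len(senders),
        "top_rp": per_rp.most_common(1)[0],
        "top_as": per_as.most_common(1)[0],
        "octet_histogram": dict(sorted(octets.items())),
        "suspect_sources": sorted(s for s, n in lone.items() if n >= scan_threshold),
    }

def constructed_sample():
    """Constructed data: documentation addresses and private-use AS numbers."""
    rows = [(f"198.51.100.{i}", "224.2.127.254", "203.0.113.1", 64512) for i in (1, 2, 3)]
    rows.append(("198.51.100.1", "224.2.127.254", "203.0.113.2", 64513))  # duplicate S,G
    # One host announcing 45 groups spread over 224/8..238/8, none with another sender.
    for n in range(45):
        group = f"{224 + n % 15}.{n}.{n * 5 % 256}.{n + 1}"
        rows.append(("192.0.2.66", group, "203.0.113.9", 64514))
    return rows

if __name__ == "__main__":
    for key, value in summarize(constructed_sample()).items():
        print(f"{key}: {value}")
```

A high single_sender_ratio together with one source owning most of those groups, spread evenly across first octets, is the pattern the report above calls a worm indicator.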



