
wg-multicast - Re: Please filter TCP to 224/4 [was MSDP SA explosion - sasser worm?]

Subject: All things related to multicast

  • From: Amel Caldwell <>
  • To: "Charles R. Anderson" <>
  • Cc:
  • Subject: Re: Please filter TCP to 224/4 [was MSDP SA explosion - sasser worm?]
  • Date: Tue, 4 May 2004 10:31:12 -0700 (Pacific Standard Time)

I have been doing this with ACLs at our borders for a year or so already; this
does not prevent the MSDP SA explosion though.

I think to do this effectively, you would need to do it at the edge via
multicast boundaries and probably through SA filtering as well. In addition
to filtering TCP to 224/4, is it reasonable to filter privileged port (< 1024)
traffic to 224/4? Do multicast boundaries and SA filters have this
capability?

Amel

On Mon, 3 May 2004, Charles R. Anderson wrote:

>Folks, please filter TCP packets destined to 224/4. TCP can't do
>multicast, and that should help reduce the MSDP load caused by Sasser.
>
>Thanks.
>
>On Mon, May 03, 2004 at 12:48:28PM -0700, Amel Caldwell wrote:
>> Actually, I have been looking at the very same thing here at the
>> University of Washington. I picked out six local addresses that were
>> responsible for 800+ SA entries and they all appeared to be infected
>> with SASSER.
>>
>> Amel
>>
>> On Mon, 3 May 2004, Bill Owens wrote:
>>
>> >A pointer on another list got me looking at my MSDP SA cache, with the
>> >suggestion that the sasser worm might be scanning multicast space. I'm not
>> >sure that's the case, since it doesn't look the same as back when ramen was
>> >hitting us, but there's definitely something going on. My SA cache is
>> >currently at 33k and rising.
>> >
>> >Bill.
>> >
>> >
>>
>
>
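
Added example, not written by anyone in this thread: a Python model of the two checks discussed above, the border rule that drops TCP to 224/4 (with the privileged-port rule from the question as an option) and a per-source count of distinct groups to find hosts like the six behind 800+ SA entries. The flow records, addresses and threshold are constructed, and the count assumes one SA entry per (source, group) pair.

```python
import ipaddress
from collections import defaultdict

MCAST = ipaddress.ip_network("224.0.0.0/4")
TCP, UDP = 6, 17  # IP protocol numbers

def acl_action(flow, deny_privileged=False):
    """Decide what a border ACL of the kind discussed would do with one flow."""
    _src, dst, proto, dport = flow
    if ipaddress.ip_address(dst) not in MCAST:
        return "permit"   # not multicast, out of scope for this rule set
    if proto == TCP:
        return "deny"     # TCP is unicast-only, so it is never valid to 224/4
    if deny_privileged and dport < 1024:
        return "deny"     # optional rule raised as a question in the reply
    return "permit"

def sa_entries_per_source(flows):
    """Count distinct (source, group) pairs per source (assumed: one SA entry each)."""
    groups = defaultdict(set)
    for src, dst, _proto, _dport in flows:
        if ipaddress.ip_address(dst) in MCAST:
            groups[src].add(dst)
    return {src: len(g) for src, g in groups.items()}

def noisy_sources(flows, threshold):
    """Sources whose distinct-group count reaches the (hypothetical) threshold."""
    counts = sa_entries_per_source(flows)
    return sorted(s for s, n in counts.items() if n >= threshold)

def sample_flows():
    """Constructed records: one host sweeping 224/4 over TCP, one ordinary UDP sender."""
    base = ipaddress.ip_address("224.1.0.0")
    sweep = [("192.0.2.10", str(base + i), TCP, 445) for i in range(300)]
    normal = [("192.0.2.20", "233.252.0.5", UDP, 5004)] * 50
    unicast = [("192.0.2.10", "198.51.100.7", TCP, 445)]
    return sweep + normal + unicast

if __name__ == "__main__":
    flows = sample_flows()
    denied = sum(acl_action(f) == "deny" for f in flows)
    print("denied by ACL:", denied, "of", len(flows))
    print("per-source group counts:", sa_entries_per_source(flows))
    print("sources over threshold:", noisy_sources(flows, 100))
```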



