All things related to multicast

[Leonard Giuliano <>]

Here's some of the currently offending hosts.  All of the following are
trying to source > 1000 SAs.  At Paix, there is a 1K per-source limit.
Notice 164.58.207.101 trying to source 9.6 MILLION SAs!!

lenny@paix>
 show msdp source | except "\ 0"
Source address   /Len   Type             Maximum  Threshold   Exceeded
128.95.53.58     /32    Dynamic             1000        900     210253
129.170.217.2    /32    Dynamic             1000        900      36902
129.242.224.172  /32    Dynamic             1000        900      30439
131.252.205.91   /32    Dynamic             1000        900         47
131.252.241.207  /32    Dynamic             1000        900        230
131.252.244.249  /32    Dynamic             1000        900       2078
132.236.68.162   /32    Dynamic             1000        900     702862
132.236.113.38   /32    Dynamic             1000        900       1278
164.58.174.205   /32    Dynamic             1000        900     694339
164.58.175.18    /32    Dynamic             1000        900     497916
164.58.175.109   /32    Dynamic             1000        900     237265
164.58.207.101   /32    Dynamic             1000        900    9602816
212.61.69.89     /32    Dynamic             1000        900      27851

-Lenny

On Mon, 10 May 2004, Michael Hare wrote:

-) Marshall-
-)
-) AS 59 turned back up MSDP peering with AS 2381 ~ 12:10 CST.  We are
-) systematically blackholing infected hosts as we find them.
-)
-) Is this causing problems for people (ie do we need to shut back down?)
-)
-) What prefix are checking for Wisconsin connectivity?  I just checked the
-) Atlanta Abilene M5 for 128.104/16 and it's in the table.
-)
-) -Michael
-)
-) ============================W=========
-) Michael Hare
-) UW-Madison/WiscNet Network Engineering
-) Desk: (608) 262-5236
-) 24 Hr Noc: (608) 263-4188
-)
-) -----Original Message-----
-) From: 

-) 
[mailto:]
 On Behalf Of Marshall Eubanks
-) Sent: Monday, May 10, 2004 1:40 PM
-) To: 

-) Subject: Sasser worm redux ?
-)
-) MSDP SA's are spiking again, and Wisconsin seems to have dropped off of
-) the MBGP Internet.
-)
-) Here is a little info
-)
-) Marshall
-)
-)  Date of MBGP Dump  Mon May 10 12:13:01 EDT 2004
-)
-)  There were 11865 SA-Cache Entries
-)  There were   674 Duplicate S,G Entries
-)  There were  8669 SA-Cache Groups
-)  There were  2529 SA-Cache Sources
-)  There were   299 SA-Cache RPs
-)  There were   167 SA-Cache ASs
-)
-)  The Most Active Group  is   224.2.127.254 with   950 members
-)  The Most Active Source is  128.178.14.235 with  1339 groups
-)  The Most Active RP     is   129.170.9.157 with  2492 entries
-)  The Most Active AS     is           10755 with  2492 entries
-)
-)  There were  8512 Groups with only one Sender
-)
-)  First Octet Histogram
-)
-)  Octet 224 had   1230 entries or  14.19 %
-)  Octet 225 had    523 entries or   6.03 %
-)  Octet 226 had    512 entries or   5.91 %
-)  Octet 227 had    521 entries or   6.01 %
-)  Octet 228 had    506 entries or   5.84 %
-)  Octet 229 had    551 entries or   6.36 %
-)  Octet 230 had    537 entries or   6.19 %
-)  Octet 231 had    530 entries or   6.11 %
-)  Octet 233 had   1105 entries or  12.75 %
-)  Octet 234 had    548 entries or   6.32 %
-)  Octet 235 had    552 entries or   6.37 %
-)  Octet 236 had    517 entries or   5.96 %
-)  Octet 237 had    511 entries or   5.89 %
-)  Octet 238 had    526 entries or   6.07 %
-)
-)  AS  10755 had   2492 entries
-)  AS     26 had   1430 entries
-)  AS    559 had   1363 entries
-)  AS    159 had   1152 entries
-)