wg-multicast - RE: Sasser worm redux ?
Subject: All things related to multicast
List archive
- From: Amel Caldwell <>
- To: Leonard Giuliano <>
- Cc: Michael Hare <>, "'Marshall Eubanks'" <>,
- Subject: RE: Sasser worm redux ?
- Date: Mon, 10 May 2004 14:53:05 -0700 (Pacific Standard Time)
I had 128.95.53.58 and two other busy hosts at the UW removed from the
network for cleaning up.
Amel
On Mon, 10 May 2004, Leonard Giuliano wrote:
>
>Here's some of the currently offending hosts. All of the following are
>trying to source > 1000 SAs. At Paix, there is a 1K per-source limit.
>Notice 164.58.207.101 trying to source 9.6 MILLION SAs!!
>
>lenny@paix>
> show msdp source | except "\ 0"
>Source address /Len Type Maximum Threshold Exceeded
>128.95.53.58 /32 Dynamic 1000 900 210253
>129.170.217.2 /32 Dynamic 1000 900 36902
>129.242.224.172 /32 Dynamic 1000 900 30439
>131.252.205.91 /32 Dynamic 1000 900 47
>131.252.241.207 /32 Dynamic 1000 900 230
>131.252.244.249 /32 Dynamic 1000 900 2078
>132.236.68.162 /32 Dynamic 1000 900 702862
>132.236.113.38 /32 Dynamic 1000 900 1278
>164.58.174.205 /32 Dynamic 1000 900 694339
>164.58.175.18 /32 Dynamic 1000 900 497916
>164.58.175.109 /32 Dynamic 1000 900 237265
>164.58.207.101 /32 Dynamic 1000 900 9602816
>212.61.69.89 /32 Dynamic 1000 900 27851
>
>-Lenny
>
>On Mon, 10 May 2004, Michael Hare wrote:
>
>-) Marshall-
>-)
>-) AS 59 turned back up MSDP peering with AS 2381 ~ 12:10 CST. We are
>-) systematically blackholing infected hosts as we find them.
>-)
>-) Is this causing problems for people (ie do we need to shut back down?)
>-)
>-) What prefix are checking for Wisconsin connectivity? I just checked the
>-) Atlanta Abilene M5 for 128.104/16 and it's in the table.
>-)
>-) -Michael
>-)
>-) ============================W=========
>-) Michael Hare
>-) UW-Madison/WiscNet Network Engineering
>-) Desk: (608) 262-5236
>-) 24 Hr Noc: (608) 263-4188
>-)
>-) -----Original Message-----
>-) From:
>
>-)
>[mailto:]
> On Behalf Of Marshall Eubanks
>-) Sent: Monday, May 10, 2004 1:40 PM
>-) To:
>
>-) Subject: Sasser worm redux ?
>-)
>-) MSDP SA's are spiking again, and Wisconsin seems to have dropped off of
>-) the MBGP Internet.
>-)
>-) Here is a little info
>-)
>-) Marshall
>-)
>-) Date of MBGP Dump Mon May 10 12:13:01 EDT 2004
>-)
>-) There were 11865 SA-Cache Entries
>-) There were 674 Duplicate S,G Entries
>-) There were 8669 SA-Cache Groups
>-) There were 2529 SA-Cache Sources
>-) There were 299 SA-Cache RPs
>-) There were 167 SA-Cache ASs
>-)
>-) The Most Active Group is 224.2.127.254 with 950 members
>-) The Most Active Source is 128.178.14.235 with 1339 groups
>-) The Most Active RP is 129.170.9.157 with 2492 entries
>-) The Most Active AS is 10755 with 2492 entries
>-)
>-) There were 8512 Groups with only one Sender
>-)
>-) First Octet Histogram
>-)
>-) Octet 224 had 1230 entries or 14.19 %
>-) Octet 225 had 523 entries or 6.03 %
>-) Octet 226 had 512 entries or 5.91 %
>-) Octet 227 had 521 entries or 6.01 %
>-) Octet 228 had 506 entries or 5.84 %
>-) Octet 229 had 551 entries or 6.36 %
>-) Octet 230 had 537 entries or 6.19 %
>-) Octet 231 had 530 entries or 6.11 %
>-) Octet 233 had 1105 entries or 12.75 %
>-) Octet 234 had 548 entries or 6.32 %
>-) Octet 235 had 552 entries or 6.37 %
>-) Octet 236 had 517 entries or 5.96 %
>-) Octet 237 had 511 entries or 5.89 %
>-) Octet 238 had 526 entries or 6.07 %
>-)
>-) AS 10755 had 2492 entries
>-) AS 26 had 1430 entries
>-) AS 559 had 1363 entries
>-) AS 159 had 1152 entries
>-)
>
>
- Sasser worm redux ?, Marshall Eubanks, 05/10/2004
- RE: Sasser worm redux ?, Michael Hare, 05/10/2004
- RE: Sasser worm redux ?, Leonard Giuliano, 05/10/2004
- RE: Sasser worm redux ?, shep, 05/10/2004
- RE: Sasser worm redux ?, Amel Caldwell, 05/10/2004
- RE: Sasser worm redux ?, Leonard Giuliano, 05/10/2004
- RE: Sasser worm redux ?, Michael Hare, 05/10/2004
Archive powered by MHonArc 2.6.16.