All things related to multicast

["Marshall Eubanks" <>]

Anyone else seeing msdp storms ? I am seeing something, but it's not entirely 
typical of a worm (it's dominated by 224 traffic).

Marshall

 Date of MBGP Dump  Wed Sep 15 17:35:14 EDT 2004
 
 There were 16499 SA-Cache Entries      
 There were  1379 Duplicate S,G Entries 
 There were  8910 SA-Cache Groups       
 There were  3044 SA-Cache Sources      
 There were   321 SA-Cache RPs          
 There were   183 SA-Cache ASs          
 
 The Most Active Group  is   224.2.127.254 with  1398 members 
 The Most Active Source is    198.58.5.249 with  3504 groups 
 The Most Active RP     is  145.145.255.10 with  3825 entries 
 The Most Active AS     is            1103 with  3837 entries 
 
 There were  5612 Groups with only one Sender      
 
 First Octet Histogram
 
 Octet 224 had   1001 entries or  11.23 % 
 Octet 225 had    602 entries or   6.76 % 
 Octet 226 had    569 entries or   6.39 % 
 Octet 227 had    602 entries or   6.76 % 
 Octet 228 had    562 entries or   6.31 % 
 Octet 229 had    594 entries or   6.67 % 
 Octet 230 had    596 entries or   6.69 % 
 Octet 231 had    570 entries or   6.40 % 
 Octet 233 had    873 entries or   9.80 % 
 Octet 234 had    559 entries or   6.27 % 
 Octet 235 had    661 entries or   7.42 % 
 Octet 236 had    575 entries or   6.45 % 
 Octet 237 had    587 entries or   6.59 % 
 Octet 238 had    558 entries or   6.26 % 
 Octet 239 had      1 entries or   0.01 % 


--- the forwarded message follows ---

--- Begin Message ---

• From: "Robert Scott" <>
• To: <>
• Subject: Excessive Internet Traffic
• Date: Wed, 15 Sep 2004 11:58:12 -0400

The University of Central Florida has seen a sudden jump in tcp 445
denies. It began a little after 9:00 AM EDST. New Worm?

I am denying about 32 thousand packets per second. IP Cache flow show
them well spread over a wide range of addresses, targeted at what
apeears to be a random sample of my class B. The ACL on our border
router is taking 21 million denies every 10 minutes.

60 deny tcp any any eq 445 (346740094 matches)

The packets are small, since I am seeing a large nuber of packets, but
the bit count is low.
30 second input rate 72679000 bits/sec, 41033 packets/sec
30 second output rate 29208000 bits/sec, 7687 packets/sec
Input bits per second are a little above normal, but the packet count
would normally be under 10000 not 41000.

Ideas?

TIA

AppleBees says "No Anheuser"
Robert Scott says "NO APPLEBEES!"
Join The Boycott!

Robert D. Scott
Associate Director
Computer Services and Telecommunications
Network Operations
University of Central Florida

CSB-310
407-823-0662 Voice
407-823-5476 FAX
345-0662 Sun-Com
877-549-5390 Pager


--- End Message ---