Skip to Content.
Sympa Menu

wg-multicast - Re: Multicast group count spike

Subject: All things related to multicast

List archive

Re: Multicast group count spike


Chronological Thread 
  • From: Simon Leinen <>
  • To: "Taylor, Scott J." <>
  • Cc: <>
  • Subject: Re: Multicast group count spike
  • Date: Sun, 15 Feb 2009 08:50:57 +0100

Taylor, Scott J writes:
> We are seeing a noticeable multicast group count increase this morning.
> It looks like the group 224.9.9.9 accounts for most of the increase.

Interesting. I hacked up a small Perl script[1] to walk a router's
MSDP cache and summarize the most prevalent groups. 224.9.9.9 has 524
sources, most of them announced from AS55 (UPenn).

524 224.9.9.9
455 AS55
32 AS20130
23 AS7386
7 AS26934
3 AS34
1 AS12145
1 AS1103
1 AS2833
1 AS683

Cursory manual inspection indicates that many sources are in wireless
and dormitory nets, but then that's probably just where most
innovation is taking place, especially on week-ends.

> Are other people seeing this group and these sources or are you
> dropping these at your edge? From what I found it looks like this
> group is likely something to do with SQUID proxy configuration and
> not legitimate traffic that users on our network would be interested
> in.

Maybe these (few) wireless and dorm nets distribute a multicast-
enabled Squid configuration, and let those multicasts leak out.
Anyone in contact with the UPenn wireless/dorm net folks can check?

If you filter out announcements for groups outside the official ranges
(see Chuck Anderson's pointer to the secure multicast template), you
won't see this. Personally I'm a little reluctant to do that, because
I don't want to stifle accidental discoveries of useful cross-site
multicast applications by curious students/researchers.
--
Simon.
[1]
#!/usr/bin/perl -w
###
### Run over a text file containing "show ip msdp sa-cache" output.
### This will show the top groups according to source count, and break
### down the sources by MSDP origin AS for each group.

use strict;
use warnings;

sub read_msdp_dump ();
sub write_output ();

## Only groups with at least this many sources will be listed.
##
my $source_threshold = 100;

## Only ASes originating at least this many sources will be listed for
## each group listed.
##
my $as_threshold = 2;

my %source_count = ();
my %sources = ();

read_msdp_dump;
write_output;

sub read_msdp_dump () {
while (<>) {
next if /^\d+ matches for /;
if (/\(([0-9.]{7,15}), ([0-9.]{7,15})\), RP ([0-9.]{7,15}), MBGP\/AS
(\d+), (.*), Peer ([0-9.]{7,15})/) {
my ($s, $g, $rp, $as, $uptime, $peer) = ($1, $2, $3, $4, $5, $6,
$7);
++$source_count{$g};
push @{$sources{$g}}, [$s, $as];
}
}
1;
}

sub write_output () {
foreach my $g (sort { $source_count{$b} <=> $source_count{$a} } keys
%source_count) {
last if $source_count{$g} < $source_threshold;
printf "%6d %15s\n", $source_count{$g}, $g;
my %by_as = ();
foreach my $source (@{$sources{$g}}) {
++$by_as{$source->[1]};
}
foreach my $as (sort { $by_as{$b} <=> $by_as{$a} } keys %by_as) {
last unless $by_as{$as} >= $as_threshold;
printf " %6d AS%d\n", $by_as{$as}, $as;
}
}
}



Archive powered by MHonArc 2.6.16.

Top of Page