On Sat, 25 Jan 2003, Marshall Eubanks wrote:
Can you give me any information about which multicast group addresses were being attacked ?
I didn't have any logging turned on at the time so I don't have the addresses laying around. I just remember I had a storm of traffic trying to go to addresses between 224.x.x.x and 247.x.x.x - the addresses looked fairly random though. It may have been just a result of whatever random address algorithm was being used. Since I don't route multicast, it stayed local to the network segment but every host on the segment saw the traffic.
I have seen very little sign of this worm in interdomain multicast; it does not seem to be causing MSDP havoc the way that the RAMEN worm did.
Regards Marshall Eubanks
On Saturday, January 25, 2003, at 06:00 AM, lost@l-w.net wrote:
This one seemed to be particularly nasty as it was generating traffic to multicast addresses too. It caused a nice flood on the switched ethernet segment I had a vulnerable box on. (And took out a router in the process. Great fun.)
William Astle finger lost@l-w.net for further information
Geek Code V3.12: GCS/M/S d- s+:+ !a C++ UL++++$ P++ L+++ !E W++ !N w--- !O !M PS PE V-- Y+ PGP t+@ 5++ X !R tv+@ b+++@ !DI D? G e++ h+ y?
T.M. Eubanks Multicast Technologies, Inc. 10301 Democracy Lane, Suite 410 Fairfax, Virginia 22030 Phone : 703-293-9624 Fax : 703-293-9609 e-mail : tme@multicasttech.com http://www.multicasttech.com
Test your network for multicast : http://www.multicasttech.com/mt/ Status of Multicast on the Web : http://www.multicasttech.com/status/index.html
William Astle finger lost@l-w.net for further information Geek Code V3.12: GCS/M/S d- s+:+ !a C++ UL++++$ P++ L+++ !E W++ !N w--- !O !M PS PE V-- Y+ PGP t+@ 5++ X !R tv+@ b+++@ !DI D? G e++ h+ y?