On Sat, 25 Jan 2003, Marshall Eubanks wrote: > Can you give me any information about which multicast group addresses > were being attacked ?
I didn't have any logging turned on at the time so I don't have the addresses laying around. I just remember I had a storm of traffic trying to go to addresses between 224.x.x.x and 247.x.x.x - the addresses looked fairly random though. It may have been just a result of whatever random address algorithm was being used. Since I don't route multicast, it stayed local to the network segment but every host on the segment saw the traffic. > I have seen very little sign of this worm in interdomain multicast; it > does not seem > to be causing MSDP havoc the way that the RAMEN worm did. > > Regards > Marshall Eubanks > > > On Saturday, January 25, 2003, at 06:00 AM, [EMAIL PROTECTED] wrote: > > > > > This one seemed to be particularly nasty as it was generating traffic to > > multicast addresses too. It caused a nice flood on the switched ethernet > > segment I had a vulnerable box on. (And took out a router in the > > process. > > Great fun.) > > > > William Astle > > finger [EMAIL PROTECTED] for further information > > > > Geek Code V3.12: GCS/M/S d- s+:+ !a C++ UL++++$ P++ L+++ !E W++ !N > > w--- !O > > !M PS PE V-- Y+ PGP t+@ 5++ X !R tv+@ b+++@ !DI D? G e++ h+ y? > > > > > T.M. Eubanks > Multicast Technologies, Inc. > 10301 Democracy Lane, Suite 410 > Fairfax, Virginia 22030 > Phone : 703-293-9624 Fax : 703-293-9609 > e-mail : [EMAIL PROTECTED] > http://www.multicasttech.com > > Test your network for multicast : > http://www.multicasttech.com/mt/ > Status of Multicast on the Web : > http://www.multicasttech.com/status/index.html > William Astle finger [EMAIL PROTECTED] for further information Geek Code V3.12: GCS/M/S d- s+:+ !a C++ UL++++$ P++ L+++ !E W++ !N w--- !O !M PS PE V-- Y+ PGP t+@ 5++ X !R tv+@ b+++@ !DI D? G e++ h+ y?