Second day of rolling blackouts starts
Jared Mauch
jared at puck.Nether.net
Mon Jan 22 00:53:01 UTC 2001
Cisco is scheduled to have a patch for IOS 12.0(15)S that will
allow you to limit the number of SA's received from a peer (similar to
prefix-limit on bgp session) from what I understand.
You should talk to your cisco reps about that ability in
your software.
- Jared
On Sun, Jan 21, 2001 at 03:16:37PM +0200, Hank Nussbacher wrote:
>
> At 09:43 19/01/01 -0500, Marshall Eubanks wrote:
>
> >Two people have asked me off list about the RAMEN worm,
> >which affects Linux Redhat distro's. Here is brief description of the
> >worm, and a link to more,
> >from Lucy Lynch at Internet2 / UOregon.
> >
> >The multicast implications :
> >
> >This worm scans a portion of the multicast address space. These scans
> >(packets)
> >are viewed as new multicast sources by a PIM multicast enabled router,
> >which encapsulates
> >them and sends them to its RP. The RP creates MSDP Session Announcements
> >FOR EACH SCAN
> >and floods them to every RP neighbor it has in "nearby" AS's, and those
> >repeat the process.
> >The result is a MSDP packet storm. We have gotten 15,000 SA's a minute.
> >Dealing with these
> >can melt down routers. (We had to reboot a Cisco 7204, for example,
> >which apparently either filled
> >up or fragmented its memory beyond usability.)
> >
> >I think it is fair to say that the question of rate limiting and other
> >DOS filtering in
> >PIM/SSM/MSDP multicast is getting serious attention now.
>
> I have installed on my multicast tunnels (one to StarTap and the other to
> Dante/Quantum):
>
> rate-limit input access-group 180 128000 30000 30000 conform-action
> transmit exceed-action drop
> !
> access-list 180 permit tcp any any eq 639
> access-list 180 permit udp any any eq 639
> access-list 180 deny ip any any
>
> IANA has MSDP listed as port 639 - tcp+udp. It appears MSDP is only really
> TCP:
> mcast#sho access-l 180
> Extended IP access list 180
> permit tcp any any eq 639 (1555 matches)
> permit udp any any eq 639
> deny ip any any (37888 matches)
>
> and
>
> mcast#sho in rate
> Tunnel1 Mbone tunnel to Dante
> Input
> matches: access-group 180
> params: 128000 bps, 30000 limit, 30000 extended limit
> conformed 755 packets, 60044 bytes; action: transmit
> exceeded 0 packets, 0 bytes; action: drop
> last packet: 388ms ago, current burst: 0 bytes
> last cleared 00:07:26 ago, conformed 1000 bps, exceeded 0 bps
> Tunnel2 Mbone tunnel to Startap
> Input
> matches: access-group 180
> params: 128000 bps, 30000 limit, 30000 extended limit
> conformed 909 packets, 148937 bytes; action: transmit
> exceeded 0 packets, 0 bytes; action: drop
> last packet: 1048ms ago, current burst: 0 bytes
> last cleared 00:08:48 ago, conformed 2000 bps, exceeded 0 bps
>
> I'll only know tomorrow if I stop getting the constant:
> Jan 21 14:00:03: %SYS-3-CPUHOG: Task ran for 6300 msec (123/75), process =
> MSDP Process, PC = 60790390. -Traceback= 60790398 604146B4 604146A0
> error messages. I don't know whether 128kb/sec of MSDP is too much or too
> little.
>
> -Hank
>
>
>
> >Marshall Eubanks
> >
> >
> >"Lucy E. Lynch" wrote:
> > >
> > > a bit more info on ramen here:
> > >
> > > http://members.home.net/dtmartin24/ramen_worm.txt
> > >
> > > "And now, the contents of that ramen.tgz file: All the binaries are in the
> > > archive twice, with RedHat 6.2 and RedHat 7.0 versions. Numerous binaries
> > > were not stripped, which makes the job of taking them apart easier."
> > >
> > > asp: An xinetd config. file that will start up the fake webserver
> > > Used on RedHat 7.0 victim machines.
> > > asp62: HTTP/0.9-compatible server that always serves out the file
> > > /tmp/ramen.tgz to any request - NOT stripped
> > > asp7: RedHat 7-compiled version - NOT stripped
> > > bd62.sh: Does the setup (installing wormserver, removing vulnerable
> > > programs, adding ftp users) for RedHat 6.2
> > > bd7.sh: Same for RedHat 7.0
> > > getip.sh: Utility script to get the main external IP address
> > > hackl.sh: Driver to read the .l file and pass addresses to lh.sh
> > > hackw.sh: Driver to read the .w file and pass addresses to wh.sh
> > > index.html: HTML document text
> > > l62: LPRng format string exploit program - NOT stripped
> > > l7: Same but compiled for RedHat 7 - stripped
> > > lh.sh: Driver script to execute the LPRng exploit with several
> > > different options
> > > randb62: Picks a random class-B subnet to scan on - NOT stripped
> > > randb7: Same but compiled for RedHat 7 - NOT stripped
> > > s62: statdx exploit - NOT stripped
> > > s7: Same but compiled for RedHat 7 - stripped
> > > scan.sh: get a classB network from randb and run synscan
> > > start.sh: Replace any index.html with the one from the worm; run getip;
> > > determine if we're RedHat 6.2 or 7.0 and run the appropriate
> > > bd*.sh and start*.sh
> > > start62.sh: start (backgrounded) scan.sh, hackl.sh, and hackw.sh
> > > start7.sh: Same as start62.sh
> > > synscan62: Modified synscan tool - records to .w and .l files - stripped
> > > synscan7: Same but compiled for RedHat 7 - stripped
> > > w62: venglin wu-ftpd exploit - stripped
> > > w7: Same but compiled for RedHat 7 - stripped
> > > wh.sh: Driver script to call the "s" and "w" binaries against a given
> > > target
> > > wu62: Apparently only included by mistake. "strings" shows it to be
> > > very similar to w62; nowhere is this binary ever invoked.
> > >
> > > Lucy E. Lynch Academic User Services
> > > Computing Center University of Oregon
> > > llynch at darkwing.uoregon.edu (541) 346-1774
> > > Cell: (541) 912-7998 5419127998 at mobile.att.net
>
--
Jared Mauch | pgp key available via finger from jared at puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
END OF LINE | Manager of IP networks built within my own home
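As an added example (not code from this thread or from Cisco): a minimal model of the per-peer SA limit Jared describes, the MSDP analogue of a BGP prefix-limit, replayed against a constructed flood of announcements of the kind the worm's multicast scans produce. The class, method names and the refuse-on-exceed behaviour are assumptions for illustration.

```python
from collections import defaultdict

# Constructed example, not code from the thread: a minimal MSDP SA cache that
# enforces a per-peer cap on cached (source, group) announcements, the kind of
# "prefix-limit for SAs" that the thread says IOS 12.0(15)S is due to add.
# Names and the refuse-on-exceed behaviour are assumptions for illustration.

class MsdpSaCache:
    def __init__(self, default_limit, per_peer_limit=None):
        self.default_limit = default_limit
        self.per_peer_limit = per_peer_limit or {}
        self.cache = defaultdict(set)    # peer -> {(source, group)}
        self.dropped = defaultdict(int)  # peer -> number of SAs refused

    def limit_for(self, peer):
        return self.per_peer_limit.get(peer, self.default_limit)

    def receive_sa(self, peer, source, group):
        """Return True if the SA is cached (new or refreshed), False if refused."""
        entry = (source, group)
        if entry in self.cache[peer]:
            return True          # refresh of a known SA costs nothing
        if len(self.cache[peer]) >= self.limit_for(peer):
            self.dropped[peer] += 1
            return False         # over the cap: neither cached nor re-flooded
        self.cache[peer].add(entry)
        return True

def replay(cache, announcements):
    """Feed (peer, source, group) triples; return (accepted, refused) counts."""
    accepted = refused = 0
    for peer, source, group in announcements:
        if cache.receive_sa(peer, source, group):
            accepted += 1
        else:
            refused += 1
    return accepted, refused

# Constructed input: one scanning host hitting 200 consecutive groups, each of
# which a PIM router would register as a new source, plus one legitimate (S,G).
SCAN_STORM = [("192.0.2.1", "198.51.100.7", f"224.2.{i}.1") for i in range(1, 201)]
LEGIT = [("203.0.113.9", "203.0.113.50", "233.4.200.1")]

if __name__ == "__main__":
    c = MsdpSaCache(default_limit=50, per_peer_limit={"203.0.113.9": 1000})
    print(replay(c, SCAN_STORM + LEGIT + SCAN_STORM[:5]))
```

The peer carrying the storm is capped at 50 cached SAs while the trusted peer keeps its higher limit, so the flood is contained at the first RP instead of being re-flooded to every neighbor.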