New worm / port 1434?

lost at l-w.net lost at l-w.net
Sat Jan 25 16:28:00 UTC 2003


On Sat, 25 Jan 2003, Marshall Eubanks wrote:

> Can you give me any information about which multicast group addresses
> were being attacked ?

I didn't have any logging turned on at the time so I don't have the
addresses lying around. I just remember I had a storm of traffic trying
to go to addresses between 224.x.x.x and 247.x.x.x - the addresses looked
fairly random though. It may have been just a result of whatever random
address algorithm was being used. Since I don't route multicast, it stayed
local to the network segment but every host on the segment saw the
traffic.

> I have seen very little sign of this worm in interdomain multicast; it
> does not seem to be causing MSDP havoc the way that the RAMEN worm did.
>
>                                   Regards
>                                   Marshall Eubanks
>
>
> On Saturday, January 25, 2003, at 06:00  AM, lost at l-w.net wrote:
>
> >
> > This one seemed to be particularly nasty as it was generating traffic to
> > multicast addresses too. It caused a nice flood on the switched ethernet
> > segment I had a vulnerable box on.  (And took out a router in the
> > process. Great fun.)
> >
> > William Astle
> > finger lost at l-w.net for further information
> >
> > Geek Code V3.12: GCS/M/S d- s+:+ !a C++ UL++++$ P++ L+++ !E W++ !N w--- !O
> > !M PS PE V-- Y+ PGP t+@ 5++ X !R tv+@ b+++@ !DI D? G e++ h+ y?
> >
>
>
> T.M. Eubanks
> Multicast Technologies, Inc.
> 10301 Democracy Lane, Suite 410
> Fairfax, Virginia 22030
> Phone : 703-293-9624       Fax     : 703-293-9609
> e-mail : tme at multicasttech.com
> http://www.multicasttech.com
>
> Test your network for multicast :
> http://www.multicasttech.com/mt/
>   Status of Multicast on the Web  :
>   http://www.multicasttech.com/status/index.html
>

William Astle
finger lost at l-w.net for further information

Geek Code V3.12: GCS/M/S d- s+:+ !a C++ UL++++$ P++ L+++ !E W++ !N w--- !O
!M PS PE V-- Y+ PGP t+@ 5++ X !R tv+@ b+++@ !DI D? G e++ h+ y?


