New worm / port 1434?
Marshall Eubanks
tme at multicasttech.com
Sat Jan 25 17:18:15 UTC 2003
Dear Eric;
On Saturday, January 25, 2003, at 10:49 AM, Eric Gauthier wrote:
>
> Ok,
>
> I'm not sure if this helps at all. Our campus has two primary
> connections -
> the main Internet and something called Internet2. Internet2 has a
> routing
> table of order 10,000 routes and includes most top-tier research
> instituations
I would concur. worm is not attacking multicasting in general, but
seems to be generating multicast traffic.
For these two statements to make sense, the IP address scanning must be
very non random. This does not appear
to be the sort of consecutive address block scanning that the RAMEN worm
did.
(BTW, This AM we have 11052 I2 routes vs 116983 in all, or about 9.4% of
the total.)
Marshall
> in the US (and a few other places). By 1am this morning (Eastern US
> time),
> all of our Internet links saturated outbound but we didn't appear to
> see any
> noticable increase in our Internet2 bandwidth. I'm throwing this out
> there
> because it may indicate that the destinations for the traffic - though
> large -
> aren't completely random.
>
> Has anyone else seen this?
>
> Eric :)
>
> PS: Yep - we're a university and we're a source - big surprise
> there... I
> just filtered out our 200Mbps contribution to this problem in case
> you're
> curious...
>
Regards
Marshall Eubanks
This e-mail may contain confidential and proprietary information of
Multicast Technologies, Inc, subject to Non-Disclosure Agreements
T.M. Eubanks
Multicast Technologies, Inc.
10301 Democracy Lane, Suite 410
Fairfax, Virginia 22030
Phone : 703-293-9624 Fax : 703-293-9609
e-mail : tme at multicasttech.com
http://www.multicasttech.com
Test your network for multicast :
http://www.multicasttech.com/mt/
Status of Multicast on the Web :
http://www.multicasttech.com/status/index.html
More information about the NANOG
mailing list