Microsoft SOHO router multicast problem? - or maybe it's just doing what it's supposed to be doing...
Mark Radabaugh
mark at amplex.net
Fri Apr 15 07:47:02 UTC 2005
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Chance Whaley wrote:
| Sorry about that. Didn't look in detail. Saw the UDP port 6257 and
| stopped.
|
| The mcast is coming from someplace upstream from
| fastethernet-0-0.genoa-gw.amplex.net (that is if I did my mcast
| MAC to mcast IP conversion right). Without knowing your topology
| and seeing more traffic it's kinda hard to figure out.
|
|
| If you want to send more traffic captures I will be happy to look
| at them.
|
| .chance
|
The destination mac address the routers start using is
01:00:5e:76:6c:7e. The 01:00:5e is the ethernet multicast header.
The 76:6c:7e is supposed to be the lower 23 bits of the Ethernet
multicast address - which translates to 118.108.126. With the 23
bits from the multicast spec for encoding the IP address 118 is the
correct conversion of 246 with the high bit stripped off.
The gateway on this subnet is 64.246.108.126 (netmask is 255.255.255.0
but originally was .128 - hence the odd spot for the gateway).
The routers decided to convert a mangled unicast packet to a multicast
packet - for them to then loop on it is even stranger. It makes for a
pretty good DOS attack. 2 or more of these routers in a broadcast
domain can get ugly in a hurry.
Mark
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFCX3F2g0PQSWMG2wsRAhYaAKCDeTpKF1QuDhX82rQIOpPTQW4xwACggXhd
uHRnFxzmWbrfHSvZGS9ljrs=
=IcaN
-----END PGP SIGNATURE-----
More information about the NANOG
mailing list