[55140] in North American Network Operators' Group
Re: New worm / port 1434?
daemon@ATHENA.MIT.EDU (Marshall Eubanks)
Sat Jan 25 12:58:40 2003
Date: Sat, 25 Jan 2003 12:18:15 -0500
Cc: nanog@merit.edu
To: Eric Gauthier <eric@roxanne.org>
From: Marshall Eubanks <tme@multicasttech.com>
In-Reply-To: <20030125104901.A31354@roxanne.org>
Errors-To: owner-nanog-outgoing@merit.edu
Dear Eric;
On Saturday, January 25, 2003, at 10:49 AM, Eric Gauthier wrote:
>
> Ok,
>
> I'm not sure if this helps at all. Our campus has two primary
> connections -
> the main Internet and something called Internet2. Internet2 has a
> routing
> table of order 10,000 routes and includes most top-tier research
> instituations
I would concur. worm is not attacking multicasting in general, but
seems to be generating multicast traffic.
For these two statements to make sense, the IP address scanning must be
very non random. This does not appear
to be the sort of consecutive address block scanning that the RAMEN worm
did.
(BTW, This AM we have 11052 I2 routes vs 116983 in all, or about 9.4% of
the total.)
Marshall
> in the US (and a few other places). By 1am this morning (Eastern US
> time),
> all of our Internet links saturated outbound but we didn't appear to
> see any
> noticable increase in our Internet2 bandwidth. I'm throwing this out
> there
> because it may indicate that the destinations for the traffic - though
> large -
> aren't completely random.
>
> Has anyone else seen this?
>
> Eric :)
>
> PS: Yep - we're a university and we're a source - big surprise
> there... I
> just filtered out our 200Mbps contribution to this problem in case
> you're
> curious...
>
Regards
Marshall Eubanks
This e-mail may contain confidential and proprietary information of
Multicast Technologies, Inc, subject to Non-Disclosure Agreements
T.M. Eubanks
Multicast Technologies, Inc.
10301 Democracy Lane, Suite 410
Fairfax, Virginia 22030
Phone : 703-293-9624 Fax : 703-293-9609
e-mail : tme@multicasttech.com
http://www.multicasttech.com
Test your network for multicast :
http://www.multicasttech.com/mt/
Status of Multicast on the Web :
http://www.multicasttech.com/status/index.html
