[55157] in North American Network Operators' Group
Re: Worm / UDP1434
daemon@ATHENA.MIT.EDU (K. Scott Bethke)
Sat Jan 25 14:36:57 2003
From: "K. Scott Bethke" <kbethke@thruport.com>
To: "Freedman David" <David.Freedman@netscalibur.co.uk>,
<nanog@nanog.org>
Date: Sat, 25 Jan 2003 13:02:08 -0500
Errors-To: owner-nanog-outgoing@merit.edu
David,
----- Original Message -----
From: "Freedman David" <David.Freedman@netscalibur.co.uk>
> Anybody here on list using Extreme products (Summit/Alpine/Blackdiamond)?
> They sure don't like this traffic one bit. It causes them to not only drop
> traffic, but spew out every available error message under the sun...
We use Extremes in our core and it did not log much other than CPU issues:
01/25/2003 02:20.23 <INFO:SYST> task tNetTask cpu utilization is 88% PC: 80266eb4
01/25/2003 02:20.23 <CRIT:SYST> task tNetTask cpu utilization is 88% PC: 80266eb4
and...
01/25/2003 02:24.43 <INFO:SYST> task tNetTask cpu utilization is 93% PC: 80266eb4
01/25/2003 02:24.42 <CRIT:SYST> task tNetTask cpu utilization is 93% PC: 80266eb4
I did notice console messages while investigating the sources of the
traffic, but of course have no log of them now. The switches stayed up the
whole time though (yay).
Also picked up some strange messages from one of the offenders:
01/25/2003 02:23.48 <WARN:IPRT> IGMP: snooping.c 376: updateGroupSenderListPortMask: PTAGalloc 237.189.185.65/64.237.99.79
01/25/2003 02:23.48 <WARN:IPRT> IGMP: snooping.c 376: updateGroupSenderListPortMask: PTAGalloc 237.137.210.243/64.237.99.79
01/25/2003 02:23.48 <WARN:IPRT> IGMP: snooping.c 376: updateGroupSenderListPortMask: PTAGalloc 225.134.14.67/64.237.99.79
No idea yet what that is, though I assume it is coming from the monitor
port.
-Scotty
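
An added example, not part of the original message: a small triage script for switch logs in the format quoted above. It reports the peak CPU per task and lists senders that appear against several distinct multicast groups. Reading the `PTAGalloc a/b` pair as group/sender is an assumption, as are the thresholds and the 192.0.2.7 entry, which is constructed for contrast.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the quoted log format; some entries are wrapped across
# two lines, as happens when logs are pasted into mail. 192.0.2.7 is invented.
SAMPLE = """\
01/25/2003 02:20.23 <CRIT:SYST> task tNetTask cpu utilization is 88% PC:
80266eb4
01/25/2003 02:24.42 <CRIT:SYST> task tNetTask cpu utilization is 93% PC:
80266eb4
01/25/2003 02:23.48 <WARN:IPRT> IGMP: snooping.c 376:
updateGroupSenderListPortMask: PTAGalloc 237.189.185.65/64.237.99.79
01/25/2003 02:23.48 <WARN:IPRT> IGMP: snooping.c 376:
updateGroupSenderListPortMask: PTAGalloc 237.137.210.243/64.237.99.79
01/25/2003 02:23.48 <WARN:IPRT> IGMP: snooping.c 376:
updateGroupSenderListPortMask: PTAGalloc 225.134.14.67/64.237.99.79
01/25/2003 02:23.49 <WARN:IPRT> IGMP: snooping.c 376:
updateGroupSenderListPortMask: PTAGalloc 239.1.1.1/192.0.2.7
"""

STAMP = re.compile(r"^\d\d/\d\d/\d{4} \d\d:\d\d\.\d\d <\w+:\w+> ")
CPU = re.compile(r"task (\S+) cpu utilization is (\d+)%")
PTAG = re.compile(r"PTAGalloc (\d+(?:\.\d+){3})/(\d+(?:\.\d+){3})")

def records(text):
    """Rejoin wrapped lines: a line without a leading timestamp continues the entry."""
    out = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if STAMP.match(line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    return out

def triage(text, cpu_threshold=85, group_threshold=3):
    """Return (tasks with peak CPU >= threshold, senders with >= N distinct groups)."""
    peak, groups = {}, defaultdict(set)
    for rec in records(text):
        c = CPU.search(rec)
        if c:
            peak[c.group(1)] = max(peak.get(c.group(1), 0), int(c.group(2)))
        p = PTAG.search(rec)
        # Assumption: the pair is group/sender; count it only if the first is multicast.
        if p and ipaddress.ip_address(p.group(1)).is_multicast:
            groups[p.group(2)].add(p.group(1))
    hot = {t: v for t, v in peak.items() if v >= cpu_threshold}
    noisy = {s: sorted(g) for s, g in groups.items() if len(g) >= group_threshold}
    return hot, noisy

if __name__ == "__main__":
    print(triage(SAMPLE))
```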