Security Incidents mailing list archives

Re: Ramen worm scanner and multicast addresses


From: Bill Owens <owens () NYSERNET ORG>
Date: Wed, 17 Jan 2001 22:41:10 -0500

On Wed, 17 Jan 2001, slim bones wrote:
> Of 1000 addresses
> about 60 were in the range you identify.  From what I've seen the
> worm would not discriminate against multicast addresses.
>
> In isolation the worm will try to scan a class B in 20-25 minutes,
> hitting only port 21.  Uncertain what effect if any that would have on
> MSDP.  What do you think?

I'm guessing a little bit here, based on what we've seen in the last few
days, but it appears that things are happening like this. When the worm
infects a machine that happens to be connected to a multicast-capable
network, nothing unusual occurs until the scanner hits a multicast address
range. Then the first SYN packet to a multicast address causes the nearest
router to generate a PIM register to the local Rendezvous Point (RP). The
RP creates an MSDP source-active message and floods that to its MSDP
peers, and from there throughout the multicast network. It isn't likely
that anyone has joined that multicast group, and in any case they'd only
receive the one TCP packet, but the flood of SAs is what causes the
problem.

Since a substantial fraction of the Internet2 network and related R&E nets
are now native multicast, the MSDP SAs go lots of places. The effect is
primarily to cause CPUHOG error messages on the Ciscos that are hit with
the MSDP storm, but they can also drop MSDP peers if things get bad
enough. And although Junipers don't appear to be directly affected by the
storm, their multicast connectivity may be hurt; I'm still researching
that on my own network.

There is a fix, putting rate limits on the MSDP SA messages. But it
requires upgrades for the Ciscos and config changes for the Junipers, so
it will be a while before everyone can have that in place. In the meantime
we're seeing several storms per day as more boxes are hit by the worm...

Bill.

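As an added example (not part of the original thread), the Python below runs the symptom Bill describes, TCP SYNs to port 21 aimed into the 224.0.0.0/4 multicast block, over a constructed connection log to flag hosts that are probably running the scanner, and checks the "about 60 of 1000" figure from the quote against the share of IPv4 space that is multicast. The log format and host addresses are assumptions made up for the example.

```python
import ipaddress
from collections import Counter

# IPv4 multicast block; a scanner's SYNs landing here are what trigger the
# PIM register / MSDP source-active cascade described in the post.
MULTICAST = ipaddress.ip_network("224.0.0.0/4")

# Constructed sample connection log (hypothetical format, not from the post):
# "<src> -> <dst>:<dport> <tcp-flag>"
SAMPLE_LOG = """\
10.1.2.3 -> 128.100.17.4:21 SYN
10.1.2.3 -> 224.0.1.40:21 SYN
10.1.2.3 -> 233.4.200.1:21 SYN
10.1.2.3 -> 128.100.17.5:21 SYN
10.9.9.9 -> 192.168.5.5:80 SYN
10.9.9.9 -> 224.0.0.251:5353 SYN
"""

def parse_line(line):
    """Split one log line into (src, dst, dport, flag)."""
    src, rest = line.split(" -> ")
    dst_port, flag = rest.rsplit(" ", 1)
    dst, port = dst_port.rsplit(":", 1)
    return src, ipaddress.ip_address(dst), int(port), flag

def multicast_port_syns(log_text, port=21):
    """Per-source count of SYNs to `port` whose destination is multicast.

    Legitimate multicast traffic on other ports (e.g. mDNS on 5353) is
    deliberately not counted, so it does not raise a false alarm.
    """
    hits = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, flag = parse_line(line)
        if flag == "SYN" and dport == port and dst in MULTICAST:
            hits[src] += 1
    return dict(hits)

def expected_multicast_share():
    """Fraction of IPv4 space that is multicast: 1/16, i.e. about 62 of every
    1000 uniformly chosen targets, consistent with the 'about 60' quoted."""
    return MULTICAST.num_addresses / 2 ** 32

if __name__ == "__main__":
    print(multicast_port_syns(SAMPLE_LOG))      # {'10.1.2.3': 2}
    print(expected_multicast_share() * 1000)    # 62.5
```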
