nanog mailing list archives

Re: New worm / port 1434?


From: Marshall Eubanks <tme () multicasttech com>
Date: Sat, 25 Jan 2003 12:18:15 -0500


Dear Eric;

On Saturday, January 25, 2003, at 10:49  AM, Eric Gauthier wrote:


Ok,

I'm not sure if this helps at all. Our campus has two primary connections - the main Internet and something called Internet2. Internet2 has a routing table of order 10,000 routes and includes most top-tier research instituations

I would concur. worm is not attacking multicasting in general, but seems to be generating multicast traffic. For these two statements to make sense, the IP address scanning must be very non random. This does not appear to be the sort of consecutive address block scanning that the RAMEN worm did.

(BTW, This AM we have 11052 I2 routes vs 116983 in all, or about 9.4% of the total.)

Marshall

in the US (and a few other places). By 1am this morning (Eastern US time), all of our Internet links saturated outbound but we didn't appear to see any noticable increase in our Internet2 bandwidth. I'm throwing this out there because it may indicate that the destinations for the traffic - though large -
aren't completely random.

Has anyone else seen this?

Eric :)

PS: Yep - we're a university and we're a source - big surprise there... I just filtered out our 200Mbps contribution to this problem in case you're
curious...

                                 Regards
                                 Marshall Eubanks

This e-mail may contain confidential and proprietary information of
Multicast Technologies, Inc, subject to Non-Disclosure Agreements

T.M. Eubanks
Multicast Technologies, Inc.
10301 Democracy Lane, Suite 410
Fairfax, Virginia 22030
Phone : 703-293-9624       Fax     : 703-293-9609
e-mail : tme () multicasttech com
http://www.multicasttech.com

Test your network for multicast :
http://www.multicasttech.com/mt/
 Status of Multicast on the Web  :
 http://www.multicasttech.com/status/index.html


Current thread: