Security Incidents mailing list archives
Re: Ramen worm scanner and multicast addresses
From: slim bones <slim () io com>
Date: Wed, 17 Jan 2001 18:41:49 -0600
On Wed, Jan 17, 2001 at 04:51:27PM -0500, Bill Owens wrote:
Could someone who's seen the ramen worm in action check to see if it scans the multicast address range (224.0.0.0 - 239.255.255.255)? I suspect it may be causing a rash of Multicast Source Discovery Protocol (MSDP) storms that started early this week.
Howdy, Ramen uses a binary called randb to generate class B nets to scan. I just made it generate 1000 of these, they appear to be reasonably scattered... however the first byte of the IP address was never less than 13 nor greater than 242. Between those, addresses are fairly evenly dispersed considering the small sample size. Of 1000 addresses about 60 were in the range you identify. From what I've seen the worm would not discriminate against multicast addresses. In isolation the worm will try to scan a class B in 20-25 minutes, hitting only port 21. Uncertain what effect if any that would have on MSDP. What do you think? hth, s.b PS a mirror of a defaced web page at jpl -- html matches what's in the ramen worm index.html... http://www.attrition.org/mirror/attrition/2001/01/15/uta7400.jpl.nasa.gov/
Current thread:
- Ramen worm scanner and multicast addresses Bill Owens (Jan 17)
- Re: Ramen worm scanner and multicast addresses slim bones (Jan 17)
- Re: Ramen worm scanner and multicast addresses Daniel Martin (Jan 17)
- Re: Ramen worm scanner and multicast addresses Bill Owens (Jan 17)
- Re: Ramen worm scanner and multicast addresses slim bones (Jan 17)