Security Incidents mailing list archives

Re: Ramen worm scanner and multicast addresses


From: slim bones <slim () io com>
Date: Wed, 17 Jan 2001 18:41:49 -0600

On Wed, Jan 17, 2001 at 04:51:27PM -0500, Bill Owens wrote:
> Could someone who's seen the ramen worm in action check to see if it
> scans the multicast address range (224.0.0.0 - 239.255.255.255)? I
> suspect it may be causing a rash of Multicast Source Discovery
> Protocol (MSDP) storms that started early this week.

Howdy,

Ramen uses a binary called randb to generate class B nets to scan.  I
just made it generate 1000 of these, they appear to be reasonably
scattered... however the first byte of the IP address was never less
than 13 nor greater than 242.  Between those, addresses are fairly
evenly dispersed considering the small sample size.  Of 1000 addresses
about 60 were in the range you identify.  From what I've seen the
worm would not discriminate against multicast addresses.

In isolation the worm will try to scan a class B in 20-25 minutes,
hitting only port 21.  Uncertain what effect if any that would have on
MSDP.  What do you think?

hth,
s.b

PS a mirror of a defaced web page at jpl -- html matches what's in
the ramen worm index.html...

http://www.attrition.org/mirror/attrition/2001/01/15/uta7400.jpl.nasa.gov/
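
A defender-side way to check the question raised in this thread against flow logs, as an added example that is not part of the original message: it flags sources that sweep one /16 on TCP port 21 and marks sweeps aimed at 224.0.0.0/4. The record format, the `min_hosts` threshold and all sample addresses are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

MULTICAST = ipaddress.ip_network("224.0.0.0/4")  # 224.0.0.0 - 239.255.255.255
WINDOW = 25 * 60  # seconds; the post reports 20-25 minutes per class B

# Constructed flow records (not real traffic): "epoch src dst dst_port"
SAMPLE_FLOWS = """\
979778500 192.0.2.10 230.17.0.1 21
979778501 192.0.2.10 230.17.0.2 21
979778502 192.0.2.10 230.17.0.3 21
979778503 192.0.2.10 230.17.1.1 21
979778600 192.0.2.10 198.51.100.7 80
979778700 192.0.2.77 203.0.113.5 21
979778701 192.0.2.20 172.16.4.1 21
979778702 192.0.2.20 172.16.4.2 21
979778703 192.0.2.20 172.16.9.9 21
979778704 192.0.2.20 172.16.200.3 21
"""

def parse_flows(text):
    """Yield (timestamp, src, dst, port) tuples, skipping malformed lines."""
    for line in text.splitlines():
        try:
            ts, src, dst, dport = line.split()
            yield int(ts), src, ipaddress.ip_address(dst), int(dport)
        except ValueError:  # wrong field count or unparsable value
            continue

def find_sweeps(flows, port=21, min_hosts=4, window=WINDOW):
    """Return [(src, '/16 net', distinct_hosts, is_multicast)] for sources that
    touch >= min_hosts addresses in one /16 on `port` within `window` seconds.
    min_hosts=4 suits the tiny sample only; raise it for real logs."""
    seen = defaultdict(list)  # (src, /16 network) -> [(ts, dst)]
    for ts, src, dst, dport in flows:
        if dport == port and dst.version == 4:
            net = ipaddress.ip_network(f"{dst}/16", strict=False)
            seen[(src, net)].append((ts, dst))
    hits = []
    for (src, net), events in seen.items():
        start = min(ts for ts, _ in events)
        hosts = {dst for ts, dst in events if ts - start <= window}
        if len(hosts) >= min_hosts:
            hits.append((src, str(net), len(hosts), net.subnet_of(MULTICAST)))
    return sorted(hits)

if __name__ == "__main__":
    for hit in find_sweeps(parse_flows(SAMPLE_FLOWS)):
        print(hit)
```

A hit with the last field set to `True` is unicast TCP addressed to a multicast group, which has no legitimate use and is worth correlating with MSDP activity on the border routers.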

