nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Second day of rolling blackouts starts

From: Jared Mauch <jared () puck Nether net>
Date: Sun, 21 Jan 2001 19:53:01 -0500

        Cisco is scheduled to have a patch for IOS 12.0(15)S that will
all you to limit the number of SA's received from a peer (similar to
prefix-limit on bgp session) from what I understand.

        You should talk to your cisco reps about that ability in
your software.

        - Jared

On Sun, Jan 21, 2001 at 03:16:37PM +0200, Hank Nussbacher wrote:


At 09:43 19/01/01 -0500, Marshall Eubanks wrote:


Two people have asked me off list about the RAMEN worm,
which affects Linux Redhat distro's. Here is brief description of the
worm, and a link to more,
from Lucy Lynch at Internet2 / UOregon.

The multicast implications :

This worm scans a portion of the multicast address space. These scans 
(packets)
are viewed as new multicast sources by a PIM multicast enabled router,
which encapsulates
them and sends them to its RP. The RP creates MSDP Session Announcements
FOR EACH SCAN
and floods them to every RP neighbor it has in "nearby" AS's, and those
repeat the process.
The result is a MSDP packet storm. We have gotten 15,000 SA's a minute.
Dealing with these
can melt down routers. (We had to reboot a Cisco 7204, for example,
which apparently either filled
up or fragmented its memory beyond usability.)

I think it is fair to say that the question of rate limiting and other
DOS filtering in
PIM/SSM/MSDP multicast is getting serious attention now.


I have installed on my multicast tunnels (one to StarTap and the other to 
Dante/Quantum):

rate-limit input access-group 180 128000 30000 30000 conform-action 
transmit exceed-action drop
!
access-list 180 permit tcp any any eq 639
access-list 180 permit udp any any eq 639
access-list 180 deny   ip any any

IANA has MSDP listed as port 639 - tcp+udp.  It appears MSDP is only really 
TCP:
mcast#sho access-l 180
Extended IP access list 180
     permit tcp any any eq 639 (1555 matches)
     permit udp any any eq 639
     deny ip any any (37888 matches)

and

mcast#sho in rate
Tunnel1 Mbone tunnel to Dante
   Input
     matches: access-group 180
       params:  128000 bps, 30000 limit, 30000 extended limit
       conformed 755 packets, 60044 bytes; action: transmit
       exceeded 0 packets, 0 bytes; action: drop
       last packet: 388ms ago, current burst: 0 bytes
       last cleared 00:07:26 ago, conformed 1000 bps, exceeded 0 bps
Tunnel2 Mbone tunnel to Startap
   Input
     matches: access-group 180
       params:  128000 bps, 30000 limit, 30000 extended limit
       conformed 909 packets, 148937 bytes; action: transmit
       exceeded 0 packets, 0 bytes; action: drop
       last packet: 1048ms ago, current burst: 0 bytes
       last cleared 00:08:48 ago, conformed 2000 bps, exceeded 0 bps

I'll only know tomorrow if I stop getting the constant:
Jan 21 14:00:03: %SYS-3-CPUHOG: Task ran for 6300 msec (123/75), process = 
MSDP Process, PC = 60790390. -Traceback= 60790398 604146B4 604146A0
error messages.  I don't know whether 128kb/sec of MSDP is too much or too 
little.

-Hank




Marshall Eubanks


"Lucy E. Lynch" wrote:


a bit more info on ramen here:

http://members.home.net/dtmartin24/ramen_worm.txt

"And now, the contents of that ramen.tgz file: All the binaries are in the
archive twice, with RedHat 6.2 and RedHat 7.0 versions. Numerous binaries
were not stripped, which makes the job of taking them apart easier."

asp:       An xinetd config. file that will start up the fake webserver
           Used on RedHat 7.0 victim machines.
asp62:     HTTP/0.9-compatible server that always serves out the file
           /tmp/ramen.tgz to any request - NOT stripped
asp7:      RedHat 7-compiled version - NOT stripped
bd62.sh:   Does the setup (installing wormserver, removing vulnerable
           programs, adding ftp users) for RedHat 6.2
bd7.sh:    Same for RedHat 7.0
getip.sh:  Utility script to get the main external IP address
hackl.sh:  Driver to read the .l file and pass addresses to lh.sh
hackw.sh:  Driver to read the .w file and pass addresses to wh.sh
index.html: HTML document text
l62:       LPRng format string exploit program - NOT stripped
l7:        Same but compiled for RedHat 7 - stripped
lh.sh:     Driver script to execute the LPRng exploit with several
           different options
randb62:   Picks a random class-B subnet to scan on - NOT stripped
randb7:    Same but compiled for RedHat 7 - NOT stripped
s62:       statdx exploit - NOT stripped
s7:        Same but compiled for RedHat 7 - stripped
scan.sh:   get a classB network from randb and run synscan
start.sh:  Replace any index.html with the one from the worm; run getip;
           determine if we're RedHat 6.2 or 7.0 and run the appropriate
           bd*.sh and start*.sh
start62.sh: start (backgrounded) scan.sh, hackl.sh, and hackw.sh
start7.sh:  Same as start62.sh
synscan62:  Modified synscan tool - records to .w and .l files - stripped
synscan7:   Same but compiled for RedHat 7 - stripped
w62:        venglin wu-ftpd exploit - stripped
w7:         Same but compiled for RedHat 7 - stripped
wh.sh:     Driver script to call the "s" and "w" binaries against a given
           target
wu62:      Apparently only included by mistake.  "strings" shows it to be
           very similar to w62; nowhere is this binary ever invoked.

Lucy E. Lynch                           Academic User Services
Computing Center                        University of Oregon
llynch () darkwing uoregon edu             (541) 346-1774
Cell: (541) 912-7998                    5419127998 () mobile att net




-- 
Jared Mauch  | pgp key available via finger from jared () puck nether net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
END OF LINE  | Manager of IP networks built within my own home
Previous By Date Next
Previous By Thread Next

Current thread: