Re: New worm / port 1434?

[lost () l-w net]

On Sat, 25 Jan 2003, Marshall Eubanks wrote:

> Can you give me any information about which multicast group addresses
> were being attacked ?

I didn't have any logging turned on at the time so I don't have the
addresses laying around. I just remember I had a storm of traffic trying
to go to addresses between 224.x.x.x and 247.x.x.x - the addresses looked
fairly random though. It may have been just a result of whatever random
address algorithm was being used. Since I don't route multicast, it stayed
local to the network segment but every host on the segment saw the
traffic.

> I have seen very little sign of this worm in interdomain multicast; it
> does not seem
> to be causing MSDP havoc the way that the RAMEN worm did.
>
>                                   Regards
>                                   Marshall Eubanks
>
>
> On Saturday, January 25, 2003, at 06:00  AM, lost () l-w net wrote:
>
> > This one seemed to be particularly nasty as it was generating traffic to
> > multicast addresses too. It caused a nice flood on the switched ethernet
> > segment I had a vulnerable box on.  (And took out a router in the
> > process.
> > Great fun.)
> >
> > William Astle
> > finger lost () l-w net for further information
> >
> > Geek Code V3.12: GCS/M/S d- s+:+ !a C++ UL++++$ P++ L+++ !E W++ !N
> > w--- !O
> > !M PS PE V-- Y+ PGP t+@ 5++ X !R tv+@ b+++@ !DI D? G e++ h+ y?
>
>
> T.M. Eubanks
> Multicast Technologies, Inc.
> 10301 Democracy Lane, Suite 410
> Fairfax, Virginia 22030
> Phone : 703-293-9624       Fax     : 703-293-9609
> e-mail : tme () multicasttech com
> http://www.multicasttech.com
>
> Test your network for multicast :
> http://www.multicasttech.com/mt/
>   Status of Multicast on the Web  :
>   http://www.multicasttech.com/status/index.html

William Astle
finger lost () l-w net for further information

Geek Code V3.12: GCS/M/S d- s+:+ !a C++ UL++++$ P++ L+++ !E W++ !N w--- !O
!M PS PE V-- Y+ PGP t+@ 5++ X !R tv+@ b+++@ !DI D? G e++ h+ y?