Re: Worm / UDP1434

["K. Scott Bethke" <kbethke () thruport com>]

David,

----- Original Message -----
From: "Freedman David" <David.Freedman () netscalibur co uk>
> Anybody here on list using Extreme products (Summit/Alpine/Blackdiamond)?
> They sure don't like this traffic one bit. It causes them to not only drop
> traffic, but spew out every available error message under the sun...

We use extremes in our core and it did not log much other than CPU issues:

01/25/2003 02:20.23 <INFO:SYST> task tNetTask cpu utilization is 88% PC:
80266eb4
01/25/2003 02:20.23 <CRIT:SYST> task tNetTask cpu utilization is 88% PC:
80266eb4

and...

01/25/2003 02:24.43 <INFO:SYST> task tNetTask cpu utilization is 93% PC:
80266eb4
01/25/2003 02:24.42 <CRIT:SYST> task tNetTask cpu utilization is 93% PC:
80266eb4

I did notice console messages while investigating the sources of the
traffic, but of course have no log of them now.  The switches stayed up the
whole time though (yay)

Also picked up some strange messages from one of the offenders:

01/25/2003 02:23.48 <WARN:IPRT> IGMP: snooping.c 376:
updateGroupSenderListPortMask: PTAGalloc 237.189.185.65/64.237.99.79
01/25/2003 02:23.48 <WARN:IPRT> IGMP: snooping.c 376:
updateGroupSenderListPortMask: PTAGalloc 237.137.210.243/64.237.99.79
01/25/2003 02:23.48 <WARN:IPRT> IGMP: snooping.c 376:
updateGroupSenderListPortMask: PTAGalloc 225.134.14.67/64.237.99.79

No idea yet what that is, though I assume it is coming from the monitor
port.

-Scotty