North American Network Operators Group


Re: Second day of rolling blackouts starts

  • From: Jared Mauch
  • Date: Sun Jan 21 19:53:01 2001

	Cisco is scheduled to have a patch for IOS 12.0(15)S that will
allow you to limit the number of SA's received from a peer (similar to
prefix-limit on bgp session) from what I understand.

	You should talk to your cisco reps about that ability in
your software.

	- Jared

On Sun, Jan 21, 2001 at 03:16:37PM +0200, Hank Nussbacher wrote:
> 
> At 09:43 19/01/01 -0500, Marshall Eubanks wrote:
> 
> >Two people have asked me off list about the RAMEN worm,
> >which affects Linux Redhat distros. Here is a brief description of the
> >worm, and a link to more,
> >from Lucy Lynch at Internet2 / UOregon.
> >
> >The multicast implications:
> >
> >This worm scans a portion of the multicast address space. These scans
> >(packets) are viewed as new multicast sources by a PIM multicast enabled
> >router, which encapsulates them and sends them to its RP. The RP creates
> >MSDP Session Announcements FOR EACH SCAN and floods them to every RP
> >neighbor it has in "nearby" AS's, and those repeat the process. The result
> >is an MSDP packet storm. We have gotten 15,000 SA's a minute. Dealing with
> >these can melt down routers. (We had to reboot a Cisco 7204, for example,
> >which apparently either filled up or fragmented its memory beyond
> >usability.)
> >
> >I think it is fair to say that the question of rate limiting and other
> >DOS filtering in PIM/SSM/MSDP multicast is getting serious attention now.
> 
> I have installed on my multicast tunnels (one to StarTap and the other to
> Dante/Quantum):
> 
> rate-limit input access-group 180 128000 30000 30000 conform-action transmit exceed-action drop
> !
> access-list 180 permit tcp any any eq 639
> access-list 180 permit udp any any eq 639
> access-list 180 deny   ip any any
> 
> IANA has MSDP listed as port 639 - tcp+udp.  It appears MSDP is only really
> TCP:
> mcast#sho access-l 180
> Extended IP access list 180
>      permit tcp any any eq 639 (1555 matches)
>      permit udp any any eq 639
>      deny ip any any (37888 matches)
> 
> and
> 
> mcast#sho in rate
> Tunnel1 Mbone tunnel to Dante
>    Input
>      matches: access-group 180
>        params:  128000 bps, 30000 limit, 30000 extended limit
>        conformed 755 packets, 60044 bytes; action: transmit
>        exceeded 0 packets, 0 bytes; action: drop
>        last packet: 388ms ago, current burst: 0 bytes
>        last cleared 00:07:26 ago, conformed 1000 bps, exceeded 0 bps
> Tunnel2 Mbone tunnel to Startap
>    Input
>      matches: access-group 180
>        params:  128000 bps, 30000 limit, 30000 extended limit
>        conformed 909 packets, 148937 bytes; action: transmit
>        exceeded 0 packets, 0 bytes; action: drop
>        last packet: 1048ms ago, current burst: 0 bytes
>        last cleared 00:08:48 ago, conformed 2000 bps, exceeded 0 bps
> 
> I'll only know tomorrow if I stop getting the constant:
> Jan 21 14:00:03: %SYS-3-CPUHOG: Task ran for 6300 msec (123/75), process = MSDP Process, PC = 60790390. -Traceback= 60790398 604146B4 604146A0
> error messages.  I don't know whether 128kb/sec of MSDP is too much or too
> little.
> 
> -Hank
> 
> >Marshall Eubanks
> >
> >
> >"Lucy E. Lynch" wrote:
> > >
> > > a bit more info on ramen here:
> > >
> > > http://members.home.net/dtmartin24/ramen_worm.txt
> > >
> > > "And now, the contents of that ramen.tgz file: All the binaries are in the
> > > archive twice, with RedHat 6.2 and RedHat 7.0 versions. Numerous binaries
> > > were not stripped, which makes the job of taking them apart easier."
> > >
> > > asp:       An xinetd config. file that will start up the fake webserver
> > >            Used on RedHat 7.0 victim machines.
> > > asp62:     HTTP/0.9-compatible server that always serves out the file
> > >            /tmp/ramen.tgz to any request - NOT stripped
> > > asp7:      RedHat 7-compiled version - NOT stripped
> > > bd62.sh:   Does the setup (installing wormserver, removing vulnerable
> > >            programs, adding ftp users) for RedHat 6.2
> > > bd7.sh:    Same for RedHat 7.0
> > > getip.sh:  Utility script to get the main external IP address
> > > hackl.sh:  Driver to read the .l file and pass addresses to lh.sh
> > > hackw.sh:  Driver to read the .w file and pass addresses to wh.sh
> > > index.html: HTML document text
> > > l62:       LPRng format string exploit program - NOT stripped
> > > l7:        Same but compiled for RedHat 7 - stripped
> > > lh.sh:     Driver script to execute the LPRng exploit with several
> > >            different options
> > > randb62:   Picks a random class-B subnet to scan on - NOT stripped
> > > randb7:    Same but compiled for RedHat 7 - NOT stripped
> > > s62:       statdx exploit - NOT stripped
> > > s7:        Same but compiled for RedHat 7 - stripped
> > > scan.sh:   get a classB network from randb and run synscan
> > > start.sh:  Replace any index.html with the one from the worm; run getip;
> > >            determine if we're RedHat 6.2 or 7.0 and run the appropriate
> > >            bd*.sh and start*.sh
> > > start62.sh: start (backgrounded) scan.sh, hackl.sh, and hackw.sh
> > > start7.sh:  Same as start62.sh
> > > synscan62:  Modified synscan tool - records to .w and .l files - stripped
> > > synscan7:   Same but compiled for RedHat 7 - stripped
> > > w62:        venglin wu-ftpd exploit - stripped
> > > w7:         Same but compiled for RedHat 7 - stripped
> > > wh.sh:     Driver script to call the "s" and "w" binaries against a given
> > >            target
> > > wu62:      Apparently only included by mistake.  "strings" shows it to be
> > >            very similar to w62; nowhere is this binary ever invoked.
> > >
> > > Lucy E. Lynch                           Academic User Services
> > > Computing Center                        University of Oregon
> > > [email protected]             (541) 346-1774
> > > Cell: (541) 912-7998                    [email protected]
> 

-- 
Jared Mauch  | pgp key available via finger from [email protected]
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
END OF LINE  | Manager of IP networks built within my own home
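Added example (not code from Cisco, Jared or Hank, and not how IOS implements it): a Python model of the per-peer SA cap Jared describes, which behaves like a BGP maximum-prefix limit rather than a bandwidth rate-limit. It replays a constructed SA stream in which one peer relays worm scans, so every scanned group becomes a fresh (S,G) announcement; the peer and group addresses, the 500-SA cap and the 75% warning threshold are assumptions chosen for the demonstration.

```python
from dataclasses import dataclass, field


@dataclass
class PeerState:
    sa_cache: set = field(default_factory=set)  # distinct (source, group) pairs accepted from this peer
    dropped: int = 0                            # new SAs refused once the cap was hit
    warned: bool = False


class PeerSaLimiter:
    """Caps the number of distinct SA (source, group) pairs held per MSDP peer (hypothetical model)."""

    def __init__(self, max_sa: int, warn_pct: int = 75):
        self.max_sa, self.warn_pct = max_sa, warn_pct
        self.peers = {}      # peer address -> PeerState
        self.log = []        # operator-facing messages, akin to a syslog line

    def receive(self, peer: str, source: str, group: str) -> str:
        st = self.peers.setdefault(peer, PeerState())
        key = (source, group)
        if key in st.sa_cache:                  # periodic re-announcement, no new state
            return "refreshed"
        if len(st.sa_cache) >= self.max_sa:     # cap reached: refuse new state, keep the peering up
            st.dropped += 1
            if st.dropped == 1:
                self.log.append(f"peer {peer}: SA limit {self.max_sa} reached, dropping new SAs")
            return "dropped"
        st.sa_cache.add(key)
        if not st.warned and len(st.sa_cache) * 100 >= self.max_sa * self.warn_pct:
            st.warned = True                    # early warning before anything is actually dropped
            self.log.append(f"peer {peer}: {len(st.sa_cache)}/{self.max_sa} SAs (warning threshold)")
        return "accepted"


def simulate(max_sa: int = 500) -> dict:
    """Constructed traffic: a quiet peer plus a peer flooding one SA per scanned group."""
    lim = PeerSaLimiter(max_sa)
    for i in range(20):                         # 20 legitimate sources to one group
        lim.receive("192.0.2.1", f"198.51.100.{i}", "233.0.0.1")
    for n in range(2000):                       # one scanning host probing 2000 group addresses
        lim.receive("192.0.2.2", "203.0.113.7", f"224.0.{n // 256}.{n % 256}")
    return {"peers": {p: (len(s.sa_cache), s.dropped) for p, s in lim.peers.items()},
            "log": lim.log}
```

The quiet peer keeps all 20 SAs; the scanning peer is held at the cap with the remaining 1500 announcements dropped, and the warning fires at 375 SAs, before any drop.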