North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: Second day of rolling blackouts starts
Cisco is scheduled to have a patch for IOS 12.0(15)S that will all you to limit the number of SA's received from a peer (similar to prefix-limit on bgp session) from what I understand. You should talk to your cisco reps about that ability in your software. - Jared On Sun, Jan 21, 2001 at 03:16:37PM +0200, Hank Nussbacher wrote: > > At 09:43 19/01/01 -0500, Marshall Eubanks wrote: > > >Two people have asked me off list about the RAMEN worm, > >which affects Linux Redhat distro's. Here is brief description of the > >worm, and a link to more, > >from Lucy Lynch at Internet2 / UOregon. > > > >The multicast implications : > > > >This worm scans a portion of the multicast address space. These scans > >(packets) > >are viewed as new multicast sources by a PIM multicast enabled router, > >which encapsulates > >them and sends them to its RP. The RP creates MSDP Session Announcements > >FOR EACH SCAN > >and floods them to every RP neighbor it has in "nearby" AS's, and those > >repeat the process. > >The result is a MSDP packet storm. We have gotten 15,000 SA's a minute. > >Dealing with these > >can melt down routers. (We had to reboot a Cisco 7204, for example, > >which apparently either filled > >up or fragmented its memory beyond usability.) > > > >I think it is fair to say that the question of rate limiting and other > >DOS filtering in > >PIM/SSM/MSDP multicast is getting serious attention now. > > I have installed on my multicast tunnels (one to StarTap and the other to > Dante/Quantum): > > rate-limit input access-group 180 128000 30000 30000 conform-action > transmit exceed-action drop > ! > access-list 180 permit tcp any any eq 639 > access-list 180 permit udp any any eq 639 > access-list 180 deny ip any any > > IANA has MSDP listed as port 639 - tcp+udp. It appears MSDP is only really > TCP: > mcast#sho access-l 180 > Extended IP access list 180 > permit tcp any any eq 639 (1555 matches) > permit udp any any eq 639 > deny ip any any (37888 matches) > > and > > mcast#sho in rate > Tunnel1 Mbone tunnel to Dante > Input > matches: access-group 180 > params: 128000 bps, 30000 limit, 30000 extended limit > conformed 755 packets, 60044 bytes; action: transmit > exceeded 0 packets, 0 bytes; action: drop > last packet: 388ms ago, current burst: 0 bytes > last cleared 00:07:26 ago, conformed 1000 bps, exceeded 0 bps > Tunnel2 Mbone tunnel to Startap > Input > matches: access-group 180 > params: 128000 bps, 30000 limit, 30000 extended limit > conformed 909 packets, 148937 bytes; action: transmit > exceeded 0 packets, 0 bytes; action: drop > last packet: 1048ms ago, current burst: 0 bytes > last cleared 00:08:48 ago, conformed 2000 bps, exceeded 0 bps > > I'll only know tomorrow if I stop getting the constant: > Jan 21 14:00:03: %SYS-3-CPUHOG: Task ran for 6300 msec (123/75), process = > MSDP Process, PC = 60790390. -Traceback= 60790398 604146B4 604146A0 > error messages. I don't know whether 128kb/sec of MSDP is too much or too > little. > > -Hank > > > > >Marshall Eubanks > > > > > >"Lucy E. Lynch" wrote: > > > > > > a bit more info on ramen here: > > > > > > http://members.home.net/dtmartin24/ramen_worm.txt > > > > > > "And now, the contents of that ramen.tgz file: All the binaries are in the > > > archive twice, with RedHat 6.2 and RedHat 7.0 versions. Numerous binaries > > > were not stripped, which makes the job of taking them apart easier." > > > > > > asp: An xinetd config. file that will start up the fake webserver > > > Used on RedHat 7.0 victim machines. > > > asp62: HTTP/0.9-compatible server that always serves out the file > > > /tmp/ramen.tgz to any request - NOT stripped > > > asp7: RedHat 7-compiled version - NOT stripped > > > bd62.sh: Does the setup (installing wormserver, removing vulnerable > > > programs, adding ftp users) for RedHat 6.2 > > > bd7.sh: Same for RedHat 7.0 > > > getip.sh: Utility script to get the main external IP address > > > hackl.sh: Driver to read the .l file and pass addresses to lh.sh > > > hackw.sh: Driver to read the .w file and pass addresses to wh.sh > > > index.html: HTML document text > > > l62: LPRng format string exploit program - NOT stripped > > > l7: Same but compiled for RedHat 7 - stripped > > > lh.sh: Driver script to execute the LPRng exploit with several > > > different options > > > randb62: Picks a random class-B subnet to scan on - NOT stripped > > > randb7: Same but compiled for RedHat 7 - NOT stripped > > > s62: statdx exploit - NOT stripped > > > s7: Same but compiled for RedHat 7 - stripped > > > scan.sh: get a classB network from randb and run synscan > > > start.sh: Replace any index.html with the one from the worm; run getip; > > > determine if we're RedHat 6.2 or 7.0 and run the appropriate > > > bd*.sh and start*.sh > > > start62.sh: start (backgrounded) scan.sh, hackl.sh, and hackw.sh > > > start7.sh: Same as start62.sh > > > synscan62: Modified synscan tool - records to .w and .l files - stripped > > > synscan7: Same but compiled for RedHat 7 - stripped > > > w62: venglin wu-ftpd exploit - stripped > > > w7: Same but compiled for RedHat 7 - stripped > > > wh.sh: Driver script to call the "s" and "w" binaries against a given > > > target > > > wu62: Apparently only included by mistake. "strings" shows it to be > > > very similar to w62; nowhere is this binary ever invoked. > > > > > > Lucy E. Lynch Academic User Services > > > Computing Center University of Oregon > > > [email protected] (541) 346-1774 > > > Cell: (541) 912-7998 [email protected] > -- Jared Mauch | pgp key available via finger from [email protected] clue++; | http://puck.nether.net/~jared/ My statements are only mine. END OF LINE | Manager of IP networks built within my own home
|