[nsp] multicast questions

Danny McPherson danny at tcb.net
Sun May 9 12:22:07 EDT 2004


On May 9, 2004, at 6:31 AM, Niels Bakker wrote:

> Configuring dense-mode in an ISP environment has proven to be suboptimal
> in practice.  Hosts sending data to lots of multicast addresses creates
> state throughout your network.  A few big operators were impacted pretty
> heavily when Slammer first came out (I think later worms had some basic
> intelligence in their network number generators to exclude 224/4).

Actually, Ramen (circa 1/2001) was the first worm that resulted in an
observed amount of collateral damage to the global multicast infrastructure,
resulting in lots of multicast state and MSDP SA churn.  As such, some
rate-limiters in MSDP SA announcements have since been added, and
several other tweaks to help combat this.  Of course, this is control
plane stuff for multicast (akin to BGP for unicast); the inherent dangers
perhaps reside more so in the data plane.

Unfortunately, newer worms are similarly broken (or effective?) in that
their scanning/propagation vectors still check multicast space - e.g., Sasser
last week resulted in this very same issue, as well as many of its
predecessors.  Of course, some worm authors have taken heed to the
recommended post-analysis scanning optimizations...

-danny
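The symptom both posters describe, a single host spraying packets at many distinct 224/4 groups and thereby creating multicast state, is something an operator can spot in flow records. The following is an added illustration, not code from the list or its posters: it runs over constructed (src, dst, proto) flow tuples and flags sources whose distinct multicast-group fan-out exceeds a threshold (the threshold value and the sample hosts are assumptions).

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (src, dst, proto). 10.0.0.5 behaves like a
# worm-infected host whose scanner does not exclude 224/4: it touches ten
# different multicast groups. 10.0.0.9 is a legitimate sender using one
# group, and 10.0.0.7 only talks unicast.
SAMPLE_FLOWS = (
    [("10.0.0.5", f"224.{i + 1}.{(i * 7) % 256}.{(i * 13) % 256}", "udp")
     for i in range(10)]
    + [("10.0.0.9", "239.1.1.1", "udp")] * 5
    + [("10.0.0.7", "192.0.2.10", "tcp")] * 3
)


def is_multicast(ip: str) -> bool:
    """True for any address in 224.0.0.0/4 (or IPv6 ff00::/8)."""
    return ipaddress.ip_address(ip).is_multicast


def multicast_fanout(flows):
    """Map each source to the number of distinct multicast groups it sent to.

    Each distinct (source, group) pair is what becomes (S,G) state in the
    data plane and, across PIM-SM domains, an MSDP SA announcement.
    """
    groups = defaultdict(set)
    for src, dst, _proto in flows:
        if is_multicast(dst):
            groups[src].add(dst)
    return {src: len(g) for src, g in groups.items()}


def flag_scanners(flows, threshold: int = 8):
    """Return sources whose multicast fan-out reaches the (assumed) threshold."""
    fanout = multicast_fanout(flows)
    return sorted(src for src, n in fanout.items() if n >= threshold)


if __name__ == "__main__":
    for src, n in sorted(multicast_fanout(SAMPLE_FLOWS).items()):
        print(f"{src}: {n} distinct multicast group(s)")
    print("flagged:", flag_scanners(SAMPLE_FLOWS))
```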
