North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Second day of rolling blackouts starts

  • From: Marshall Eubanks
  • Date: Fri Jan 19 09:43:18 2001

Two people have asked me off list about the RAMEN worm,
which affects Linux Redhat distro's. Here is brief description of the
worm, and a link to more,
from Lucy Lynch at Internet2 / UOregon.

The multicast implications :

This worm scans a portion of the multicast address space. These scans (packets)
are viewed as new multicast sources by a PIM multicast enabled router,
which encapsulates
them and sends them to its RP. The RP creates MSDP Session Announcements
and floods them to every RP neighbor it has in "nearby" AS's, and those
repeat the process.
The result is a MSDP packet storm. We have gotten 15,000 SA's a minute.
Dealing with these
can melt down routers. (We had to reboot a Cisco 7204, for example,
which apparently either filled
up or fragmented its memory beyond usability.)

I think it is fair to say that the question of rate limiting and other
DOS filtering in
PIM/SSM/MSDP multicast is getting serious attention now.

Marshall Eubanks

"Lucy E. Lynch" wrote:
> a bit more info on ramen here:
> "And now, the contents of that ramen.tgz file: All the binaries are in the
> archive twice, with RedHat 6.2 and RedHat 7.0 versions. Numerous binaries
> were not stripped, which makes the job of taking them apart easier."
> asp:       An xinetd config. file that will start up the fake webserver
>            Used on RedHat 7.0 victim machines.
> asp62:     HTTP/0.9-compatible server that always serves out the file
>            /tmp/ramen.tgz to any request - NOT stripped
> asp7:      RedHat 7-compiled version - NOT stripped
>   Does the setup (installing wormserver, removing vulnerable
>            programs, adding ftp users) for RedHat 6.2
>    Same for RedHat 7.0
>  Utility script to get the main external IP address
>  Driver to read the .l file and pass addresses to
>  Driver to read the .w file and pass addresses to
> index.html: HTML document text
> l62:       LPRng format string exploit program - NOT stripped
> l7:        Same but compiled for RedHat 7 - stripped
>     Driver script to execute the LPRng exploit with several
>            different options
> randb62:   Picks a random class-B subnet to scan on - NOT stripped
> randb7:    Same but compiled for RedHat 7 - NOT stripped
> s62:       statdx exploit - NOT stripped
> s7:        Same but compiled for RedHat 7 - stripped
>   get a classB network from randb and run synscan
>  Replace any index.html with the one from the worm; run getip;
>            determine if we're RedHat 6.2 or 7.0 and run the appropriate
>            bd*.sh and start*.sh
> start (backgrounded),, and
>  Same as
> synscan62:  Modified synscan tool - records to .w and .l files - stripped
> synscan7:   Same but compiled for RedHat 7 - stripped
> w62:        venglin wu-ftpd exploit - stripped
> w7:         Same but compiled for RedHat 7 - stripped
>     Driver script to call the "s" and "w" binaries against a given
>            target
> wu62:      Apparently only included by mistake.  "strings" shows it to be
>            very similar to w62; nowhere is this binary ever invoked.
> Lucy E. Lynch                           Academic User Services
> Computing Center                        University of Oregon
> [email protected]             (541) 346-1774
> Cell: (541) 912-7998                    [email protected]