Date: Mon, 22 Jan 2001 12:46:56 -0500
To: lwn@lwn.net
From: Bill Owens <owens@nysernet.org>
Subject: The real damage of the ramen worm

Although most of the stories about it claim that the ramen worm is largely harmless, it is in fact doing damage to several networks that carry native multicast traffic. The worst-affected is the Abilene network <http://www.ucaid.edu/abilene>. For the past 9 days, ever since ramen began to spread in earnest, the multicast networks have been hit by repeated storms of routing traffic caused by ramen-infected machines.

The worm has a sloppily written routine to randomly choose a /16 network block to scan. That routine can choose network prefixes in the range 224.0.0.0 - 242.0.0.0, a set of addresses reserved for multicast traffic. Each scan packet then causes the generation of a Multicast Source Distribution Protocol (MSDP) Source Availability message. Unfortunately the scanner being used is very efficient and can cover a /16 in about 15 minutes, generating 65000 SA messages. The SA messages are flooded throughout the multicast backbone and the resulting load on the routers has caused degradation of both multicast and unicast connectivity.

To see the storms graphically you can use the CAIDA Mantra project's MSDP monitor page <http://www.caida.org/tools/measurement/Mantra/session-mon/session-mon.html>. Each peak on the graph is a storm, usually caused by just one infected machine that happens to be connected to a multicast-enabled network. Since many large universities worldwide have enabled multicast, a new storm hits every few hours.

Although it seems that the authors of the worm did not intend this behavior, and probably would not even have understood the consequences of choosing to scan multicast addresses, it does mean that the worm is far from harmless.

Bill.
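The pattern the letter describes (one host touching thousands of distinct group addresses in a single /16 within about 15 minutes) can be picked out of flow records at the network edge. The following is an added example, not part of the original letter; the `epoch src dst` record format, the 50-group threshold and all sample addresses are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

MULTICAST = ipaddress.ip_network("224.0.0.0/4")  # class D group addresses
WINDOW = 15 * 60   # seconds; the letter's time to sweep one /16
MAX_GROUPS = 50    # assumed ceiling for a legitimate sender per window


def parse_flow(line):
    """Parse one 'epoch src dst' record (hypothetical export format)."""
    ts, src, dst = line.split()
    return int(ts), src, ipaddress.ip_address(dst)


def find_group_sweepers(lines, window=WINDOW, max_groups=MAX_GROUPS):
    """Return {source: (busiest /16, distinct groups)} for sources that sent
    to more than max_groups distinct multicast groups in one time window."""
    seen = defaultdict(set)  # (source, window index) -> groups contacted
    for line in lines:
        ts, src, dst = parse_flow(line)
        if dst in MULTICAST:
            seen[(src, ts // window)].add(dst)
    flagged = {}
    for (src, _), groups in seen.items():
        if len(groups) <= max_groups:
            continue
        per_block = defaultdict(int)  # /16 block -> distinct groups inside it
        for g in groups:
            block = ipaddress.ip_network((int(g) & 0xFFFF0000, 16))
            per_block[block] += 1
        block, count = max(per_block.items(), key=lambda kv: kv[1])
        if src not in flagged or count > flagged[src][1]:
            flagged[src] = (str(block), count)
    return flagged


def constructed_sample(start=980000100):
    """Constructed records: one sweeping host, one normal sender, unicast."""
    lines = [f"{start + i // 72} 192.0.2.10 230.17.{i // 256}.{i % 256}"
             for i in range(2000)]                 # sweep inside 230.17.0.0/16
    lines += [f"{start + i} 198.51.100.7 233.252.0.{i % 3}"
              for i in range(600)]                 # steady three-group sender
    lines += [f"{start + i} 192.0.2.10 203.0.113.{i}" for i in range(200)]
    return lines


if __name__ == "__main__":
    for src, (block, n) in find_group_sweepers(constructed_sample()).items():
        print(f"{src}: {n} distinct groups in {block} within one window")
```

Counting distinct groups rather than packets keeps a high-rate but legitimate multicast sender below the threshold while a sweep stands out immediately.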