[LWN Logo]
Date: Mon, 22 Jan 2001 12:46:56 -0500
To: lwn@lwn.net
From: Bill Owens <owens@nysernet.org>
Subject: The real damage of the ramen worm

Although most of the stories about it claim that the ramen worm is 
largely harmless, it is in fact doing damage to several networks that 
carry native multicast traffic. The worst-affected is the Abilene 
network <http://www.ucaid.edu/abilene>. For the past 9 days, ever 
since ramen began to spread in earnest, the multicast networks have 
been hit by repeated storms of routing traffic caused by 
ramen-infected machines.

The worm has a sloppily written routine to randomly choose a /16 
network block to scan. That routine can choose network prefixes in 
the range -, a set of addresses reserved for 
multicast traffic. Each scan packet then causes the generation of a 
Multicast Source Distribution Protocol (MSDP) Source Availability 
message. Unfortunately the scanner being used is very efficient and 
can cover a /16 in about 15 minutes, generating 65000 SA messages. 
The SA messages are flooded throughout the multicast backbone and the 
resulting load on the routers has caused degradation of both 
multicast and unicast connectivity.

To see the storms graphically you can use the CAIDA Mantra project's 
MSDP monitor page 
Each peak on the graph is a storm, usually caused by just one 
infected machine that happens to be connected to a multicast-enabled 
network. Since many large universities worldwide have enabled 
multicast, a new storm hits every few hours.

Although it seems that the authors of the worm did not intend this 
behavior, and probably would not even have understood the 
consequences of choosing to scan multicast addresses, it does mean 
that the worm is far from harmless.