[unisog] rendezvous storm?
alex-unisog at digriz.org.uk
Fri May 9 09:22:28 GMT 2008
Fred Portnoy <fportnoy at mail.plymouth.edu> [20080508 14:20:33 -0400]:
> If this has already been covered to death, please give me a hint where to
> find it in the archives.
Strangely I cannot find it at the moment, but it was linked to Windoze Vista
and Internet Connection Sharing if I remember correctly.
> We sometimes get wiped out by a Windows machine on our network spewing
> large numbers of packets per second aimed at multicast address 184.108.40.206
> using UDP 5353. I can see such traffic as part of the background noise
> which seems to be about media sharing .... but once it a while it rises to
> apparently unhealthy heights, as it seems to be co-incident with our router
> spiking at 100% CPU and ceasing to forward traffic for a while.
If you are unfortunate enough to have Crisco kit slip onto your core boxes
(your Layer-3 kit):
mls rate-limit multicast ipv4 non-rpf 100 10
mls rate-limit multicast ipv4 partial 250 100
The reason the CPU is hitting 100% (this hit us with the braindead way
Norton Ghost works) is if the multicast packets expire at your core box the
packet cannot be handled in hardware and so gets set up to the CPU for a
decision in software to be made. Of course all that the CPU will do is drop
the packet as its destined to a multicast address...so all that work just
to do nothing with the packet. :)
Those commands above limit the number of multicast packets that get set up to
the CPU (if I am correct, it works for us at least) and stops our 6509's
spinning at 100%. This is easily viewable when you are using Norton Ghost
and have HSRP deployed as your layer-3 gateways out of subnets...look at what
the standby (not the active) router is doing.
 no ICMP messages should be generated (ie, TTL expired) for packets
destined to a multicast address...according to the RFC's iirc
/ Better tried by twelve than carried by \
| six. |
\ -- Jeff Cooper /
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: Digital signature
Url : http://lists.sans.org/pipermail/unisog/attachments/20080509/3f059d4a/attachment.bin
More information about the unisog