[unisog] rendezvous storm?

Alexander Clouter alex-unisog at digriz.org.uk
Fri May 9 09:22:28 GMT 2008


Fred Portnoy <fportnoy at mail.plymouth.edu> [20080508 14:20:33 -0400]:
> If this has already been covered to death, please give me a hint where to 
> find it in the archives.
Strangely I cannot find it at the moment, but it was linked to Windoze Vista 
and Internet Connection Sharing if I remember correctly.

> We sometimes get wiped out by a Windows machine on our network spewing 
> large numbers of packets per second aimed at multicast address 
> using UDP 5353. I can see such traffic as part of the background noise 
> which seems to be about media sharing .... but once it a while it rises to 
> apparently unhealthy heights, as it seems to be co-incident with our router 
> spiking at 100% CPU and ceasing to forward traffic for a while.
If you are unfortunate enough to have Crisco kit slip onto your core boxes 
(your Layer-3 kit):

mls rate-limit multicast ipv4 non-rpf 100 10
mls rate-limit multicast ipv4 partial 250 100

The reason the CPU is hitting 100% (this hit us with the braindead way 
Norton Ghost works) is if the multicast packets expire at your core box the 
packet cannot be handled in hardware and so gets set up to the CPU for a 
decision in software to be made.  Of course all that the CPU will do is drop 
the packet as its destined to a multicast address[1]...so all that work just 
to do nothing with the packet. :)

Those commands above limit the number of multicast packets that get set up to 
the CPU (if I am correct, it works for us at least) and stops our 6509's 
spinning at 100%.  This is easily viewable when you are using Norton Ghost 
and have HSRP deployed as your layer-3 gateways out of subnets...look at what 
the standby (not the active) router is doing.



[1] no ICMP messages should be generated (ie, TTL expired) for packets 
	destined to a multicast address...according to the RFC's iirc

/ Better tried by twelve than carried by \
| six.                                   |
|                                        |
\ -- Jeff Cooper                         /
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.sans.org/pipermail/unisog/attachments/20080509/3f059d4a/attachment.bin 

More information about the unisog mailing list