Re: 235.80.68.83 & 239.83.100.109. Does anyone recognise these a

Kevin Dorrell · ‎05-02-2005

I have many PCs expressing an interest in multicast streams 235.80.68.83 and 239.83.100.109. Does anyone recognise these addresses? I know the first is globally scoped, and the second adminstratively scoped, but I don't know any more than that. About 10% of the PCs on my campus are generating IGMPs for those multicast streams. What is this all about?

I have tried Google, but all I can find is lots of other people asking the same question. Could it be malware?

My issue here is that I am running CGMP because I have some rather old 2900XLs in my network. Because of the large number of PCs generating IGMPs for these groups, my router is generating a significant amount of CGMP multicast traffic, and has raised the noise floor significantly.

Please ... has anyone any ideas? Is it due to XP SP2? If so, is everyone else's LAN doing the same?

Kevin Dorrell

Luxembourg

Kevin Dorrell · ‎05-02-2005

Am I talking to myself again? Is this a sign of madness? Have I been sent to Coventry? Or is it just that nobody has an answer?

Kevin Dorrell

Luxembourg

b-watkins · ‎05-03-2005

While I cannot vouch for your madness or lack thereof ;) , I really don't think anybody has a good answer that I can find anywhere. The only thing to note is that the first address you mention is reserved by the IANA. I can only imagine that there is some kind of malware that is causing this level of noise.

Kevin Dorrell · ‎05-03-2005

Thanks Bradley,

It's nice to have a response, even if it is a "don't know". All is right with the world once again!

I would be interested to find out if other sites can see IGMPs for those addresses. If it is malware, or even if it is Microsoft trying to get WindowsUpdate in by the back door, I would expect lots of sites to see these addresses if they interrogate their routers.

Does anyone know how to access the IANA database for multicast addresses in the same way as for unicast?

Thanks again for the response.

Kevin Dorrell

Luxembourg.

jroyster · ‎05-03-2005

I recall the second address and seeing a lot of it coming from clients.

heres some software that was on the PC image...

XP

trend micro AV

Integrity firewall

machines imaged with Ghost

address was present before service pack 1.

Kevin Dorrell · ‎05-03-2005

Thanks for that information. I think we can dismiss the Trend Micro AV, and the Integrity Firewall, because we don't use those here. So that leaves us with XP and Ghost. If it were XP, then maybe I would expect a greater proportion of my PCs to be doing it.

You are right about the XP and pre-SP1. Now that I look at the "what on earth is this?" posting on the news groups, the dates are well before SP2.

I think I shall follow Shankir's suggestion, and get the Windows team to raise a call to Microsoft.

Kevin Dorrell

Luxembourg

milan.kulik · ‎05-05-2005

Hi Kevin,

I've found about 50 computers in my network joining this multicast group, too.

All of them are running Windows, but some are 2000s, some even servers.

It's definitely not ghost (I beleived originally it would), because my notebook was not installed via ghost, e.g.

I'll continue searching what all these machines are having common.

Maybe Microsoft AutoUpdate Service?

Regards,

Milan

thisisshanky · ‎05-03-2005

I would suggest opening a service request with Microsoft and see if they can help in any way!!

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

b.orth · ‎05-03-2005

Kevin,

Try this link to lookup the address:

http://www.arin.net/

Looks like the address is owned by IANA.

It also gives an RFC to read.....

HTH

Kevin Dorrell · ‎05-04-2005

Thanks for the idea. I was already aware of ARIN, and its two counterparts RIPE and APNIC, but they are not very helpful about multicast address assignments. They just refer to IANA, but IANA (and ICANN) are not very helpful about multicast addresses either. As you point out, all that RFC3171 says is that the address is reserved.

Thanks for the response anyway.

Kevin Dorrell

Luxembourg

Kevin Dorrell · ‎05-03-2005

Good idea. I shall ask our Windows team to do so.

Kevin Dorrell

Luxembourg

milan.kulik · ‎05-05-2005

Hi,

I made some tests and after disabling ALL of following Windows services my PC stopped joining the 235.80.68.83 multicast group:

- Automatic Update (C:\WINNT\system32\svchost.exe -k wugroup)

- Intel PDS (C:\WINNT\system32\cba\pds.exe)

- Intel File Transfer (C:\WINNT\system32\cba\xfr.exe)

I'm not sure what the Intel services are doing exactly, but I've got a feeling the Windows Automatic Update is the key service using this multicast group (not docummented anywhere).

I'll continue in researching.

Best regards,

Milan

Kevin Dorrell · ‎05-20-2005

Hi Milan,

I'm sorry it took so long to push this problem forwards.

I have found some more information about the 239.83.100.109 address. In fact, I sniffed the CGMPs and decoded them to find out which machines were trying to join this group. So I picked a machine at random and looked in the registry. I found 239.83.100.109 in HKLM\SOFTWARE\Intel\LANDesk\LDWM\Distribution\Multicast\Multicast Cmd Address. So, LANdesk it is.

However, as far as I could see there was no trace of the 235.80.68.83 address in the registry, either as text or in hex, despite that fact that the router was producing CGMPs for that PC to join the 235 group as well. Next step is to kill those processes you mentioned one at a time.

I'll post again when I know the results. thanks for your suggestions.

Kevin Dorrell

Luxembourg

Kevin Dorrell · ‎05-20-2005

Aaargh! Which of those processes was it? The clue was there all the time, for those who could see it! Get this:

The multicast address is 235.80.68.83

The MAC address is therefore 01:00:5e:50:44:53

The host part of that, in ASCII, spells ... PDS

These guys write adventure games in their spare time, I think!

The other address spells "Sdm", but I don't think that is a clue.

Have a nice weekend!

Kevin Dorrell

Luxembourg

235.80.68.83 & 239.83.100.109. Does anyone recognise these addresses?