[39650] in North American Network Operators' Group
Re: Code Red -> Router Memory depletion?
daemon@ATHENA.MIT.EDU (John Fraizer)
Thu Jul 19 16:50:53 2001
Date: Thu, 19 Jul 2001 16:50:16 -0400 (EDT)
From: John Fraizer <nanog@Overkill.EnterZone.Net>
To: Mike Lewinski <mike@rockynet.com>
Cc: nanog@merit.edu
In-Reply-To: <004d01c11085$114f77c0$c2c68bd0@domain.com>
Message-ID: <Pine.LNX.4.21.0107191648180.3824-100000@Overkill.EnterZone.Net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu
On Thu, 19 Jul 2001, Mike Lewinski wrote:
>
> We've seen two routers experiencing problems this AM that appear to be
> related to client servers infected with the IIS Code Red virus. I say
> appear because of the timing with cpu profiles on downstream routers
> where infections broke out, but I don't have any direct evidence.
>
> The first one was a border router:
>
> Jul 19 08:00:47 5093: 2w5d: %SYS-2-MALLOCFAIL: Memory allocation of
> 65540 bytes failed from 0x603BF35C, pool Processor, alignment 0
> Jul 19 08:00:47 5094: -Process= "BGP Router", ipl= 0, pid= 86
>
> # sh ver
> uptime is 4 hours, 46 minutes
> System returned to ROM by bus error at PC 0x603BFCFC, address 0xFFFFFFF0
> at 05:57:21 UTC Thu Jul 19 2001
>
> The other one is a client aggregation router
>
> Jul 19 12:02:49 192: %SYS-2-MALLOCFAIL: Memory allocation of 1964 bytes
> failed from 0x314DA4A, pool Processor, alignment 0
> Jul 19 12:02:49 193: -Process= "OSPF Router", ipl= 0, pid= 32
>
> (This router is still functioning, but not allowing any incoming
> connections on telnet).
>
> -Mike
>
We saw nearly the same thing at about 1pm today. Definitely "Code
Red" related. We're seeing over a thousand pps of "Code Red" scanning
traffic. Joy Joy
---
John Fraizer
EnterZone, Inc