[39672] in North American Network Operators' Group
Re: Code Red
daemon@ATHENA.MIT.EDU (lucifer@lightbearer.com)
Thu Jul 19 23:12:42 2001
Message-ID: <20010720031208.23684.qmail@prophecy.lightbearer.com>
From: lucifer@lightbearer.com
In-Reply-To: <v04210102b77d36d07e75@[198.108.60.39]> from Jeff Ogden at "Jul 19, 2001 09:32:12 pm"
To: Jeff Ogden <jogden@merit.edu>
Date: Thu, 19 Jul 2001 20:12:08 -0700 (PDT)
Cc: nanog@merit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Errors-To: owner-nanog-outgoing@merit.edu
Jeff Ogden wrote:
>
> Here at Merit we are seeing large numbers of Code Red infected hosts.
> These hosts may be on our regional network MichNet or they may be
> elsewhere out on the greater Internet. It is the port scanning of
> random IP addresses that causes problems, because the scanning in turn
> is causing network problems due to heavy ARP loads when the local
> site routers ARP for what turn out to be unused IP addresses. This
> is an issue when there are large blocks of IP addresses behind a
> router. It is less of a problem when there is a relatively small
> number of IP addresses behind a router (say one class C worth). Are
> others seeing these sorts of problems? What strategies are there for
> dealing with this?
Reports from our monitoring systems saw the CPU usage jump by somewhere
between 150-200% for our core routers today; our current theory is that
much of this was caused by excessively short and rapid flows from the
probing, causing a lot of new paths to be learned (and rapidly discarded),
rather than being able to just switch it through.
--
***************************************************************************
Joel Baker System Administrator - lightbearer.com
lucifer@lightbearer.com http://www.lightbearer.com/~lucifer
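
Added example, not part of either poster's message: one way to pick scanning sources out of flow records by the two symptoms described in the thread, namely many short flows to distinct destinations and destinations that are unused addresses behind the router (the ones that trigger ARP). The record layout (src, dst, packets), the thresholds, the local block and all addresses are assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample data; all addresses come from documentation ranges.
LOCAL_NET = ip_network("198.51.100.0/24")   # assumed block behind the site router
LIVE_HOSTS = {ip_address("198.51.100.10"), ip_address("198.51.100.20")}

def make_sample_flows():
    """Return constructed flow records as (src, dst, packets) tuples."""
    flows = []
    # Scanner-like source: one tiny flow to each of 40 different local addresses.
    for i in range(1, 41):
        flows.append(("203.0.113.7", f"198.51.100.{i}", 3))
    # Ordinary client: repeated, longer flows to the two live servers.
    for _ in range(20):
        flows.append(("192.0.2.50", "198.51.100.10", 40))
        flows.append(("192.0.2.50", "198.51.100.20", 25))
    return flows

def summarize(flows, short_pkts=5):
    """Per source: flow count, short-flow count, distinct and unused destinations."""
    stats = defaultdict(lambda: {"flows": 0, "short": 0, "dsts": set(), "unused": set()})
    for src, dst, pkts in flows:
        s, d = stats[src], ip_address(dst)
        s["flows"] += 1
        s["short"] += pkts <= short_pkts      # short flow: little reuse of a cached path
        s["dsts"].add(d)
        if d in LOCAL_NET and d not in LIVE_HOSTS:
            s["unused"].add(d)                # router would ARP for this and get no answer
    return stats

def find_scanners(flows, min_dsts=20, min_short_ratio=0.9):
    """Flag sources with high destination fan-out made up almost entirely of short flows."""
    flagged = {}
    for src, s in summarize(flows).items():
        ratio = s["short"] / s["flows"]
        if len(s["dsts"]) >= min_dsts and ratio >= min_short_ratio:
            flagged[src] = {"distinct_dsts": len(s["dsts"]),
                            "unused_dsts": len(s["unused"]),
                            "short_ratio": ratio}
    return flagged

if __name__ == "__main__":
    for src, info in find_scanners(make_sample_flows()).items():
        print(src, info)
```

The unused_dsts count per source approximates how many unanswered ARP requests that source caused on the local segment; thresholds need tuning against normal traffic on the network in question.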