[40294] in North American Network Operators' Group
Re: TCP session disconnection caused by Code Red?
daemon@ATHENA.MIT.EDU (Kevin Gannon)
Mon Aug 6 14:53:04 2001
Message-ID: <2992.159.134.227.30.997123875.squirrel@gannons.net>
Date: Mon, 6 Aug 2001 18:51:15 -0000 (GMT)
From: "Kevin Gannon" <kevin@gannons.net>
To: gherbert@retro.com
In-Reply-To: <200108061857.LAA02866@gw.retro.com>
Cc: meuon@highertech.net, nanog@merit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Errors-To: owner-nanog-outgoing@merit.edu

Some things that are worth looking at if you are running Ciscos
(I believe the original poster was):

http://www.cisco.com/warp/public/63/ts_codred_worm.html

Regards,
Kevin

> mike harrison <meuon@highertech.net> wrote
>>Blaz Zupan <blaz@amis.net> wrote:
>>> For the last few days, our network seems to be basically unreachable
>>> from the outside. Most incoming TCP sessions (web requests, incoming
>>> mail, telnet sessions, etc.) often fail with a simple "Connection
>>> refused" like nobody is
>>
>>Your routers are brain dead from the load.. routers that are used to
>>handling a few thousand connections are being asked to handle 10's of
>>thousands. 1 good 1000+ address scan from an ISDN user kills my
>>Lucent/Ascend TNT unless we filter for it.
>
> I've been told (but not given permission to forward details of
> who/how/what) that some major sites with a single router
> and relatively flat network topology are dying due to the ARP
> request flood that is being generated by Code Red scans on the
> inside of their border router choking the router. Check the
> rate of ARP requests coming off your border router and see if
> it seems excessive; if so, that may be it.
>
>
> -george william herbert
> gherbert@retro.com
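
Added example (not part of the original messages): one way to run the ARP-rate check suggested in the quoted reply, by counting ARP requests sent from the border router's inside address in `tcpdump -n` text output. The sample capture, the addresses and the per-second threshold are constructed assumptions.

```python
import re
from collections import Counter

# tcpdump -n text output, e.g.
#   18:51:15.000123 ARP, Request who-has 192.0.2.77 tell 192.0.2.1, length 28
#   18:51:15.000456 ARP, Reply 192.0.2.77 is-at 00:00:5e:00:53:07, length 46
REQ = re.compile(r"^(\d\d):(\d\d):(\d\d)\.\d+ .*?ARP, Request who-has "
                 r"(\S+?)(?: \(\S+\))? tell (\S+?),")
REP = re.compile(r"ARP, Reply (\S+) is-at ")

# Constructed sample capture (documentation addresses, not from the thread).
SAMPLE = (
    [f"18:51:15.{i:06d} ARP, Request who-has 192.0.2.{100 + i} tell 192.0.2.1, length 28"
     for i in range(6)]
    + ["18:51:15.500000 ARP, Reply 192.0.2.100 is-at 00:00:5e:00:53:64, length 46",
       "18:51:16.000001 ARP, Request who-has 192.0.2.1 tell 192.0.2.50, length 46",
       "18:51:16.000002 ARP, Request who-has 192.0.2.200 tell 192.0.2.1, length 28",
       "18:51:16.000003 ARP, Request who-has 192.0.2.201 tell 192.0.2.1, length 28",
       "18:51:16.100000 IP 192.0.2.50.1025 > 192.0.2.1.80: Flags [S], length 0"]
)

def arp_report(lines, router_ip, max_per_sec):
    """Summarise ARP requests sent by router_ip in tcpdump text output."""
    per_second, targets, answered = Counter(), set(), set()
    for line in lines:
        rep = REP.search(line)
        if rep:
            answered.add(rep.group(1))
            continue
        req = REQ.match(line)
        if req and req.group(5) == router_ip:
            h, m, s = (int(req.group(i)) for i in (1, 2, 3))
            per_second[h * 3600 + m * 60 + s] += 1
            targets.add(req.group(4))
    peak = max(per_second.values(), default=0)
    return {
        "total": sum(per_second.values()),
        "peak_per_sec": peak,
        "distinct_targets": len(targets),
        # Requests for addresses nobody answers are typical of scans
        # hitting unused address space behind the router.
        "unanswered_targets": len(targets - answered),
        "excessive": peak > max_per_sec,
    }

if __name__ == "__main__":
    # max_per_sec=5 is an arbitrary threshold for the toy sample; baseline your own network.
    print(arp_report(SAMPLE, "192.0.2.1", max_per_sec=5))
```

In practice the lines would come from a capture taken on the inside interface, and the threshold from the ARP rate the same segment shows on a normal day.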