TCP session disconnection caused by Code Red?

James Smith jsmith at PRESIDIO.com
Mon Aug 6 20:38:21 UTC 2001


I can see "connection refused" being caused by lack of resources (memory,
not CPU) caused by ARP requests not being resolved and waiting to time out. 

  What happens is that all the outstanding ARP requests use up all available
memory, so no buffers can be allocated for new incoming connections. Send
enough requests fast enough, looking for enough different IPs, memory gets
exhausted.

  Been there, seen it happen, tweaked the WellFleet/Bay/Nortel knob to limit
the amount of space used for ARP resolution, and solved the problem caused
by too many outstanding ARPs. Of course, I could have stuffed in more
memory, but limiting the space used for the process was easier.

James H. Smith II  NNCDS NNCSE
Systems Engineer
The Presidio Corporation


-----Original Message-----
From: George William Herbert [mailto:gherbert at retro.com]
Sent: Monday, August 06, 2001 2:57 PM
To: mike harrison; nanog at merit.edu
Subject: Re: TCP session disconnection caused by Code Red? 





mike harrison <meuon at highertech.net> wrote
>Blaz Zupan <blaz at amis.net> wrote:
>> For the last few days, our network seems to be basically unreachable from
>> the outside. Most incoming TCP sessions (web requests, incoming mail, telnet
>> sessions, etc.) often fail with a simple "Connection refused" like nobody is
>
>Your routers are brain dead from the load.. routers that are used to
>handling a few thousand connections are being asked to handle 10's of
>thousands. 1 good 1000+ address scan from an ISDN user kills my
>Lucent/Ascend TNT unless we filter for it. 

I've been told (but not given permission to forward details of
who/how/what) that some major sites with a single router
and relatively flat network topology are dying due to the ARP
request flood that is being generated by Code Red scans on the
inside of their border router choking the router.  Check the
rate of ARP requests coming off your border router and see if
it seems excessive; if so, that may be it.


-george william herbert
gherbert at retro.com
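
An added example, not part of either message: one way to do the check suggested above (the rate of ARP requests coming off the border router) from a text capture. It assumes lines in the format printed by `tcpdump -n arp`; the router address, the thresholds and the sample capture are constructed for illustration.

```python
import re
from collections import Counter

# Line shapes follow tcpdump's text output for ARP (assumed input format).
# The optional "(mac)" group covers requests printed with a target hardware address.
REQ = re.compile(r"^(\d\d:\d\d:\d\d)\.\d+ ARP, Request who-has (\S+)(?: \(\S+\))? tell ([^,\s]+)")
REP = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ARP, Reply (\S+) is-at ")

def arp_request_stats(lines, router_ip):
    """Summarise the ARP requests sent by router_ip in a tcpdump text capture."""
    per_second = Counter()          # "HH:MM:SS" -> requests sent by the router
    asked, answered = set(), set()  # targets the router asked for / hosts that replied
    for line in lines:
        m = REQ.match(line)
        if m:
            second, target, sender = m.groups()
            if sender == router_ip:
                per_second[second] += 1
                asked.add(target)
            continue
        m = REP.match(line)
        if m:
            answered.add(m.group(1))
    return {
        "peak_per_second": max(per_second.values(), default=0),
        "distinct_targets": len(asked),
        "unanswered_targets": len(asked - answered),  # entries left waiting to time out
    }

def looks_excessive(stats, max_rate=50, max_unanswered=100):
    # Thresholds are assumptions; baseline them against the router's normal traffic.
    return stats["peak_per_second"] > max_rate or stats["unanswered_targets"] > max_unanswered

def sample_capture():
    """Constructed capture: one resolved lookup, then 200 lookups for unused addresses."""
    lines = [
        "14:57:00.100000 ARP, Request who-has 192.0.2.10 tell 192.0.2.1, length 28",
        "14:57:00.100400 ARP, Reply 192.0.2.10 is-at 00:00:5e:00:53:0a, length 28",
        "14:57:01.500000 ARP, Request who-has 192.0.2.1 tell 192.0.2.10, length 28",
    ]
    for i in range(20, 220):
        lines.append(f"14:57:01.{i:06d} ARP, Request who-has 192.0.2.{i} tell 192.0.2.1, length 28")
    return lines

if __name__ == "__main__":
    stats = arp_request_stats(sample_capture(), "192.0.2.1")
    print(stats, "excessive" if looks_excessive(stats) else "normal")
```

The unanswered count is the figure that maps to the memory problem described in the reply: each unresolved target is an entry held until its ARP request times out.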