TCP session disconnection caused by Code Red?

Daniel Senie dts at senie.com
Mon Aug 6 22:37:42 UTC 2001


At 06:14 PM 8/6/01, Eric A. Hall wrote:

>Alex Bligh wrote:
>
> > 1. RFC826 appears to mandate only positive ARP caching. I can't
> >    see a reason why negative ARP caching shouldn't work this
> >    way:
> >
> >    Keep only one ARP request in flight at a time. Retry ARPs
> >    a maximum of [5] times, separated by at least [1] second.
> >    After that, cache non-existance of a h/w address for that
> >    IP address for normal positive caching time.
>
>The immediate problem with this is that it requires a *MUCH* larger ARP
>cache. Rather than needing enough memory for a couple of thousand active
>entries (the current norm for middle-of-the road routers), you need enough
>room for every possible address on every attached segment.
>
>[unsubstantiated conjecture] This may be what's killing the cable networks.
>If they are making room in the NAS ARP caches for the addresses that are
>being probed, then they are making room by flushing the "real" ARP entries,
>resulting in a constant flush/load cycle. [/uc, but exemplary of the problem
>with negative ARP caching.]

Adding to this conjecture, I'm seeing VERY high ARP rates (arp broadcast 
packets) arriving via the cable modem in my office. Also seeing a high rate 
of Code Red type attacks attempted at the machines attached. Firewall is 
just catching and logging them.
-----------------------------------------------------------------
Daniel Senie                                        dts at senie.com
Amaranth Networks Inc.                    http://www.amaranth.com




More information about the NANOG mailing list