TCP session disconnection caused by Code Red?
Jim Warner
warner at cats.UCSC.EDU
Tue Aug 7 00:04:46 UTC 2001
George Herbert (gherbert at retro.com) said:
I've been told (but not given permission to forward details of
who/how/what) that some major sites with a single router
and relatively flat network topology are dying due to the ARP
request flood that is being generated by Code Red scans on the
inside of their border router choking the router. Check the
rate of ARP requests coming off your border router and see if
it seems excessive; if so, that may be it.
My campus is now seeing around 500 packets per second of CodeRed
connection requests into blocks that total 130,000 addresses.
The work of ARPing for all that stuff is distributed across 6
routers (mostly Cisco RSM) and they're doing OK.
The experience at Cal State campuses is variable. They do tend to
have flat topologies behind a single entrance router. Our neighbors
at CSU Monterey Bay melted under the load _before_ CR-II emerged.
They had their upstream install an access list permitting an
explicit list of campus web servers and blocking port 80 to
everything else. Their router is mfg by Alcatel, a PowerRail
7652 OmniCore 5052. I don't have a lot of details about their
setup but I do know how big their assigned address pool is --
about 6000 addresses.
That leaves me wondering about the importance of quality of the
ARP implementation in the router code. I have heard that CSU Long
Beach (Cabletron router) had similar problems.
I'm looking for anyone that knows some details of Alcatel and
SSR routers that might help us understand this. I don't think
this is a case where the ingenuity of ASIC designers is the
important parameter. Have any of the router benchmarks dealt
with the capabilities and robustness of what I'm imagining must
be process-level parts of the a router implementation?
-jim warner, University of California Santa Cruz
More information about the NANOG
mailing list