Code Red

Jeff Ogden jogden at
Fri Jul 20 01:32:12 UTC 2001

Here at Merit we are seeing large numbers of Code Red infected hosts. 
These hosts may be on our regional network MichNet or they may be 
elsewhere out on the greater Internet. It is the port scanning of 
random IP address that causes problems, because the scanning in turn 
is causing network problems due to heavy ARP loads when the local 
site routers ARP for what turn out to be unused IP addresses.  This 
is an issue when there are large blocks of IP addresses behind a 
router. It is less of a problem when there is a relatively small 
number of IP addresses behind a router (say one class C worth). Are 
others seeing these sorts of problems?  What strategies are there for 
dealing with this?

What we've come up with so far is blocking inbound (inbound to the 
site) port 80 traffic on the LAN interface of the local site router 
(so outbound over the LAN interface).  This prevents the ARP 
problems. It also gives us some indication of which systems are 
infected. It has serious undesirable side effects (preventing 
legitimate Web access) and so we also have to reenable inbound port 
80 access for specific IP addresses that we know are Web servers or 
otherwise not vulnerable to Code Red. None of this solves the problem 
in any real sense. It just keeps performance reasonable and buys us 
time to work on or get others folks to work on real solutions. To 
solve the Code Red problem seems to require patching the vulnerable 
hosts or taking the vulnerable or infected hosts offline.

How long is it going to take to get every Windows NT, Windows 2000, 
and Windows XP system patched? We may be at this for a long time. I 
am not looking forward to this.

Any ideas for other approaches to the problem?

    -Jeff Ogden

More information about the NANOG mailing list