Code Red
Jeff Ogden
jogden at merit.edu
Fri Jul 20 01:32:12 UTC 2001
Here at Merit we are seeing large numbers of Code Red infected hosts.
These hosts may be on our regional network MichNet or they may be
elsewhere out on the greater Internet. It is the port scanning of
random IP addresses that causes problems, because the scanning in turn
is causing network problems due to heavy ARP loads when the local
site routers ARP for what turn out to be unused IP addresses. This
is an issue when there are large blocks of IP addresses behind a
router. It is less of a problem when there is a relatively small
number of IP addresses behind a router (say one class C worth). Are
others seeing these sorts of problems? What strategies are there for
dealing with this?
What we've come up with so far is blocking inbound (inbound to the
site) port 80 traffic on the LAN interface of the local site router
(so outbound over the LAN interface). This prevents the ARP
problems. It also gives us some indication of which systems are
infected. It has serious undesirable side effects (preventing
legitimate Web access) and so we also have to reenable inbound port
80 access for specific IP addresses that we know are Web servers or
otherwise not vulnerable to Code Red. None of this solves the problem
in any real sense. It just keeps performance reasonable and buys us
time to work on or get other folks to work on real solutions. To
solve the Code Red problem seems to require patching the vulnerable
hosts or taking the vulnerable or infected hosts offline.
How long is it going to take to get every Windows NT, Windows 2000,
and Windows XP system patched? We may be at this for a long time. I
am not looking forward to this.
Any ideas for other approaches to the problem?
-Jeff Ogden
Merit
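One way to turn the blocked LAN-side port-80 traffic into a list of likely infected hosts, as an added example that is not part of the original post: it assumes a hypothetical router deny-log line format and a fan-out threshold, and skips sources on an exempt list the way the ACL exceptions for known web servers do.

```python
"""Flag probable Code Red scanners from router port-80 deny logs.
Constructed example, not from the original post. Assumed log format:
"<epoch> deny tcp <src> -> <dst>:80"; the threshold is also an assumption.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(r"^(\d+) deny tcp (\d+(?:\.\d+){3}) -> (\d+(?:\.\d+){3}):80$")

def parse_denies(lines):
    """Yield (timestamp, src, dst) for each TCP/80 deny line; skip anything else."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3)

def find_scanners(lines, window=60, min_targets=20, exempt=frozenset()):
    """Return {src: peak_distinct_targets} for hosts that reached at least
    min_targets distinct addresses on TCP/80 within any `window` seconds.
    A client talks to a few servers; a worm fans out to random addresses.
    Sources in `exempt` (known web servers / patched hosts) are skipped."""
    events = defaultdict(list)  # src -> [(ts, dst), ...]
    for ts, src, dst in parse_denies(lines):
        if src not in exempt:
            events[src].append((ts, dst))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        seen = defaultdict(int)  # dst -> hits inside the current window
        start, peak = 0, 0
        for ts, dst in evs:
            seen[dst] += 1
            while ts - evs[start][0] > window:  # slide the window forward
                old = evs[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            peak = max(peak, len(seen))
        if peak >= min_targets:
            hits[src] = peak
    return hits

def sample_log():
    """Constructed sample: one infected host fanning out, one normal client."""
    lines = [f"{1000 + i} deny tcp 10.0.5.17 -> 203.0.113.{i + 1}:80" for i in range(25)]
    lines += [f"{1000 + i} deny tcp 10.0.5.3 -> 198.51.100.{i % 3 + 1}:80" for i in range(12)]
    lines.append("1010 permit tcp 10.0.5.3 -> 198.51.100.1:443")  # not a port-80 deny
    return lines
```

Running `find_scanners(sample_log())` reports only the host that fanned out to 25 distinct addresses; the normal client, which repeatedly reached three servers, stays below the threshold.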