Code Red

lucifer at lightbearer.com lucifer at lightbearer.com
Fri Jul 20 03:12:08 UTC 2001


Jeff Ogden wrote:
> 
> Here at Merit we are seeing large numbers of Code Red infected hosts. 
> These hosts may be on our regional network MichNet or they may be 
> elsewhere out on the greater Internet. It is the port scanning of 
> random IP address that causes problems, because the scanning in turn 
> is causing network problems due to heavy ARP loads when the local 
> site routers ARP for what turn out to be unused IP addresses.  This 
> is an issue when there are large blocks of IP addresses behind a 
> router. It is less of a problem when there is a relatively small 
> number of IP addresses behind a router (say one class C worth). Are 
> others seeing these sorts of problems?  What strategies are there for 
> dealing with this?

Reports from our monitoring systems saw the CPU usage jump by somewhere
between 150-200% for our core routers today; our current theory is that
much of this was caused by excessively short and rapid flows from the
probing, causing a lot of new paths to be learned (and rapidly discarded),
rather than being able to just switch it through.
-- 
***************************************************************************
Joel Baker                           System Administrator - lightbearer.com
lucifer at lightbearer.com              http://www.lightbearer.com/~lucifer



More information about the NANOG mailing list