Code Red
lucifer at lightbearer.com
lucifer at lightbearer.com
Fri Jul 20 03:12:08 UTC 2001
Jeff Ogden wrote:
>
> Here at Merit we are seeing large numbers of Code Red infected hosts.
> These hosts may be on our regional network MichNet or they may be
> elsewhere out on the greater Internet. It is the port scanning of
> random IP address that causes problems, because the scanning in turn
> is causing network problems due to heavy ARP loads when the local
> site routers ARP for what turn out to be unused IP addresses. This
> is an issue when there are large blocks of IP addresses behind a
> router. It is less of a problem when there is a relatively small
> number of IP addresses behind a router (say one class C worth). Are
> others seeing these sorts of problems? What strategies are there for
> dealing with this?
Reports from our monitoring systems saw the CPU usage jump by somewhere
between 150-200% for our core routers today; our current theory is that
much of this was caused by excessively short and rapid flows from the
probing, causing a lot of new paths to be learned (and rapidly discarded),
rather than being able to just switch it through.
--
***************************************************************************
Joel Baker System Administrator - lightbearer.com
lucifer at lightbearer.com http://www.lightbearer.com/~lucifer
More information about the NANOG
mailing list