Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: Code Red

  • From: Jeff Ogden
  • Date: Thu Jul 19 21:36:25 2001

Here at Merit we are seeing large numbers of Code Red infected hosts. These hosts may be on our regional network MichNet or they may be elsewhere out on the greater Internet. It is the port scanning of random IP addresses that causes problems, because the scanning in turn is causing network problems due to heavy ARP loads when the local site routers ARP for what turn out to be unused IP addresses. This is an issue when there are large blocks of IP addresses behind a router. It is less of a problem when there is a relatively small number of IP addresses behind a router (say one class C worth). Are others seeing these sorts of problems? What strategies are there for dealing with this?

What we've come up with so far is blocking inbound (inbound to the site) port 80 traffic on the LAN interface of the local site router (so outbound over the LAN interface). This prevents the ARP problems. It also gives us some indication of which systems are infected. It has serious undesirable side effects (preventing legitimate Web access) and so we also have to reenable inbound port 80 access for specific IP addresses that we know are Web servers or otherwise not vulnerable to Code Red. None of this solves the problem in any real sense. It just keeps performance reasonable and buys us time to work on or get other folks to work on real solutions. To solve the Code Red problem seems to require patching the vulnerable hosts or taking the vulnerable or infected hosts offline.

How long is it going to take to get every Windows NT, Windows 2000, and Windows XP system patched? We may be at this for a long time. I am not looking forward to this.

Any ideas for other approaches to the problem?

-Jeff Ogden
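
The filtering approach described in the message above, modelled as an added example that is not part of the original post: it counts how many ARP requests for unused addresses the site router would issue with and without the port 80 filter, and tallies the sources whose packets the filter drops. The address block, host lists, packet records and the one-ARP-per-packet simplification are all assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# All addresses below are constructed sample values (assumptions).
SITE = ipaddress.ip_network("10.20.0.0/16")   # large block behind the site router
LIVE_HOSTS = {"10.20.1.10", "10.20.1.11", "10.20.7.5"}
WEB_ALLOWLIST = {"10.20.1.10"}                # known Web servers re-enabled for port 80

# Constructed packets arriving for the site: (source, destination, TCP dest port)
PACKETS = [
    ("192.0.2.44",   "10.20.1.10",  80),  # request to an allowlisted Web server
    ("198.51.100.7", "10.20.200.3", 80),  # scan of an unused address
    ("198.51.100.7", "10.20.13.77", 80),  # scan of an unused address
    ("198.51.100.7", "10.20.1.11",  80),  # live host, not allowlisted: dropped too
    ("203.0.113.9",  "10.20.99.1",  80),  # scan of an unused address
    ("192.0.2.60",   "10.20.7.5",   25),  # non-Web traffic to a live host
    ("192.0.2.61",   "10.20.50.50", 25),  # non-Web traffic to an unused address
]

def evaluate(packets, filter_enabled):
    """Return (ARP requests for unused addresses, Counter of filtered sources).

    Simplified model: the router ARPs once for every forwarded packet whose
    destination has no live host; real routers also cache and rate-limit.
    """
    arp_unused, denied = 0, Counter()
    for src, dst, port in packets:
        if ipaddress.ip_address(dst) not in SITE:
            continue
        if filter_enabled and port == 80 and dst not in WEB_ALLOWLIST:
            denied[src] += 1      # dropped at the LAN interface, so no ARP is sent
            continue
        if dst not in LIVE_HOSTS:
            arp_unused += 1       # router ARPs and nothing answers
    return arp_unused, denied

def report():
    """Compare ARP load before and after the filter and rank filtered sources."""
    before, _ = evaluate(PACKETS, filter_enabled=False)
    after, denied = evaluate(PACKETS, filter_enabled=True)
    return before, after, denied.most_common()

if __name__ == "__main__":
    before, after, suspects = report()
    print(f"ARPs for unused addresses: {before} unfiltered, {after} filtered")
    for src, hits in suspects:
        print(f"{src}: {hits} filtered port 80 packets")
```

A source with a single filtered packet may be a legitimate client of a Web server that is not yet on the allowlist, so the tally is an indication of scanning hosts rather than proof of infection.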
