North American Network Operators Group
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Historical
Re: Code Red
- From: lucifer
- Date: Thu Jul 19 23:15:58 2001
Jeff Ogden wrote:
>
> Here at Merit we are seeing large numbers of Code Red infected hosts.
> These hosts may be on our regional network MichNet or they may be
> elsewhere out on the greater Internet. It is the port scanning of
> random IP address that causes problems, because the scanning in turn
> is causing network problems due to heavy ARP loads when the local
> site routers ARP for what turn out to be unused IP addresses. This
> is an issue when there are large blocks of IP addresses behind a
> router. It is less of a problem when there is a relatively small
> number of IP addresses behind a router (say one class C worth). Are
> others seeing these sorts of problems? What strategies are there for
> dealing with this?
Reports from our monitoring systems saw the CPU usage jump by somewhere
between 150-200% for our core routers today; our current theory is that
much of this was caused by excessively short and rapid flows from the
probing, causing a lot of new paths to be learned (and rapidly discarded),
rather than being able to just switch it through.
--
***************************************************************************
Joel Baker System Administrator - lightbearer.com
lucifer@lightbearer.com http://www.lightbearer.com/~lucifer
|
