Merit Network
Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Re: Code Red

  • From: Bill Woodcock
  • Date: Thu Jul 19 23:32:54 2001


    > Reports from our monitoring systems saw the CPU usage jump by somewhere
    > between 150-200% for our core routers today

I just got off the phone with the TAC about this, and received the
following _preliminary_ advice:

1) If it's not enabled, turn on CEF, to move some of the packet-forwarding
   load off the processor and into hardware.  For some reason, a lot of
   this traffic is being process-switched, as evidenced by high "IP
   Input" cpu loads.

2) If you can, put in an ACL which prohibits port-80 traffic destined _to
   the interfaces of the router itself_.  Since the destination IP
   addresses of the packets which constitute the attack itself are
   random, many of them will be addressed to your routers, rather than to
   hosts, and those will _always_ be process switched, if they're not
   blocked by an inbound ACL.

It goes without saying that you should have a "no http server" line in any
production router.

                                -Bill

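An added example, not part of Bill's post, showing what the three recommendations above look like as a Cisco IOS configuration fragment; the interface names and addresses (Serial0/0, FastEthernet0/0, 203.0.113.x) are placeholders, and each router interface address has to be listed explicitly in the ACL.

```cisco
! Added example config (placeholder interfaces/addresses), not from the post.
!
! 1) Enable CEF so transit traffic is CEF-switched instead of process-switched
!    (high "IP Input" in 'show processes cpu' is the symptom of the latter).
ip cef
!
! Never run the HTTP server on a production router.
no ip http server
!
! 2) Drop TCP/80 traffic addressed to the router's own interface addresses.
!    Only packets destined for the router itself are denied; transit HTTP
!    traffic to hosts behind the router is still permitted by the last line.
ip access-list extended BLOCK-HTTP-TO-ROUTER
 deny   tcp any host 203.0.113.1 eq 80
 deny   tcp any host 203.0.113.5 eq 80
 permit ip any any
!
! Apply the ACL inbound on every interface that can receive the traffic.
interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
 ip access-group BLOCK-HTTP-TO-ROUTER in
!
interface FastEthernet0/0
 ip address 203.0.113.5 255.255.255.0
 ip access-group BLOCK-HTTP-TO-ROUTER in
!
! Verification after applying:
!   show ip interface Serial0/0          (look for "IP CEF switching is enabled")
!   show processes cpu | include IP Input (process-switching load should drop)
!   show access-lists BLOCK-HTTP-TO-ROUTER (match counters on the deny lines)
```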