North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: Code Red
Jeff Ogden wrote: > > Here at Merit we are seeing large numbers of Code Red infected hosts. > These hosts may be on our regional network MichNet or they may be > elsewhere out on the greater Internet. It is the port scanning of > random IP address that causes problems, because the scanning in turn > is causing network problems due to heavy ARP loads when the local > site routers ARP for what turn out to be unused IP addresses. This > is an issue when there are large blocks of IP addresses behind a > router. It is less of a problem when there is a relatively small > number of IP addresses behind a router (say one class C worth). Are > others seeing these sorts of problems? What strategies are there for > dealing with this? Reports from our monitoring systems saw the CPU usage jump by somewhere between 150-200% for our core routers today; our current theory is that much of this was caused by excessively short and rapid flows from the probing, causing a lot of new paths to be learned (and rapidly discarded), rather than being able to just switch it through. -- *************************************************************************** Joel Baker System Administrator - lightbearer.com [email protected] http://www.lightbearer.com/~lucifer
|