North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: TCP session disconnection caused by Code Red?

  • From: Kevin Gannon
  • Date: Mon Aug 06 14:55:05 2001

Some things that are worth looking if you are running Cisco's
( I blieve the original poster was):


> mike harrison <[email protected]> wrote
>>Blaz Zupan <[email protected]> wrote:
>>> For the last few days, our network seems to be basically unreachable
>>> from the outside. Most incoming TCP sessions (web requests, incoming
>>> mail, telnet sessions, etc.) often fail with a simple "Connection
>>> refused" like nobody is
>>Your routers are brain dead from the load.. routers that are used to
>>handling a few thousand connections are being asked to handle 10's of
>>thousands. 1 good 1000+ address scan from an ISDN user kills my
>>Lucent/Ascend TNT unless we filter for it. 
> I've been told (but not given permission to forward details of
> who/how/what) that some major sites with a single router
> and relatively flat network topology are dying due to the ARP
> request flood that is being generated by Code Red scans on the
> inside of their border router choking the router.  Check the
> rate of ARP requests coming off your border router and see if
> it seems excessive; if so, that may be it.
> -george william herbert
> [email protected]