RE: TCP session disconnection caused by Code Red?

• From: James Smith
• Date: Mon Aug 06 16:41:05 2001

I can see "connection refused" being caused by lack of resources (memory, not CPU) caused by ARP requests not being resolved and waiting to time out.

  What happens is that all the outstanding ARP requests use up all available memory, so no buffers can be allocated for new incoming connections. Send enough requests fast enough, looking for enough different IP's, memory gets exhausted.

  Been there, seen it happen, tweaked the WellFleet/Bay/Nortel knob to limit the amount of space used for ARP resolution, and solved the problem caused by too many outstanding ARPs. Of course, I could have stuffed in more memory, but limiting the space used for the process was easier.

James H. Smith II  NNCDS NNCSE
Systems Engineer
The Presidio Corporation

-----Original Message-----
From: George William Herbert [mailto:[email protected]]
Sent: Monday, August 06, 2001 2:57 PM
To: mike harrison; [email protected]
Subject: Re: TCP session disconnection caused by Code Red?

mike harrison <[email protected]> wrote
>Blaz Zupan <[email protected]> wrote:
>> For the last few days, our network seems to be basically unreachable from the
>> outside. Most incoming TCP sessions (web requests, incoming mail, telnet
>> sessions, etc.) often fail with a simple "Connection refused" like nobody is
>
>Your routers are brain dead from the load.. routers that are used to
>handling a few thousand connections are being asked to handle 10's of
>thousands. 1 good 1000+ address scan from an ISDN user kills my
>Lucent/Ascend TNT unless we filter for it.

I've been told (but not given permission to forward details of
who/how/what) that some major sites with a single router
and relatively flat network topology are dying due to the ARP
request flood that is being generated by Code Red scans on the
inside of their border router choking the router.  Check the
rate of ARP requests coming off your border router and see if
it seems excessive; if so, that may be it.

-george william herbert
[email protected]

• Follow-Ups:
  • RE: TCP session disconnection caused by Code Red? Blaz Zupan

• Prev by Date: Re: TCP session disconnection caused by Code Red?
• Next by Date: Re: TCP session disconnection caused by Code Red?
• Date Index
• Thread Index
• Author Index
• Historical