nanog mailing list archives
Re: TCP session disconnection caused by Code Red?
From: Jim Warner <warner () cats UCSC EDU>
Date: Mon, 6 Aug 2001 17:04:46 -0700 (PDT)
George Herbert (gherbert () retro com) said: I've been told (but not given permission to forward details of who/how/what) that some major sites with a single router and relatively flat network topology are dying due to the ARP request flood that is being generated by Code Red scans on the inside of their border router choking the router. Check the rate of ARP requests coming off your border router and see if it seems excessive; if so, that may be it. My campus is now seeing around 500 packets per second of CodeRed connection requests into blocks that total 130,000 addresses. The work of ARPing for all that stuff is distributed across 6 routers (mostly Cisco RSM) and they're doing OK. The experience at Cal State campuses is variable. They do tend to have flat topologies behind a single entrance router. Our neighbors at CSU Monterey Bay melted under the load _before_ CR-II emerged. They had their upstream install an access list permitting an explicit list of campus web servers and blocking port 80 to everything else. Their router is mfg by Alcatel, a PowerRail 7652 OmniCore 5052. I don't have a lot of details about their setup but I do know how big their assigned address pool is -- about 6000 addresses. That leaves me wondering about the importance of quality of the ARP implementation in the router code. I have heard that CSU Long Beach (Cabletron router) had similar problems. I'm looking for anyone that knows some details of Alcatel and SSR routers that might help us understand this. I don't think this is a case where the ingenuity of ASIC designers is the important parameter. Have any of the router benchmarks dealt with the capabilities and robustness of what I'm imagining must be process-level parts of the a router implementation? -jim warner, University of California Santa Cruz
Current thread:
- Re: TCP session disconnection caused by Code Red?, (continued)
- Re: TCP session disconnection caused by Code Red? Blaz Zupan (Aug 06)
- Re: TCP session disconnection caused by Code Red? George William Herbert (Aug 06)
- Re: TCP session disconnection caused by Code Red? Kevin Gannon (Aug 06)
- Re: TCP session disconnection caused by Code Red? Alex Bligh (Aug 06)
- Re: TCP session disconnection caused by Code Red? Craig Partridge (Aug 06)
- Re: TCP session disconnection caused by Code Red? Eric A. Hall (Aug 06)
- Re: TCP session disconnection caused by Code Red? Daniel Senie (Aug 06)
- RE: TCP session disconnection caused by Code Red? David Schwartz (Aug 06)
- RE: TCP session disconnection caused by Code Red? James Smith (Aug 06)
- RE: TCP session disconnection caused by Code Red? Blaz Zupan (Aug 06)
- Re: TCP session disconnection caused by Code Red? Jim Warner (Aug 06)