nanog mailing list archives
Re: Code Red
From: Bill Woodcock <woody () zocalo net>
Date: Thu, 19 Jul 2001 20:29:30 -0700 (PDT)
> Reports from our monitoring systems saw the CPU usage jump by somewhere
> between 150-200% for our core routers today

I just got off the phone with the TAC about this, and received the following _preliminary_ advice:

1) If it's not enabled, turn on CEF, to move some of the packet-forwarding load off the processor and into hardware. For some reason, a lot of this traffic is being process-switched, as evidenced by high "IP Input" cpu loads.

2) If you can, put in an ACL which prohibits port-80 traffic destined _to the interfaces of the router itself_. Since the destination IP addresses of the packets which constitute the attack itself are random, many of them will be addressed to your routers, rather than to hosts, and those will _always_ be process switched, if they're not blocked by an inbound ACL.

It goes without saying that you should have a "no http server" line in any production router.

-Bill
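The advice in the message above, written out as a Cisco IOS configuration fragment. This is an added example and not part of the original post; the addresses (RFC 5737 documentation ranges), interface names and ACL number 110 are constructed placeholders, and the HTTP server line is given in its IOS form, `no ip http server`.

```cisco
! Constructed example: addresses, interface names and ACL number 110
! are placeholders, not values from the post.
!
! 1) Enable CEF globally so forwarded traffic is CEF-switched.
ip cef
!
! Disable the router's built-in HTTP server.
no ip http server
!
! 2) Drop TCP port 80 aimed at the router's own addresses.
!    One deny line per address configured on the router, loopbacks included.
access-list 110 deny   tcp any host 192.0.2.1 eq 80
access-list 110 deny   tcp any host 198.51.100.1 eq 80
access-list 110 deny   tcp any host 203.0.113.1 eq 80
! Everything else, including port-80 traffic to hosts behind the router,
! is still permitted and forwarded as before.
access-list 110 permit ip any any
!
! Apply the ACL inbound on the interfaces where traffic enters.
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 ip access-group 110 in
!
interface FastEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 ip access-group 110 in
!
interface Loopback0
 ip address 203.0.113.1 255.255.255.255
!
! Checks from exec mode afterwards:
!   show access-lists 110   (per-line match counters)
!   show processes cpu      (watch the "IP Input" process)
```

The deny lines need to be kept in step with the router's addressing: an interface address added later without a matching deny entry is not covered by the ACL.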