Jeff Ogden wrote:
Here at Merit we are seeing large numbers of Code Red infected hosts. These hosts may be on our regional network MichNet or they may be elsewhere out on the greater Internet. It is the port scanning of random IP addresses that causes problems, because the scanning in turn is causing network problems due to heavy ARP loads when the local site routers ARP for what turn out to be unused IP addresses. This is an issue when there are large blocks of IP addresses behind a router. It is less of a problem when there is a relatively small number of IP addresses behind a router (say one class C worth). Are others seeing these sorts of problems? What strategies are there for dealing with this?
Reports from our monitoring systems saw the CPU usage jump by somewhere between 150-200% for our core routers today; our current theory is that much of this was caused by excessively short and rapid flows from the probing, causing a lot of new paths to be learned (and rapidly discarded), rather than being able to just switch it through.

--
***************************************************************************
Joel Baker
System Administrator - lightbearer.com
lucifer@lightbearer.com
http://www.lightbearer.com/~lucifer
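Added example, not part of either message: a sketch of how flow records could be summarized to find sources showing both symptoms described in this thread, many short flows and probes landing on unused addresses that force the router to ARP. The record layout, the documentation-range addresses, the thresholds and the choice of TCP port 80 (the port Code Red probes) are assumptions made for the illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records: (src, dst, dst_port, packets).
# Addresses come from documentation ranges; none are from the thread.
FLOWS = [
    ("198.51.100.7", "192.0.2.10", 80, 3),
    ("198.51.100.7", "192.0.2.77", 80, 1),
    ("198.51.100.7", "192.0.2.130", 80, 1),
    ("198.51.100.7", "192.0.2.201", 80, 1),
    ("203.0.113.5", "192.0.2.10", 80, 42),
    ("203.0.113.5", "192.0.2.10", 80, 17),
    ("203.0.113.9", "192.0.2.20", 25, 12),
]
LOCAL_PREFIX = ipaddress.ip_network("192.0.2.0/24")  # block behind the router
LIVE_HOSTS = {"192.0.2.10", "192.0.2.20"}            # addresses actually in use


def summarize(flows, prefix, live, port=80, max_pkts=3):
    """Per source: distinct destinations probed with short flows, and how many
    of those are unused addresses in `prefix` (each one makes the router ARP)."""
    dsts = defaultdict(set)
    for src, dst, dport, pkts in flows:
        if dport == port and pkts <= max_pkts:
            dsts[src].add(dst)
    report = {}
    for src, seen in dsts.items():
        unused = {d for d in seen
                  if ipaddress.ip_address(d) in prefix and d not in live}
        report[src] = {"fanout": len(seen), "arp_misses": len(unused)}
    return report


def likely_scanners(report, min_fanout=3, min_miss_ratio=0.5):
    """Sources with wide fan-out where most probes hit unused addresses."""
    return sorted(src for src, r in report.items()
                  if r["fanout"] >= min_fanout
                  and r["arp_misses"] / r["fanout"] >= min_miss_ratio)


if __name__ == "__main__":
    rep = summarize(FLOWS, LOCAL_PREFIX, LIVE_HOSTS)
    for src in likely_scanners(rep):
        print(src, rep[src])
```

The larger the block behind the router and the fewer addresses in use, the higher `arp_misses` climbs for the same scan, which matches the observation that a single class C suffers less.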