Code Red -> Router Memory depletion?
We've seen two routers experiencing problems this AM that appear to be related to client servers infected with the IIS Code Red virus. I say appear because of the timing with cpu profiles on downstream routers where infections broke out, but I don't have any direct evidence.

The first one was a border router:

Jul 19 08:00:47 5093: 2w5d: %SYS-2-MALLOCFAIL: Memory allocation of 65540 bytes failed from 0x603BF35C, pool Processor, alignment 0
Jul 19 08:00:47 5094: -Process= "BGP Router", ipl= 0, pid= 86

# sh ver
uptime is 4 hours, 46 minutes
System returned to ROM by bus error at PC 0x603BFCFC, address 0xFFFFFFF0 at 05:57:21 UTC Thu Jul 19 2001

The other one is a client aggregation router

Jul 19 12:02:49 192: %SYS-2-MALLOCFAIL: Memory allocation of 1964 bytes failed from 0x314DA4A, pool Processor, alignment 0
Jul 19 12:02:49 193: -Process= "OSPF Router", ipl= 0, pid= 32

(This router is still functioning, but not allowing any incoming connections on telnet).

-Mike
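The MALLOCFAIL entries quoted in the message above come as two-line events, so correlating them across routers means pairing each failure with its "-Process=" continuation. The following is an added example, not part of the original post; the function names are hypothetical, and it assumes the number after the timestamp is a per-device sequence number, as the consecutive values in the quoted lines suggest.

```python
import re
from collections import Counter

# The four log lines quoted in the thread (two routers, two lines per event).
SAMPLE = """\
Jul 19 08:00:47 5093: 2w5d: %SYS-2-MALLOCFAIL: Memory allocation of 65540 bytes failed from 0x603BF35C, pool Processor, alignment 0
Jul 19 08:00:47 5094: -Process= "BGP Router", ipl= 0, pid= 86
Jul 19 12:02:49 192: %SYS-2-MALLOCFAIL: Memory allocation of 1964 bytes failed from 0x314DA4A, pool Processor, alignment 0
Jul 19 12:02:49 193: -Process= "OSPF Router", ipl= 0, pid= 32
"""

HEAD = r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<seq>\d+):"
MALLOCFAIL = re.compile(
    HEAD + r".*?%SYS-2-MALLOCFAIL: Memory allocation of (?P<bytes>\d+) bytes "
    r"failed from (?P<caller>0x[0-9A-Fa-f]+), pool (?P<pool>[^,]+), alignment \d+")
PROCESS = re.compile(
    HEAD + r'\s+-Process= "(?P<name>[^"]+)", ipl= \d+, pid= (?P<pid>\d+)')


def parse_mallocfail(text):
    """Pair each MALLOCFAIL line with the -Process= continuation that follows it.

    Assumption: the number after the timestamp is a per-device sequence number,
    so the continuation line carries the failure's sequence number plus one.
    """
    events, pending = [], None
    for line in text.splitlines():
        fail = MALLOCFAIL.match(line)
        if fail:
            if pending:                      # previous failure had no continuation
                events.append(pending)
            pending = {"ts": fail["ts"], "seq": int(fail["seq"]),
                       "bytes": int(fail["bytes"]), "caller": fail["caller"],
                       "pool": fail["pool"], "process": None, "pid": None}
            continue
        proc = PROCESS.match(line)
        if proc and pending and int(proc["seq"]) == pending["seq"] + 1:
            pending.update(process=proc["name"], pid=int(proc["pid"]))
            events.append(pending)
            pending = None
    if pending:
        events.append(pending)
    return events


def failures_by_process(events):
    """Count failures per (pool, process) to show which process hit them."""
    return Counter((e["pool"], e["process"]) for e in events)
```

Run over a day's syslog from several devices, the per-process counts show whether the failures cluster in routing processes, as they do in the two events above.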
On Thu, Jul 19, 2001 at 01:00:24PM -0600, Mike Lewinski exclaimed:
> We've seen two routers experiencing problems this AM that appear to be related to client servers infected with the IIS Code Red virus. I say appear because of the timing with cpu profiles on downstream routers where infections broke out, but I don't have any direct evidence.

http://www.securityfocus.com/archive/1/198006

This may or may not be related to the problem you are experiencing, but I figured it was worth mentioning for those that haven't gotten around to skimming BUGTRAQ today.

--
Scott Francis darkuncle@ [home:] d a r k u n c l e . n e t
Systems/Network Manager sfrancis@ [work:] t o n o s . c o m
UNIX | IP networks | security | sysadmin | caffeine | BOFH | general geekery
GPG public key 0xCB33CCA7
illum oportet crescere me autem minui
On Thu, Jul 19, 2001 at 12:37:37PM -0700, Scott Francis exclaimed:
> http://www.securityfocus.com/archive/1/198006
>
> This may or may not be related to the problem you are experiencing, but I figured it was worth mentioning for those that haven't gotten around to skimming BUGTRAQ today.

doh ... just read mike's cross-post on BUGTRAQ. never mind me then. I can only cover lists in sequential order ... :)

--
Scott Francis darkuncle@ [home:] d a r k u n c l e . n e t
Systems/Network Manager sfrancis@ [work:] t o n o s . c o m
UNIX | IP networks | security | sysadmin | caffeine | BOFH | general geekery
GPG public key 0xCB33CCA7
illum oportet crescere me autem minui
Hi,

Anyone have the number to the NOC/NCC for Hostcentric?

tia

--
amar
Telia Net
On Thu, 19 Jul 2001, Mike Lewinski wrote:
> We've seen two routers experiencing problems this AM that appear to be related to client servers infected with the IIS Code Red virus. I say appear because of the timing with cpu profiles on downstream routers where infections broke out, but I don't have any direct evidence.
>
> The first one was a border router:
>
> Jul 19 08:00:47 5093: 2w5d: %SYS-2-MALLOCFAIL: Memory allocation of 65540 bytes failed from 0x603BF35C, pool Processor, alignment 0
> Jul 19 08:00:47 5094: -Process= "BGP Router", ipl= 0, pid= 86
>
> # sh ver
> uptime is 4 hours, 46 minutes
> System returned to ROM by bus error at PC 0x603BFCFC, address 0xFFFFFFF0 at 05:57:21 UTC Thu Jul 19 2001
>
> The other one is a client aggregation router
>
> Jul 19 12:02:49 192: %SYS-2-MALLOCFAIL: Memory allocation of 1964 bytes failed from 0x314DA4A, pool Processor, alignment 0
> Jul 19 12:02:49 193: -Process= "OSPF Router", ipl= 0, pid= 32
>
> (This router is still functioning, but not allowing any incoming connections on telnet).
>
> -Mike

We saw nearly the same thing at about 1pm today. Definitely "Code Red" related. We're seeing over a thousand pps of "Code Red" scanning traffic.

Joy Joy

---
John Fraizer
EnterZone, Inc
Almost a year ago I started graphing memory utilization on our core routers. The resulting graphs were so boring to look at (flatlined) that I forgot about them until today...

A sample 3640 running OSPF but no BGP:

http://www.rockynet.com/memory/

The general trends on the above graph look pretty similar at our borders also. Graphs that have been flatlined for the last 11 months are suddenly getting interesting.

Mike
participants (4)
- amar
- John Fraizer
- Mike Lewinski
- Scott Francis