connected to a client how?

Over on the NANOG list today there is a long discussion about Code Red. The
following is an excerpt from one of the mails:

-----------
Here at Merit we are seeing large numbers of Code Red infected hosts.
These hosts may be on our regional network MichNet or they may be
elsewhere out on the greater Internet. It is the port scanning of
random IP addresses that causes problems, because the scanning in turn
is causing network problems due to heavy ARP loads when the local
site routers ARP for what turn out to be unused IP addresses.  This
is an issue when there are large blocks of IP addresses behind a
router. It is less of a problem when there is a relatively small
number of IP addresses behind a router (say one class C worth). Are
others seeing these sorts of problems?  What strategies are there for
dealing with this?

What we've come up with so far is blocking inbound (inbound to the
site) port 80 traffic on the LAN interface of the local site router
(so outbound over the LAN interface).  This prevents the ARP
problems. It also gives us some indication of which systems are
infected. It has serious undesirable side effects (preventing
legitimate Web access) and so we also have to reenable inbound port
80 access for specific IP addresses that we know are Web servers or
otherwise not vulnerable to Code Red. None of this solves the problem
in any real sense. It just keeps performance reasonable and buys us
time to work on or get other folks to work on real solutions. To
solve the Code Red problem seems to require patching the vulnerable
hosts or taking the vulnerable or infected hosts offline.
---------

Is it possible you are a victim of such an attack?

Chuck


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 19, 2001 1:02 PM
To: [EMAIL PROTECTED]
Subject: ARP Input Problem [7:13003]


I have a weird one....we have a client that is connected to us via
ethernet.  We have a 7513 on our side and they have a 2621.  They are
receiving a LOT of arp input, so much in fact that their router is maxed out
at 100%.  The sh proc cpu shows arp input as the culprit....

When you do a sh arp, the only entry that should be in their 2621 is our
7513 with the proper IP and MAC combo....but instead the arp table (in the
client's 2621) goes on forever and shows random IPs associated with the MAC
of our 7513 FA....

Any help would be greatly appreciated.....

Thx

Chris
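
The symptom in the original message (an ARP table full of random IPs that all map to one MAC) can be checked from saved `sh arp` output. This is an added example, not part of either post; the sample output, addresses, MACs and the threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `show arp` output; addresses and MACs are made up.
SAMPLE_SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.1               3   0010.7b3a.1c00  ARPA   FastEthernet0/0
Internet  192.0.2.2               -   0003.e3aa.0001  ARPA   FastEthernet0/0
Internet  198.51.100.17           0   0010.7b3a.1c00  ARPA   FastEthernet0/0
Internet  203.0.113.201           0   0010.7b3a.1c00  ARPA   FastEthernet0/0
Internet  198.51.100.94           1   0010.7b3a.1c00  ARPA   FastEthernet0/0
Internet  203.0.113.5             0   Incomplete      ARPA
"""

ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<age>-|\d+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}|Incomplete)\s+ARPA"
)

def parse_show_arp(text):
    """Return (ip, mac) pairs; mac is None for unresolved (Incomplete) entries."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            mac = m.group("mac").lower()
            entries.append((m.group("ip"), None if mac == "incomplete" else mac))
    return entries

def summarize(text, max_ips_per_mac=2):
    """Return ({mac: [ips]} for MACs above the threshold, count of unresolved entries)."""
    by_mac = defaultdict(set)
    incomplete = 0
    for ip, mac in parse_show_arp(text):
        if mac is None:
            incomplete += 1
        else:
            by_mac[mac].add(ip)
    suspects = {m: sorted(ips) for m, ips in by_mac.items() if len(ips) > max_ips_per_mac}
    return suspects, incomplete

if __name__ == "__main__":
    suspects, incomplete = summarize(SAMPLE_SHOW_ARP)
    for mac, ips in suspects.items():
        print(f"{mac}: {len(ips)} addresses, e.g. {ips[:3]}")
    print(f"unresolved entries: {incomplete}")
```
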




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13038&t=13003