nanog mailing list archives
RE: TCP session disconnection caused by Code Red?
From: James Smith <jsmith () PRESIDIO com>
Date: Mon, 6 Aug 2001 16:38:21 -0400
I can see "connection refused" being caused by lack of resources (memory, not CPU) caused by ARP requests not being resolved and waiting to time out. What happens is that all the outstanding ARP requests use up all available memory, so no buffers can be allocated for new incoming connections. Send enough requests fast enough, looking for enough different IP's, memory gets exhausted. Been there, seen it happen, tweaked the WellFleet/Bay/Nortel knob to limit the amount of space used for ARP resolution, and solved the problem caused by too many outstanding ARPs. Of course, I could have stuffed in more memory, but limiting the space used for the process was easier.

James H. Smith II NNCDS NNCSE
Systems Engineer
The Presidio Corporation

-----Original Message-----
From: George William Herbert [mailto:gherbert () retro com]
Sent: Monday, August 06, 2001 2:57 PM
To: mike harrison; nanog () merit edu
Subject: Re: TCP session disconnection caused by Code Red?

mike harrison <meuon () highertech net> wrote:
> Blaz Zupan <blaz () amis net> wrote:
>> For the last few days, our network seems to be basically unreachable from the
>> outside. Most incoming TCP sessions (web requests, incoming mail, telnet sessions, etc.) often fail with a simple "Connection refused" like nobody is
>
> Your routers are brain dead from the load.. routers that are used to handling a few thousand connections are being asked to handle 10's of thousands. 1 good 1000+ address scan from an ISDN user kills my Lucent/Ascend TNT unless we filter for it.

I've been told (but not given permission to forward details of who/how/what) that some major sites with a single router and relatively flat network topology are dying due to the ARP request flood that is being generated by Code Red scans on the inside of their border router choking the router. Check the rate of ARP requests coming off your border router and see if it seems excessive; if so, that may be it.

-george william herbert
gherbert () retro com
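
The check suggested at the end of the message above (measuring the rate of ARP requests coming off a border router), as an added example that is not part of the original thread. It assumes `tcpdump -n arp` text output captured on the inside segment; the sample lines are constructed and the threshold is a hypothetical value to tune per site.

```python
import re
from collections import defaultdict

# One line of `tcpdump -n arp` output looks like:
# 16:38:21.000100 ARP, Request who-has 192.0.2.17 tell 192.0.2.1, length 28
ARP_REQ = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2})\.\d+ ARP, Request who-has (\S+)"
    r"(?: \([^)]*\))? tell ([^,\s]+)"
)

def arp_request_stats(lines):
    """Return {sender: {second_of_day: set(target IPs asked for)}}."""
    stats = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = ARP_REQ.match(line)
        if not m:
            continue  # ARP replies and non-ARP lines are ignored
        h, mi, s, target, sender = m.groups()
        stats[sender][int(h) * 3600 + int(mi) * 60 + int(s)].add(target)
    return stats

def excessive_senders(lines, max_targets_per_sec=4):
    """Senders whose peak count of distinct ARP targets in any one second
    exceeds max_targets_per_sec (assumed threshold). Distinct targets matter
    because each unanswered one holds a pending entry until it times out."""
    flagged = {}
    for sender, per_sec in arp_request_stats(lines).items():
        peak = max(len(targets) for targets in per_sec.values())
        if peak > max_targets_per_sec:
            flagged[sender] = peak
    return flagged

# Constructed sample: router 192.0.2.1 resolving six different addresses
# within one second, plus ordinary traffic from a single host.
SAMPLE = [
    f"16:38:21.{i:06d} ARP, Request who-has 192.0.2.{10 + i} tell 192.0.2.1, length 28"
    for i in range(6)
] + [
    "16:38:21.500000 ARP, Request who-has 192.0.2.1 tell 192.0.2.50, length 46",
    "16:38:21.500100 ARP, Reply 192.0.2.1 is-at 00:00:5e:00:53:01, length 28",
    "16:38:22.000000 ARP, Request who-has 192.0.2.10 tell 192.0.2.1, length 28",
]

if __name__ == "__main__":
    for sender, peak in excessive_senders(SAMPLE).items():
        print(f"{sender}: peak {peak} distinct ARP targets in one second")
```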