nanog mailing list archives

RE: TCP session disconnection caused by Code Red?

From: James Smith <jsmith () PRESIDIO com>
Date: Mon, 6 Aug 2001 16:38:21 -0400

I can see "connection refused" being caused by lack of resources (memory,
not CPU) caused by ARP requests not being resolved and waiting to time out. 

  What happens is that all the outstanding ARP requests use up all available
memory, so no buffers can be allocated for new incoming connections. Send
enough requests fast enough, looking for enough different IP's, memory gets
exhausted.

  Been there, seen it happen, tweaked the WellFleet/Bay/Nortel knob to limit
the amount of space used for ARP resolution, and solved the problem caused
by too many outstanding ARPs. Of course, I could have stuffed in more
memory, but limiting the space used for the process was easier.

James H. Smith II  NNCDS NNCSE
Systems Engineer
The Presidio Corporation


-----Original Message-----
From: George William Herbert [mailto:gherbert () retro com]
Sent: Monday, August 06, 2001 2:57 PM
To: mike harrison; nanog () merit edu
Subject: Re: TCP session disconnection caused by Code Red? 





mike harrison <meuon () highertech net> wrote

Blaz Zupan <blaz () amis net> wrote:

For the last few days, our network seems to be basically unreachable from

the

outside. Most incoming TCP sessions (web requests, incoming mail, telnet
sessions, etc.) often fail with a simple "Connection refused" like nobody

is


Your routers are brain dead from the load.. routers that are used to
handling a few thousand connections are being asked to handle 10's of
thousands. 1 good 1000+ address scan from an ISDN user kills my
Lucent/Ascend TNT unless we filter for it.


I've been told (but not given permission to forward details of
who/how/what) that some major sites with a single router
and relatively flat network topology are dying due to the ARP
request flood that is being generated by Code Red scans on the
inside of their border router choking the router.  Check the
rate of ARP requests coming off your border router and see if
it seems excessive; if so, that may be it.


-george william herbert
gherbert () retro com

Current thread:

Re: TCP session disconnection caused by Code Red?, (continued)
- - - Re: TCP session disconnection caused by Code Red? mike harrison (Aug 06)
    - Re: TCP session disconnection caused by Code Red? Stephen J. Wilcox (Aug 06)
    - Re: TCP session disconnection caused by Code Red? Blaz Zupan (Aug 06)
- Re: TCP session disconnection caused by Code Red? George William Herbert (Aug 06)
  - Re: TCP session disconnection caused by Code Red? Kevin Gannon (Aug 06)
  - Re: TCP session disconnection caused by Code Red? Alex Bligh (Aug 06)
    - Re: TCP session disconnection caused by Code Red? Craig Partridge (Aug 06)
    - Re: TCP session disconnection caused by Code Red? Eric A. Hall (Aug 06)
    - Re: TCP session disconnection caused by Code Red? Daniel Senie (Aug 06)
    - RE: TCP session disconnection caused by Code Red? David Schwartz (Aug 06)
- RE: TCP session disconnection caused by Code Red? James Smith (Aug 06)
  - RE: TCP session disconnection caused by Code Red? Blaz Zupan (Aug 06)
- Re: TCP session disconnection caused by Code Red? Jim Warner (Aug 06)