nanog mailing list archives
Re: TCP session disconnection caused by Code Red?
From: Daniel Senie <dts () senie com>
Date: Mon, 06 Aug 2001 18:37:42 -0400
At 06:14 PM 8/6/01, Eric A. Hall wrote:
Alex Bligh wrote: > 1. RFC826 appears to mandate only positive ARP caching. I can't > see a reason why negative ARP caching shouldn't work this > way: > > Keep only one ARP request in flight at a time. Retry ARPs > a maximum of [5] times, separated by at least [1] second. > After that, cache non-existance of a h/w address for that > IP address for normal positive caching time. The immediate problem with this is that it requires a *MUCH* larger ARP cache. Rather than needing enough memory for a couple of thousand active entries (the current norm for middle-of-the road routers), you need enough room for every possible address on every attached segment. [unsubstantiated conjecture] This may be what's killing the cable networks. If they are making room in the NAS ARP caches for the addresses that are being probed, then they are making room by flushing the "real" ARP entries, resulting in a constant flush/load cycle. [/uc, but exemplary of the problem with negative ARP caching.]
Adding to this conjecture, I'm seeing VERY high ARP rates (arp broadcast packets) arriving via the cable modem in my office. Also seeing a high rate of Code Red type attacks attempted at the machines attached. Firewall is just catching and logging them.
----------------------------------------------------------------- Daniel Senie dts () senie com Amaranth Networks Inc. http://www.amaranth.com
Current thread:
- Re: TCP session disconnection caused by Code Red?, (continued)
- Re: TCP session disconnection caused by Code Red? mike harrison (Aug 06)
- Re: TCP session disconnection caused by Code Red? Blaz Zupan (Aug 06)
- Re: TCP session disconnection caused by Code Red? mike harrison (Aug 06)
- Re: TCP session disconnection caused by Code Red? Stephen J. Wilcox (Aug 06)
- Re: TCP session disconnection caused by Code Red? Blaz Zupan (Aug 06)
- Re: TCP session disconnection caused by Code Red? Blaz Zupan (Aug 06)
- Re: TCP session disconnection caused by Code Red? mike harrison (Aug 06)
- Re: TCP session disconnection caused by Code Red? Kevin Gannon (Aug 06)
- Re: TCP session disconnection caused by Code Red? Alex Bligh (Aug 06)
- Re: TCP session disconnection caused by Code Red? Craig Partridge (Aug 06)
- Re: TCP session disconnection caused by Code Red? Eric A. Hall (Aug 06)
- Re: TCP session disconnection caused by Code Red? Daniel Senie (Aug 06)
- RE: TCP session disconnection caused by Code Red? David Schwartz (Aug 06)
- RE: TCP session disconnection caused by Code Red? Blaz Zupan (Aug 06)