Code Red - Network Impact?
Hi Folks,

Is anyone seeing router impact caused by all the bogus queries sent out by Code Red? Just wondering if there could be some side effects.

Barry

--------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
you're not alone. we've had to put access-lists in place to restrict port 80 traffic to valid machines in order to reduce router cpu utilisation load caused by large volumes of small packets (bogus queries)
-----Original Message-----
From: Barry Raveendran Greene [mailto:bgreene(a)cisco.com]
Sent: Tuesday, 7 August 2001 12:19 AM
To: nznog(a)list.waikato.ac.nz
Cc: petburke(a)cisco.com; rpoll(a)cisco.com
Subject: Code Red - Network Impact?
Importance: High
Hi Folks,
Is anyone seeing router impact caused by all the bogus queries sent out by Code Red? Just wondering if there could be some side effects.
Barry
The information contained in this email message may be confidential. If you are not the intended recipient, any use, distribution, disclosure or copying of this information is prohibited. If you receive this email in error, please tell us by return email and delete it and any attachments from your system.
On Tue, Aug 07, 2001 at 08:18:47AM +1200, Philip Beckmann wrote:

> you're not alone. we've had to put access-lists in place to restrict port 80 traffic to valid machines in order to reduce router cpu utilisation load caused by large volumes of small packets (bogus queries)

Actually, bogus queries aren't that small, almost 4k (3818 bytes in the dumps I have), which is probably larger than what most web servers get on average. Not only that, they are such that they look like:

GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ...
Content-length: 3379
^M
^M
<binary payload>

which probably causes additional cycles to be burnt, as web servers don't generally see requests like that.

--cw
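An added example, not code from this thread or from anyone posting in it: a small Python checker that recognises the request shape Chris describes (GET /default.ida? followed by a long run of X characters, a Content-length header, then a binary body) in raw captured requests, and also flags the more general oddity of a GET that carries a body. The two sample requests inside it are constructed for the example; the "worm" one only copies the shape above with a synthetic 3379-byte body and is not the real payload, and the X-run length and headers it uses are assumptions.

```python
"""Flag Code Red-style HTTP requests in captured traffic.

Added example; this is not code from the NZNOG thread. The request shape
it matches (GET /default.ida? followed by a long run of 'X', a
Content-length header and a binary body) is taken from Chris's description
above. The sample requests below are constructed for this example and are
NOT the worm's real payload; the X-run length and header set are assumed.
"""
import re
from typing import Optional

# Request line the worm sends: path /default.ida, query of many 'X's.
CODERED_REQ_LINE = re.compile(rb"^GET /default\.ida\?X{20,}", re.IGNORECASE)


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into request line, headers and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:  # tolerate bare-LF captures
        head, sep, body = raw.partition(b"\n\n")
    lines = head.replace(b"\r\n", b"\n").split(b"\n")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return {"request_line": lines[0], "headers": headers, "body": body}


def content_length(headers: dict) -> Optional[int]:
    """Return the declared Content-length, or None if absent or malformed."""
    value = headers.get(b"content-length")
    if value is None:
        return None
    try:
        return int(value)
    except ValueError:
        return None


def classify(raw: bytes) -> dict:
    """Describe one request: is it the worm's signature, and how big is it?"""
    req = parse_request(raw)
    declared = content_length(req["headers"])
    method = req["request_line"].split(b" ", 1)[0].upper()
    return {
        "codered": CODERED_REQ_LINE.match(req["request_line"]) is not None,
        # A GET carrying a body at all is unusual and worth logging on its own.
        "get_with_body": method == b"GET"
        and ((declared or 0) > 0 or len(req["body"]) > 0),
        "content_length": declared,
        "body_bytes": len(req["body"]),
        "total_bytes": len(raw),
        # Truncated capture, or a body longer than declared: note either.
        "length_mismatch": declared is not None and declared != len(req["body"]),
    }


# Constructed sample in the shape Chris described, with a synthetic
# 3379-byte body (bytes(range(256)) * 13 plus 51 filler bytes). Not the worm.
CODERED_SAMPLE = (
    b"GET /default.ida?" + b"X" * 224 + b" HTTP/1.0\r\n"
    b"Content-length: 3379\r\n"
    b"\r\n" + bytes(range(256)) * 13 + b"\x90" * 51
)

# Constructed ordinary request for comparison.
BENIGN_SAMPLE = b"GET /index.html HTTP/1.0\r\nHost: www.example.net\r\n\r\n"


if __name__ == "__main__":
    for name, sample in (("worm-shaped", CODERED_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, classify(sample))
```

Feed it the reassembled request bytes from a capture rather than single packets: the request line and the body usually arrive in different segments, and the Content-length/body comparison is what tells a truncated capture from a full delivery.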
fair enough, but through our netflow collector we find there is a large number of packets of 144 bytes (approx. 40,000 every 10 minutes), most of which our access-lists are dropping. We recall reading somewhere (but can't find it now to verify) that these packets were the initial probe sent prior to sending the "GET /default.ida?" query.
-----Original Message-----
From: Chris Wedgwood [mailto:cw(a)f00f.org]
Sent: Tuesday, 7 August 2001 10:51 AM
To: Philip Beckmann
Cc: Barry Raveendran Greene; nznog(a)list.waikato.ac.nz; petburke(a)cisco.com; rpoll(a)cisco.com
Subject: Re: Code Red - Network Impact?
On Tue, Aug 07, 2001 at 08:18:47AM +1200, Philip Beckmann wrote:
you're not alone. we've had to put access-lists in place to restrict port 80 traffic to valid machines in order to reduce router cpu utilisation load caused by large volumes of small packets (bogus queries)
Actually, bogus queries aren't that small, almost 4k (3818 bytes in the dumps I have), which is probably larger than what most web servers get on average. Not only that, they are such that they look like:
GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ...
Content-length: 3379
^M
^M
<binary payload>
which probably causes additional cycles to be burnt, as web servers don't generally see requests like that.
--cw
On Tue, Aug 07, 2001 at 11:13:15AM +1200, Philip Beckmann wrote:

> fair enough, but through our netflow collector we find there is a large number of packets of 144 bytes (approx. 40,000 every 10 minutes), most of which our access-lists are dropping. We recall reading somewhere (but can't find it now to verify) that these packets were the initial probe sent prior to sending the "GET /default.ida?" query.

are you able to get a dump of these packets at all?

oh, and are your ACLs logging too? this can make things _very_ expensive. (in fact, if you know people using logging for ACLs, you can trivially DoS almost any cisco)

--cw
no, wouldn't know how to get a dump of them. yes, we're logging the ACL, and yes, it uses some cpu, but the cpu can afford it for now because the ACL has reduced cpu utilisation from 100% to approx. 30%.
-----Original Message-----
From: Chris Wedgwood [mailto:cw(a)f00f.org]
Sent: Tuesday, 7 August 2001 11:27 AM
To: Philip Beckmann
Cc: Barry Raveendran Greene; nznog(a)list.waikato.ac.nz; petburke(a)cisco.com; rpoll(a)cisco.com
Subject: Re: Code Red - Network Impact?
On Tue, Aug 07, 2001 at 11:13:15AM +1200, Philip Beckmann wrote:
fair enough, but through our netflow collector we find there is a large number of packets of 144 bytes (approx. 40,000 every 10 minutes), most of which our access-lists are dropping. We recall reading somewhere (but can't find it now to verify) that these packets were the initial probe sent prior to sending the "GET /default.ida?" query.
are you able to get a dump of these packets at all?

oh, and are your ACLs logging too? this can make things _very_ expensive. (in fact, if you know people using logging for ACLs, you can trivially DoS almost any cisco)
--cw
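An added example covering the two operational points in this thread, Philip's netflow triage of the 144-byte packets and the access-list that restricts port 80 to the valid machines, with Chris's warning about ACL logging built in. This is not code from the thread or from anyone's router: the flow records are constructed (NetFlow-style src, dst, protocol, dst port, packets, bytes) using documentation address ranges, VALID_WEB_SERVERS is an assumed list of the hosts that really serve HTTP, and the interface name is assumed. The ACL lines it produces are plain Cisco IOS extended-ACL syntax.

```python
"""Triage port-80 flow records and emit a restrictive access-list.

Added example; this is not code from the NZNOG thread or anyone's router.
The flow records below are constructed (NetFlow-style fields: src, dst,
protocol, dst port, packets, bytes) using documentation address ranges,
VALID_WEB_SERVERS is an assumed list of the hosts that are really meant to
serve HTTP, and the interface name is assumed. The ACL lines are plain
Cisco IOS extended-ACL syntax.
"""
from collections import Counter
import ipaddress

# Constructed flow export for one 10-minute window. The 200 single-packet
# 144-byte flows mimic the probe traffic Philip reported; the others are a
# normal client session, one flow large enough to have carried the whole
# GET /default.ida? request, and a DNS query that port-80 triage must ignore.
FLOWS = (
    [(f"198.51.100.{s}", f"192.0.2.{d}", 6, 80, 1, 144)
     for s in range(1, 6) for d in range(1, 41)]
    + [
        ("203.0.113.7", "192.0.2.10", 6, 80, 45, 2700),
        ("198.51.100.2", "192.0.2.10", 6, 80, 7, 4100),
        ("203.0.113.7", "192.0.2.53", 17, 53, 1, 78),
    ]
)

# Assumed: the only hosts that should be reachable on port 80 from outside.
VALID_WEB_SERVERS = ["192.0.2.10", "192.0.2.20"]


def avg_packet_size(flow) -> int:
    """Average bytes per packet of one flow record (integer division)."""
    _, _, _, _, packets, nbytes = flow
    return nbytes // packets


def packet_size_histogram(flows, dport=80) -> Counter:
    """Packets per average-packet-size bucket, for TCP flows to dport."""
    hist = Counter()
    for flow in flows:
        _, _, proto, port, packets, _ = flow
        if proto == 6 and port == dport:
            hist[avg_packet_size(flow)] += packets
    return hist


def top_sources(flows, size, n=5, dport=80):
    """Sources sending the most packets of a given average size to dport."""
    counts = Counter()
    for flow in flows:
        src, _, proto, port, packets, _ = flow
        if proto == 6 and port == dport and avg_packet_size(flow) == size:
            counts[src] += packets
    return counts.most_common(n)


def unexpected_web_targets(flows, valid, dport=80):
    """Destinations seeing port-80 traffic that are not known web servers."""
    valid = {ipaddress.ip_address(v) for v in valid}
    return sorted(
        {ipaddress.ip_address(dst) for _, dst, proto, port, _, _ in flows
         if proto == 6 and port == dport
         and ipaddress.ip_address(dst) not in valid}
    )


def build_acl(number, valid_web_servers, log_denies=False):
    """Extended ACL: port 80 only to the listed servers, all else untouched.

    The deny line omits 'log' unless asked for: logging sends matching
    packets to the route processor to generate syslog messages, which is
    the CPU cost Chris warns about above.
    """
    lines = [
        f"access-list {number} permit tcp any host {ipaddress.ip_address(h)} eq www"
        for h in valid_web_servers
    ]
    deny = f"access-list {number} deny tcp any any eq www"
    lines.append(deny + " log" if log_denies else deny)
    lines.append(f"access-list {number} permit ip any any")
    return lines


def apply_inbound(interface, number):
    """IOS lines applying the list inbound on the upstream interface."""
    return [f"interface {interface}", f" ip access-group {number} in"]


if __name__ == "__main__":
    hist = packet_size_histogram(FLOWS)
    print("packets to port 80 by average size:", dict(hist))
    print("top senders of 144-byte packets:", top_sources(FLOWS, 144))
    print("hosts hit on port 80 that are not web servers:",
          len(unexpected_web_targets(FLOWS, VALID_WEB_SERVERS)))
    print("\n".join(build_acl(110, VALID_WEB_SERVERS)))
    print("\n".join(apply_inbound("Serial0/0", 110)))  # interface name assumed
```

Order matters in the generated list: IOS evaluates entries top-down and stops at the first match, so the per-server permits must precede the blanket deny for port 80, and the final permit ip any any keeps everything that is not HTTP flowing. If you do want counts of what is being dropped, show access-lists gives per-entry hit counters without the cost of the log keyword.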
participants (3)
- Barry Raveendran Greene
- Chris Wedgwood
- Philip Beckmann