North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: Code Red
Here at Merit we are seeing large numbers of Code Red infected hosts. These hosts may be on our regional network MichNet or they may be elsewhere out on the greater Internet. It is the port scanning of random IP address that causes problems, because the scanning in turn is causing network problems due to heavy ARP loads when the local site routers ARP for what turn out to be unused IP addresses. This is an issue when there are large blocks of IP addresses behind a router. It is less of a problem when there is a relatively small number of IP addresses behind a router (say one class C worth). Are others seeing these sorts of problems? What strategies are there for dealing with this?
What we've come up with so far is blocking inbound (inbound to the site) port 80 traffic on the LAN interface of the local site router (so outbound over the LAN interface). This prevents the ARP problems. It also gives us some indication of which systems are infected. It has serious undesirable side effects (preventing legitimate Web access) and so we also have to reenable inbound port 80 access for specific IP addresses that we know are Web servers or otherwise not vulnerable to Code Red. None of this solves the problem in any real sense. It just keeps performance reasonable and buys us time to work on or get others folks to work on real solutions. To solve the Code Red problem seems to require patching the vulnerable hosts or taking the vulnerable or infected hosts offline.
How long is it going to take to get every Windows NT, Windows 2000, and Windows XP system patched? We may be at this for a long time. I am not looking forward to this.
Any ideas for other approaches to the problem?