The Cisco routers affected all have unpatched IIS running on them. The 600 series DSL routers are affected by an unrelated vulnerability. Basically, from what I understand of the problem, the traffic generated from the port scans on 80 fills up the router's memory (various ways of doing that, qv. http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml) and at that point the router stops forwarding packets. At least that's what I get out of it.

> -----Original Message-----
> From: Jonathan Hutchins [mailto:hutchins@opus1.com]
> Sent: Wednesday, August 08, 2001 4:10 PM
> To: kclug@kclug.org
> Subject: Re: Code Red (II) Question
>
> ----- Original Message -----
> From: "Don Erickson"
>
> > Does anyone have a grasp as to how this virus could be taking down routers
> > or dsl modems? Certainly the modem cannot act as a host, and the
> > bandwidth utilized by the scans is trivial...
>
> I would guess that there is a vulnerability that "looks like" the IE hole to
> the virus, which either overflows something or lodges unworkable code
> somewhere.
>
> People are making noise like the volume of scans is significant, due to the
> number of distributed sources for the scans. The DOS phase attempts to take
> out a specific host (ie whitehouse.gov), but the contagion phase is
> apparently causing bandwidth problems.