Network Question

Andrew Brink abrink at ns.brink.cx
Mon Aug 6 17:32:34 CDT 2001 

Yeah, this is a side effect of the new stand of code red.
And yeah, I think the routers should be able to do something about it.

On Mon, Aug 06, 2001 at 12:14:35PM -0500, Mike Coleman wrote:
> Baker <baker at cyborgworkshop.com> writes:
> > You could do that, but I will tell you right now what you are seeing. Lots
> > and Lots of connections to port 80.   I have had over 1000 different hosts
> > hit my cable modem in the past 48 hours according to my firewall.  This
> > probes are now using up more traffic then my normal web surfing does.
> 
> I'm seeing a lot of traffic on my RR cable as well.  I'm getting hits from
> code red, but not a huge number of them (one every few minutes).
> 
> 12:07:18.039529 arp who-has mkc-65-26-104-152.kc.rr.com tell mkc-65-26-104-1.kc.rr.com
> 12:07:18.214158 arp who-has mkc-65-26-104-30.kc.rr.com tell mkc-65-26-104-1.kc.rr.com
> 12:07:18.353074 arp who-has mkc-65-26-104-248.kc.rr.com tell mkc-65-26-104-1.kc.rr.com
> 12:07:18.551524 arp who-has mkc-65-26-104-24.kc.rr.com tell mkc-65-26-104-1.kc.rr.com
> 12:07:18.567719 arp who-has mkc-31-236-26.kc.rr.com tell mkc-31-236-1.kc.rr.com
> 12:07:18.655798 arp who-has mkc-65-26-104-23.kc.rr.com tell mkc-65-26-104-1.kc.rr.com
> 12:07:19.233262 arp who-has mkc-31-237-210.kc.rr.com tell mkc-31-236-1.kc.rr.com
> 12:07:19.585490 arp who-has mkc-31-236-136.kc.rr.com tell mkc-31-236-1.kc.rr.com
> 12:07:19.589454 arp who-has mkc-31-236-205.kc.rr.com tell mkc-31-236-1.kc.rr.com
> 12:07:19.714155 arp who-has mkc-65-26-104-143.kc.rr.com tell mkc-65-26-104-1.kc.rr.com
> 12:07:19.748413 arp who-has mkc-65-26-104-21.kc.rr.com tell mkc-65-26-104-1.kc.rr.com
> 12:07:19.832941 arp who-has mkc-31-237-70.kc.rr.com tell mkc-31-236-1.kc.rr.com
> 12:07:19.924151 arp who-has mkc-31-237-225.kc.rr.com tell mkc-31-236-1.kc.rr.com
> 
> (For the names with four numbers, the four numbers are the IP address.  For
> the names with three numbers, that's the address on 24.* net, I believe.  I'm
> currently 'mkc-65-26-104-73.kc.rr.com'.)
> 
> So maybe comcast is having similar arp storms?  I'm tempted to blame this on
> code red, but I'm not sure.  Shouldn't the routers prevent these arp requests
> from being (apparently) spread so widely over RR's net?
> 
> -- 
> Mike Coleman, mkc at mathdogs.com
> http://www.mathdogs.com
> problem solving, expert software development
> 
>

More information about the Kclug mailing list