Code Red -> Router Memory depletion?

Mailman List Mirror (Read Only)
1

We've seen two routers experiencing problems this AM that appear to be
related to client swervers infected with the IIS Code Red virus. I say
appear because of the timing with cpu profiles on downstream routers
where infections broke out, but I don't have any direct evidence.

The first one was a border router:

Jul 19 08:00:47 5093: 2w5d: %SYS-2-MALLOCFAIL: Memory allocation of
65540 bytes failed from 0x603BF35C, pool Processor, alignment 0
Jul 19 08:00:47 5094: -Process= "BGP Router", ipl= 0, pid= 86

# sh ver
uptime is 4 hours, 46 minutes
System returned to ROM by bus error at PC 0x603BFCFC, address 0xFFFFFFF0
at 05:57:21 UTC Thu Jul 19 2001

The other one is a client aggregation router

Jul 19 12:02:49 192: %SYS-2-MALLOCFAIL: Memory allocation of 1964 bytes
failed from 0x314DA4A, pool Processor, alignment 0
Jul 19 12:02:49 193: -Process= "OSPF Router", ipl= 0, pid= 32

(This router is still functioning, but not allowing any incoming
connections on telnet).

-Mike

2

On Thu, Jul 19, 2001 at 01:00:24PM -0600, Mike Lewinski exclaimed:

We've seen two routers experiencing problems this AM that appear to be
related to client swervers infected with the IIS Code Red virus. I say
appear because of the timing with cpu profiles on downstream routers
where infections broke out, but I don't have any direct evidence.

http://www.securityfocus.com/archive/1/198006

This may or may not be related to the problem you are experiencing, but I
figured it was worth mentioning for those that haven't gotten around to
skimming BUGTRAQ today.

3

On Thu, Jul 19, 2001 at 12:37:37PM -0700, Scott Francis exclaimed:

http://www.securityfocus.com/archive/1/198006

This may or may not be related to the problem you are experiencing, but I
figured it was worth mentioning for those that haven't gotten around to
skimming BUGTRAQ today.

doh ... just read mike's cross-post on BUGTRAQ. never mind me then. I can
only cover lists in sequential order ... :slight_smile:

4

We saw nearly the same thing at about 1pm today. Definately "Code
Red" related. We're seeing over a thousand pps of "Code Red" scanning
traffic. Joy Joy

5

Almost a year ago I started graphing memory utilization on our core
routers. The resulting graphs were so boring to look at (flatlined) that
I forgot about them until today...

A sample 3640 running OSPF but no BGP:
http://www.rockynet.com/memory/

The general trends on the above graph look pretty similar at our borders
also. Graphs that have been flatlined for the last 11 months are
suddenly getting interesting.

Mike

6

Hi,

Anyone have the number to the NOC/NCC for Hostcentric?

tia

-- amar

Telia Net