Re: [nsp] TCP connections randomly reset

From: Blaz Zupan (blaz@gold.amis.net)
Date: Mon Aug 06 2001 - 13:44:55 EDT


Update concerning my problems. The trouble seems to be caused by Code Red.
Yes, Code Red.

I have applied the following access list on our internet connection:

access-list 170 deny tcp any any rst
access-list 170 permit ip any any

Looking at the counters, about 20% of our incomming packets are currently TCP
RST packets. Normally this should be more like 1%. After applying this access
list, all incoming TCP connections seem to work just fine.

Most of the RST packets are destined for port 80 on unused IP addresses, so I
guess this is Code Red infected machines scanning our network for possible
victims. Why this causes hearburn for our Cisco is yet to be determined.

I have reported this to psirt@cisco.com.

Blaz Zupan, Medinet d.o.o, Trzaska 85, SI-2000 Maribor, Slovenia
E-mail: blaz@amis.net, Tel: +386-2-320-6320, Fax: +386-2-320-6325



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:48 EDT