tanstaafl: "As long as we are off topic... here's another. [...]. Our chief engineer then goes up and reboots something (can you reboot a router?) and everything is fine again for a few minutes and then it starts slowing down again. This cycle takes about an hour, perhaps two hours to run. He thought it was a bad router, replaced it, problem still remains. Any ideas?"

Doug,

I read some of the follow-ons. Interesting puzzle. Sounds like it will take more diagnostic work. If the Cisco 2600 is the first thing with an IP address that packets hit (from your ISP), then the cable "modem" is set in bridging mode and it seems unlikely that it would have much to do with this. The fact that rebooting the router temporarily improves the situation (have you measured this empirically?) supports that thought as well. Some Cisco products have been affected by Code Red, but most are IIS-based software and the one notable hardware product that I am aware of is the 600-series web-manageable SOHO routers. No mention of problems with 26xx-series by Cisco, and I wasn't aware that they include HTTPD function, but, if so, you should be able (like with the 600s) to turn it off at the command line (or move it to a higher, non-standard port). From what I read (I have a Cisco 675 here, so I care) Code Red overflow disables 600s -- kills 'em dead -- and I can't tell from Cisco docs whether this happens gradually or immediately.

Back to the router... no reason why this should be so, but the gradual degradation of performance smells of a router with insufficient memory that is accruing an overwhelmingly large route table over time (or some other cache that I can't really imagine) that is taxing the CPU/router. There are *so* many 25xx/26xx routers in service as corporate boundary routers out there that I'd be surprised if there were a specific Code Red vulnerability with those products that hasn't been documented.

Code Red includes a randomizer that will attempt connections to a long, unpredictable list of IP addresses. This makes me wonder if Code Red is reaching something "inside" your Cisco boundary that is generating traffic, loading the router (perhaps loading route table/cache, though that still seems like a bit of voodoo), or perhaps hitting the BRB (Big Red Button -- I know it's really a small, black button on the 2600) on the Cisco doesn't really do anything to clear the Cisco, but simply interrupts loading connections from inside your network (until they accumulate again and overwhelm the Cisco).

Pretty gross speculation. It does sound like time to find a sniffer and see what's connecting to what. If the Cisco is your only line of defense (are you running routable "public" IP addresses on your internal hosts or is the 2600 configured for Network Address Translation?), seems like after you take a look with a sniffer and map your network/connection, that someone at minimum would want to build some access control lists on the Cisco.

Interested to hear what develops.

Jim

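As an added example (not part of the original post): one way to read a sniffer capture for the pattern the reply speculates about, an inside host attempting web connections to many different outside addresses. It assumes `tcpdump -nn` text output and an inside prefix of 192.168.1.0/24; the sample lines are constructed and the function names are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict


def _syn(src, dst, i):
    """Build one constructed tcpdump-style line for a SYN from src to dst port 80."""
    return (f"12:00:{i:02d}.000000 IP {src}.{1024 + i} > {dst}.80: "
            f"Flags [S], seq {i}, win 8192, length 0")


# Constructed sample, not captured from any real network:
# .20 tries eight different outside addresses, .10 browses one site twice,
# and one SYN-ACK reply comes back from outside.
SAMPLE = "\n".join(
    [_syn("192.168.1.20", f"198.51.100.{n}", n) for n in range(1, 9)]
    + [_syn("192.168.1.10", "203.0.113.5", 20), _syn("192.168.1.10", "203.0.113.5", 21)]
    + ["12:00:30.000000 IP 203.0.113.5.80 > 192.168.1.10.1044: "
       "Flags [S.], seq 1, ack 21, win 8192, length 0"]
)

LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)


def fanout(capture_text, inside="192.168.1.0/24", port=80):
    """Map each inside host to the set of outside IPs it sent a bare SYN to on `port`."""
    net = ipaddress.ip_network(inside)
    seen = defaultdict(set)
    for line in capture_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a TCP line in the expected format
        src, _sport, dst, dport, flags = m.groups()
        if flags != "S" or int(dport) != port:
            continue  # keep only connection attempts (SYN without ACK) to the web port
        if ipaddress.ip_address(src) in net and ipaddress.ip_address(dst) not in net:
            seen[src].add(dst)
    return seen


def suspects(capture_text, threshold=5, **kw):
    """Inside hosts that reached at least `threshold` distinct destinations, busiest first."""
    counts = {host: len(dsts) for host, dsts in fanout(capture_text, **kw).items()}
    return sorted(((h, n) for h, n in counts.items() if n >= threshold),
                  key=lambda item: -item[1])


if __name__ == "__main__":
    for host, n in suspects(SAMPLE):
        print(f"{host} attempted port-80 connections to {n} distinct outside addresses")
```

A host that shows up here is a candidate for the access control lists suggested above; the threshold of 5 is arbitrary and should be tuned against normal browsing on the network in question.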