Synergy: "I had forgotten completely about that... The ARP table. Chances are, your 2600 doesn't have a memory upgrade, so it's very likely that the arp table is filling up, causing the router to go into brainlock trying to deal with them all... That would explain why the system progressively gets worse after a reboot."

I wondered about that -- ARP cache growth -- but couldn't see why it would overwhelm even an anemic 2600 unless Code Red was generating a broadcast in its random scan (maybe it is) or unless @HOME is supernetted such that it has huge numbers of hosts on each customer net (that may be the case for all I know).

Anyhow, I looked again and found CIAC/Cisco advisories that smell very much like what Doug describes. The CIAC advisory:

"The nature of the "Code Red" worm's scan of random IP addresses and the resulting sharp increase in network traffic can noticeably affect Cisco routers running Cisco IOS software, depending on the device, its current configuration, and the topology of the network. Unusually high CPU utilization and memory starvation may occur, and it can be mitigated in many cases simply by refining the configuration. Troubleshooting and configuration recommendations are available at this location: http://www.cisco.com/warp/public/63/ts_codred_worm.shtml"

"high CPU utilization and memory starvation" -- perfect. Still, I said: ARP? Broadcasts? So I looked at that Cisco URL. In fact, one explanation is along the lines of:

"Reducing ARP Input Memory Usage...
A huge memory usage in ARP Input occurs when there is a static route pointing to a broadcast interface, such as the following: ip route 0.0.0.0 0.0.0.0 Vlan3

Every packet for the default route will be sent to the VLAN3, but since there is no next hop IP address specified, the router will send an ARP request for the destination IP address, and the next hop router for that destination will reply with its own MAC address, unless proxy ARP is disabled. This creates an additional entry in the ARP table where the destination IP address of the packet will be mapped to the next-hop MAC address. Since the "Code Red" worm sends packets to random IP addresses, this adds a new ARP entry for each random destination address and consumes more and more memory under the ARP Input process."

Behaviorally, this maps pretty well to what Doug describes, but I'm just not sure why an admin on an average network would map a static route to broadcast as described. Anyhow, the tech note on that URL lists a whole host of other things that his network person should check out, including a bug in an earlier revision of 26xx NAT code.

As above. See below. Will follow with interest. *

Jim

* The shortest possible chart entry that'll qualify a consulting doc to collect their fee! (Not fashioning myself a consulting specialist, but I just love that line!)

_________________________
Jim


'Tis the exceptional fellow who lies awake at night thinking of his successes.
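
An added example, not part of the post above or of the Cisco tech note it quotes: a small Python audit that scans an IOS configuration for the pattern the note describes, a static route that names a broadcast interface with no next-hop IP address. The function name, the list of interface prefixes treated as broadcast media, and the sample configuration are assumptions made for illustration.

```python
import ipaddress
import re

# Assumption: interface-name prefixes treated as broadcast (ARP-using) media.
BROADCAST_PREFIXES = ("ethernet", "fastethernet", "gigabitethernet", "vlan")
ROUTE_RE = re.compile(r"^\s*ip route\s+(?:vrf\s+\S+\s+)?(\S+)\s+(\S+)\s+(\S.*)$", re.I)


def is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def find_arp_prone_routes(config_text):
    """Flag static routes that point at a broadcast interface with no next-hop IP."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        m = ROUTE_RE.match(line)
        if not m:
            continue
        prefix, mask, rest = m.groups()
        tokens = rest.split()
        if is_ipv4(tokens[0]):
            continue  # next hop given as an address: ARP resolves that one hop only
        iface = tokens.pop(0)
        if iface.isalpha() and tokens and tokens[0][0].isdigit() and not is_ipv4(tokens[0]):
            iface += tokens.pop(0)  # "FastEthernet 0/1" written with a space
        if not iface.lower().startswith(BROADCAST_PREFIXES):
            continue  # Serial, Null, Tunnel, ...: no per-destination ARP
        if tokens and is_ipv4(tokens[0]):
            continue  # interface plus next-hop address
        net = ipaddress.IPv4Network(f"{prefix}/{mask}")
        findings.append((line_no, str(net), iface))
    return findings


# Constructed sample configuration, not taken from the thread.
SAMPLE_CONFIG = """\
interface Vlan3
 ip address 192.0.2.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 Vlan3
ip route 10.1.0.0 255.255.0.0 192.0.2.1
ip route 10.2.0.0 255.255.0.0 FastEthernet0/0 192.0.2.1
ip route 10.3.0.0 255.255.0.0 Serial0/0
ip route 10.4.0.0 255.255.0.0 FastEthernet 0/1 200
"""

if __name__ == "__main__":
    for line_no, net, iface in find_arp_prone_routes(SAMPLE_CONFIG):
        print(f"line {line_no}: {net} via {iface} has no next-hop address")
```

A flagged route is one where every distinct destination can create its own ARP entry, which is the memory growth the quoted note attributes to random-address scanning.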