Re: Peak Activity of Red Worm?

From: Ryan Russell (ryanat_private)
Date: Mon Jul 23 2001 - 13:11:24 PDT

  • Next message: Greg Owen: "GET x HTTP/1.0"

    On Mon, 23 Jul 2001, Tim Brown wrote:
    
    > Anyone have an idea on when the peak of activity for Red Worm occurred?
    
    The worm changed modes on 7/19 17:00 PDT, 7/19 20:00 EDT.  It changed from
    spreading mode (what I would expect to cause a load balancer trouble) to
    attack Whitehouse mode (which shouldn't cause extra ARP entries, AFAIK.)
    
    I'm a bit puzzled why this should affect the ARP tables anyway... as those
    would normally only be for your LAN nodes.  Unless you've got proxy ARP
    turned on for the entire Internent or something... which model of load
    balancer?
    
    				Ryan
    
    > We lost a load balancer last Friday (7/20) at 1300 (EDT) due to
    > exceeding the max size of the arp table.  Just trying to figure out if
    > it could be associated in any way.
    >
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Mon Jul 23 2001 - 21:27:11 PDT