Re: Peak Activity of Red Worm?

[Ryan Russell <ryan () securityfocus com>]

On Mon, 23 Jul 2001, Tim Brown wrote:

> Anyone have an idea on when the peak of activity for Red Worm occurred?

The worm changed modes on 7/19 17:00 PDT, 7/19 20:00 EDT.  It changed from
spreading mode (what I would expect to cause a load balancer trouble) to
attack Whitehouse mode (which shouldn't cause extra ARP entries, AFAIK.)

I'm a bit puzzled why this should affect the ARP tables anyway... as those
would normally only be for your LAN nodes.  Unless you've got proxy ARP
turned on for the entire Internent or something... which model of load
balancer?

                                Ryan

> We lost a load balancer last Friday (7/20) at 1300 (EDT) due to
> exceeding the max size of the arp table.  Just trying to figure out if
> it could be associated in any way.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com