DoS activity: Rapid IP spoofing and TCP port 5999 dest?

Clarke Morledge chmorl at wm.edu
Wed Oct 29 01:32:25 GMT 2003


We experienced a really weird Denial of Service attack today. 

Four systems across our campus at the same time (between 1:00 and 1:30 PM
EST) started to send tons of TCP SYN packets to a single IP destination
address.  However, all of the sources were spoofed IPs belonging to
networks different from ours.  We were seeing packets being generated at
about 7000 per second.  The generation of the spoofed IPs appeared to be
random.

In this particular case, the destination IP was 69.50.166.41, and most of
the traffic was directed towards TCP 5999.  But we did see some traffic
going towards a variety of other high number ports, notably 6667,
presumably an IRC channel?

Unfortunately, this created a DoS on our flow-based routers since the CPU
overhead required to keep up with creating new flows (and tearing down old
ones) effectively wiped out our routers. 

We blocked the destination IP at our campus edge from sending any packets
in, and we had to apply anti-spoofing measures at each of our interior
routed interfaces to minimize the DoS (we normally only employ
anti-spoofing measures at the campus edge).  We knocked the systems off of
the net, but we are still chasing down the machines to get a look at what
is on them.

Then a few hours later, we noticed another DoS attack in the same style.
However, a different destination IP was involved with different locally
infected systems.  Same destination port range, same IP spoofing, etc.  
Unfortunately, the attack only lasted a few minutes before it disappeared.

We have not been able to identify the trigger for the DoS.  Any insight
from others would be greatly appreciated.  I cannot figure out if the
DoS we saw was simply an end in and of itself, or if it was meant to be
a cloak for something else.

I have included a sample tcpdump output involving one infected system
below.


Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187
757-221-1536
chmorl at wm.edu


----------------------------------------------------------------------

15:43:49.861912 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 219.188.116.173.1240 > 69.50.166.41.5999: S 783810560:783810560(0) win 16384
15:43:49.861949 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 179.50.146.111.1862 > 69.50.166.41.6667: S 803864576:803864576(0) win 16384
15:43:49.862004 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 179.164.18.3.1990 > 69.50.166.41.5999: S 1158348800:1158348800(0) win 16384
15:43:49.862058 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 241.253.233.86.1999 > 69.50.166.41.7955: S 721027072:721027072(0) win 16384
15:43:49.862167 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 29.116.248.238.1822 > 69.50.166.41.6283: S 1406926848:1406926848(0) win 16384
15:43:49.862170 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 188.168.132.76.1027 > 69.50.166.41.5999: S 1788280832:1788280832(0) win 16384
15:43:49.862276 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 47.186.163.58.1199 > 69.50.166.41.6667: S 1542848512:1542848512(0) win 16384
15:43:49.862284 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 114.40.118.84.1914 > 69.50.166.41.5999: S 1717698560:1717698560(0) win 16384
15:43:49.862387 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 190.87.44.124.1725 > 69.50.166.41.8383: S 1784217600:1784217600(0) win 16384
15:43:49.862391 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 12.239.211.207.1004 > 69.50.166.41.2989: S 1817378816:1817378816(0) win 16384
15:43:49.862442 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 38.228.236.123.1045 > 69.50.166.41.5999: S 1818361856:1818361856(0) win 16384
15:43:49.862500 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 157.95.216.150.1899 > 69.50.166.41.6667: S 734199808:734199808(0) win 16384
15:43:49.862550 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 173.236.28.111.1427 > 69.50.166.41.5999: S 2047672320:2047672320(0) win 16384
15:43:49.862605 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 173.226.162.197.1072 > 69.50.166.41.8918: S 307560448:307560448(0) win 16384
15:43:49.862669 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 21.196.228.91.1055 > 69.50.166.41.4614: S 561250304:561250304(0) win 16384
15:43:49.862723 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 238.127.176.224.1032 > 69.50.166.41.5999: S 934739968:934739968(0) win 16384
15:43:49.862777 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 57.36.75.35.1502 > 69.50.166.41.6667: S 1140391936:1140391936(0) win 16384
15:43:49.862830 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 181.240.254.57.1234 > 69.50.166.41.5999: S 720502784:720502784(0) win 16384
15:43:49.862885 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 208.230.198.187.1174 > 69.50.166.41.2843: S 913965056:913965056(0) win 16384
15:43:49.862937 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 209.201.54.0.1160 > 69.50.166.41.2501: S 575930368:575930368(0) win 16384
15:43:49.863013 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 242.165.72.64.1031 > 69.50.166.41.5999: S 880148480:880148480(0) win 16384
15:43:49.863051 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 17.150.170.126.1909 > 69.50.166.41.6667: S 1183514624:1183514624(0) win 16384
15:43:49.863102 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 17.234.157.120.1970 > 69.50.166.41.5999: S 1259732992:1259732992(0) win 16384
15:43:49.863155 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 143.22.162.152.1212 > 69.50.166.41.5757: S 1695023104:1695023104(0) win 16384
15:43:49.863207 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 166.30.197.105.1819 > 69.50.166.41.8691: S 364511232:364511232(0) win 16384
15:43:49.863261 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 33.58.93.205.1451 > 69.50.166.41.5999: S 83427328:83427328(0) win 16384
15:43:49.865017 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 51.28.238.149.1590 > 69.50.166.41.6667: S 740163584:740163584(0) win 16384
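The post describes the two signals a network operator would want to alarm on from a capture taken on an interior routed interface: SYN packets leaving a subnet with source addresses that do not belong to the campus (spoofing that interior anti-spoofing filters would drop), arriving at a high rate with almost every packet carrying a different source. The script below is an added example, not code from the original post or from the College of William and Mary; it parses tcpdump lines in the exact format shown above and applies those checks. The campus prefix (10.0.0.0/8), the thresholds, and the one extra "legitimate" packet from a local source are constructed assumptions and placeholders, not values from the post.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the first eight packets from the post's tcpdump output
# (unwrapped onto one line each) plus one constructed packet from a source inside
# the assumed campus prefix, to show what is NOT flagged.
SAMPLE_LINES = [
    "15:43:49.861912 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 219.188.116.173.1240 > 69.50.166.41.5999: S 783810560:783810560(0) win 16384",
    "15:43:49.861949 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 179.50.146.111.1862 > 69.50.166.41.6667: S 803864576:803864576(0) win 16384",
    "15:43:49.862004 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 179.164.18.3.1990 > 69.50.166.41.5999: S 1158348800:1158348800(0) win 16384",
    "15:43:49.862058 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 241.253.233.86.1999 > 69.50.166.41.7955: S 721027072:721027072(0) win 16384",
    "15:43:49.862167 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 29.116.248.238.1822 > 69.50.166.41.6283: S 1406926848:1406926848(0) win 16384",
    "15:43:49.862170 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 188.168.132.76.1027 > 69.50.166.41.5999: S 1788280832:1788280832(0) win 16384",
    "15:43:49.862276 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 47.186.163.58.1199 > 69.50.166.41.6667: S 1542848512:1542848512(0) win 16384",
    "15:43:49.862284 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 114.40.118.84.1914 > 69.50.166.41.5999: S 1717698560:1717698560(0) win 16384",
    # Constructed: a SYN from an address inside the assumed campus prefix.
    "15:43:49.862300 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 10.20.30.40.3456 > 69.50.166.41.80: S 123456789:123456789(0) win 16384",
]

# Assumption/placeholder: the prefixes legitimately assigned to the campus.
# Replace with the real allocation (per-interface subnets give tighter checks).
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Matches the old-style tcpdump -e output used in the post:
# "<ts> <srcmac> <dstmac> 0800 <len>: <src>.<sport> > <dst>.<dport>: <flags> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<smac>[0-9a-f:]+)\s+(?P<dmac>[0-9a-f:]+)"
    r"\s+0800\s+\d+:\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flags>[A-Z.]+)\s"
)


def parse_tcpdump_line(line):
    """Return a dict of the fields we need, or None if the line is not a TCP packet line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": m["ts"],
        "src": ipaddress.ip_address(m["src"]),
        "sport": int(m["sport"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
        "flags": m["flags"],
    }


def is_local(addr, nets):
    return any(addr in n for n in nets)


def _seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def analyze_capture(lines, local_nets, min_pps=1000, min_unique_ratio=0.9):
    """Flag an outbound spoofed SYN flood: non-local sources, high rate, near-unique sources.

    Thresholds are constructed assumptions; tune them to the link being watched.
    """
    pkts = [p for p in map(parse_tcpdump_line, lines) if p]
    syns = [p for p in pkts if p["flags"] == "S"]
    # On an interior interface, any packet whose source is not ours is spoofed
    # and is exactly what ingress/anti-spoofing filters on that interface would drop.
    spoofed = [p for p in syns if not is_local(p["src"], local_nets)]
    if not spoofed:
        return {"alert": False, "spoofed_syn": 0}
    unique_src = len({p["src"] for p in spoofed})
    span = _seconds(spoofed[-1]["ts"]) - _seconds(spoofed[0]["ts"])
    pps = len(spoofed) / span if span > 0 else float("inf")
    top_dst, top_dst_n = Counter(str(p["dst"]) for p in spoofed).most_common(1)[0]
    top_dport, top_dport_n = Counter(p["dport"] for p in spoofed).most_common(1)[0]
    # Randomised spoofing shows up as almost every packet having a distinct source.
    unique_ratio = unique_src / len(spoofed)
    return {
        "alert": pps >= min_pps and unique_ratio >= min_unique_ratio,
        "spoofed_syn": len(spoofed),
        "unique_sources": unique_src,
        "unique_ratio": unique_ratio,
        "pps": pps,
        "top_dst": top_dst,
        "top_dst_count": top_dst_n,
        "top_dport": top_dport,
        "top_dport_count": top_dport_n,
    }


if __name__ == "__main__":
    for k, v in analyze_capture(SAMPLE_LINES, LOCAL_NETS).items():
        print(f"{k:16} {v}")
```

Run against a longer capture, the same summary gives the operator the destination to block at the edge and the port mix (here 5999 with a tail of other high ports) to describe the event; the per-source uniqueness ratio is what separates this randomised-spoofing pattern from a single misbehaving host.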
