[unisog] DoS activity: Rapid IP spoofing and TCP port 5999 dest?
Christopher A Bongaarts
cab at tc.umn.edu
Wed Oct 29 15:30:22 GMT 2003
In the immortal words of Clarke Morledge:
> We experienced a really weird Denial of Service attack today.
> In this particular case, the destination IP was 126.96.36.199, and most of
> the traffic was directed towards TCP 5999. But we did see some traffic
> going towards a variety of other high number ports, notably 6667,
> presumably an IRC channel?
Pyroshells Internet Services PYROSHELLS (NET-69-50-160-0-2)
188.8.131.52 - 184.108.40.206
They are well known in the IRC community as a commercial shell
provider. So this is almost certainly an attack on an IRC bot being
run from there.
(I see a lot of confusion on this list on how IRC works; I wonder if
it would be of value to make a network/system-admin targetted FAQ to
help increase understanding. It's an ancient protocol by Internet
time, so it's not surprising that there is confusion.)
%% Christopher A. Bongaarts %% cab at tc.umn.edu %%
%% Internet Services %% http://umn.edu/~cab %%
%% University of Minnesota %% +1 (612) 625-1809 %%
More information about the unisog