[unisog] DoS activity: Rapid IP spoofing and TCP port 5999 dest?

Christopher A Bongaarts cab at tc.umn.edu
Wed Oct 29 15:30:22 GMT 2003


In the immortal words of Clarke Morledge:

> We experienced a really weird Denial of Service attack today. 
[...]
> In this particular case, the destination IP was 69.50.166.41, and most of
> the traffic was directed towards TCP 5999.  But we did see some traffic
> going towards a variety of other high number ports, notably 6667,
> presumably an IRC channel?

Pyroshells Internet Services PYROSHELLS (NET-69-50-160-0-2) 
                                  69.50.160.0 - 69.50.167.255

They are well known in the IRC community as a commercial shell
provider.  So this is almost certainly an attack on an IRC bot being
run from there.

(I see a lot of confusion on this list on how IRC works; I wonder if
it would be of value to make a network/system-admin targetted FAQ to
help increase understanding.  It's an ancient protocol by Internet
time, so it's not surprising that there is confusion.)

%%  Christopher A. Bongaarts  %%  cab at tc.umn.edu       %%
%%  Internet Services         %%  http://umn.edu/~cab  %%
%%  University of Minnesota   %%  +1 (612) 625-1809    %%



More information about the unisog mailing list