[unisog] DoS activity: Rapid IP spoofing and TCP port 5999 dest?

Clarke Morledge chmorl at wm.edu
Thu Oct 30 21:47:27 GMT 2003

As a follow-up, we are judging that our DoS problems were caused by
Gaobot/Agobot infections, as Julian noted.

The attack vectors are three: (1) RPC DCOM vulnerabilities, (2) weak
passwords on MS file shares, or (3) blank admin passwords.

In a second DoS attack that I mentioned, we also had the spoofing with
packets directed towards a single IP, but with a variety of ports (not
5999).  In this case, destination TCP ports included 22, 25, and 110.

So based on the comments from others, it looks like the DoS intended was
by someone on IRC to hurt the destination IP.  Unfortunately, the rapid
spoofing rate ends up draining resources on routers that must continue to
create and tear down flows to handle the increased load.

Also, on a different note, we are seeing a huge increase in scans for TCP
135, 139, and 445 internally.  And we are seeing infection attempts for
the first major RPC DCOM vulnerability (announced during the early summer)
for the first time on ports 139 and 445 (with Blaster & Nachi, we only saw

So is this the new big Nachi/Blaster worm?

Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187
chmorl at wm.edu

On Wed, 29 Oct 2003, Julian Y. Koh wrote:

> At 20:32 -0500 10/28/2003, Clarke Morledge wrote:
> >In this particular case, the destination IP was, and most of
> >the traffic was directed towards TCP 5999.  But we did see some traffic
> >going towards a variety of other high number ports, notably 6667,
> >presumably an IRC channel?
> We had a similar episode a month or so ago.  Turned out to be a whole bunch
> of Gaobot/Agobot-infected machines.

More information about the unisog mailing list