Educause Security Discussion mailing list archives

Re: Any ideas?


From: Paul Dokas <dokas () CS UMN EDU>
Date: Mon, 19 Jan 2004 22:20:04 -0600

On Mon, 19 Jan 2004 16:27:15 -0500, "Piscitello, Frank" <frank () WCUPA EDU> wrote:
> I have what I'm assuming is a worm/scanner that is attempting to connect
> to 68.202.199.235 on port 6667. The mystery is that the source IP seems
> to be every address on my one student subnet. The IP packet is 60 bytes
> and the Frame is 74 bytes. There is no actual data.
>
> Any ideas?
> -Frank

Spoofed SYN flood.  I know because I've got one in my dorms that's attacking
random cable modems even as I type this.  I also had a large outbound SYN
flood against 68.202.199.235 earlier tonight.

I'm still attempting to track down the offending host on my network.

Paul
--
Paul Dokas                                            dokas () cs umn edu
======================================================================
Don Juan Matus:  "an enigma wrapped in mystery wrapped in a tortilla."

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
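
Added example, not part of the original thread: one way to locate a host like the one described above is to group data-less SYN packets by source MAC address in a capture taken on the affected subnet and flag any MAC that appears with many different source IPs. The record layout, addresses, threshold and function names are constructed for illustration, and the sketch assumes the capture point sees end-host MACs rather than a router's.

```python
from collections import defaultdict

SYN, ACK, PSH = 0x02, 0x10, 0x08  # TCP flag bits

def bare_syn(flags, payload_len):
    """True for an initial SYN: no ACK and no data, as in the report."""
    return bool(flags & SYN) and not (flags & ACK) and payload_len == 0

def spoofing_candidates(records, dst_port=6667, min_distinct_ips=5):
    """Return {source MAC: set of source IPs} for MACs that sent bare SYNs
    to dst_port from at least min_distinct_ips different addresses."""
    ips_by_mac = defaultdict(set)
    for mac, src_ip, _dst_ip, port, flags, payload_len in records:
        if port == dst_port and bare_syn(flags, payload_len):
            ips_by_mac[mac].add(src_ip)
    return {mac: ips for mac, ips in ips_by_mac.items()
            if len(ips) >= min_distinct_ips}

def build_sample():
    """Constructed capture: three ordinary clients and one spoofing host.
    Fields: (src_mac, src_ip, dst_ip, dst_port, tcp_flags, payload_len)."""
    target = "203.0.113.10"  # documentation address, not from the thread
    records = []
    # Ordinary clients: one MAC, one IP, handshake followed by data.
    for n in (11, 12, 13):
        mac, ip = f"02:00:00:00:00:{n:02x}", f"192.0.2.{n}"
        records.append((mac, ip, target, 6667, SYN, 0))
        records.append((mac, ip, target, 6667, ACK, 0))
        records.append((mac, ip, target, 6667, ACK | PSH, 40))
    # Spoofing host: one MAC emitting SYNs under 40 forged subnet addresses.
    for n in range(20, 60):
        records.append(("02:00:00:00:00:aa", f"192.0.2.{n}",
                        target, 6667, SYN, 0))
    return records

if __name__ == "__main__":
    for mac, ips in spoofing_candidates(build_sample()).items():
        print(f"{mac} sent bare SYNs from {len(ips)} source addresses")
```

The flagged MAC can then be matched against the switch's forwarding table to find the port the host is attached to.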
