Educause Security Discussion mailing list archives

port 5000 denial of service


From: Kathy Bergsma <kathya () NERSP NERDC UFL EDU>
Date: Wed, 16 Jun 2004 13:52:33 -0400

Yesterday, the University of Florida experienced a denial of service attack
between approximately 11:00 am and 1:00 pm.  The attack consisted of TCP SYN
floods from over 7000 hosts targeted at port 5000 (MS PNP) on random IP
addresses within a single class B on our network.  Several other universities
reported similar attacks on the unisog chat channel.  Source addresses
originated from all over the world, but a few were from U.S. .edu's.  We are
attempting to get flow data and malware from the .edu's that participated in the
attack to determine the method of communication and control.  We suspect that
hosts participating in the attack were compromised and being controlled from a
botnet, possibly IRC.  If anyone has more information, please share it with the
UF security team at netirt () ufl edu or 352-392-2061.  We hope to disable the
botnet so that others might avoid a similar attack.

=============
Kathy Bergsma
UF Information Security Manager
352-392-2061

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
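
Added example, not part of the original message: one way to spot the pattern described above (many sources sending bare SYNs to TCP port 5000 on many addresses inside one /16) in exported flow data. The record layout, the thresholds, the 10.20.0.0/16 block and all sample addresses are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

SYN, ACK = 0x02, 0x10  # TCP flag bits as exported in flow records

def make_sample_flows():
    """Constructed records: (epoch_seconds, src, dst, dst_port, cumulative_tcp_flags)."""
    flows = []
    # 40 sources each send bare SYNs to 5 different hosts in 10.20.0.0/16.
    for i in range(40):
        for j in range(5):
            flows.append((1000 + i + j, f"198.51.100.{i + 1}",
                          f"10.20.{i}.{j + 1}", 5000, SYN))
    # Completed handshakes and other ports must not count.
    flows.append((1005, "203.0.113.9", "10.20.1.10", 5000, SYN | ACK))
    flows.append((1010, "203.0.113.9", "10.20.1.10", 443, SYN))
    # A bare SYN to port 5000 outside the monitored block is ignored too.
    flows.append((1015, "198.51.100.1", "192.0.2.5", 5000, SYN))
    return flows

def detect_syn_flood(flows, monitored_net, port=5000, window=300,
                     min_sources=25, min_targets=50):
    """Return one alert per time window in which many sources sent
    SYN-only flows to `port` on many addresses inside `monitored_net`."""
    net = ipaddress.ip_network(monitored_net)
    buckets = defaultdict(lambda: (set(), set()))
    for ts, src, dst, dport, flags in flows:
        if dport != port or flags != SYN:
            continue  # wrong port, or the handshake progressed past SYN
        if ipaddress.ip_address(dst) not in net:
            continue
        srcs, dsts = buckets[ts - ts % window]
        srcs.add(src)
        dsts.add(dst)
    alerts = []
    for start in sorted(buckets):
        srcs, dsts = buckets[start]
        if len(srcs) >= min_sources and len(dsts) >= min_targets:
            alerts.append({"window_start": start, "sources": len(srcs),
                           "targets": len(dsts), "source_list": sorted(srcs)})
    return alerts

if __name__ == "__main__":
    for a in detect_syn_flood(make_sample_flows(), "10.20.0.0/16"):
        print(a["window_start"], a["sources"], a["targets"])
```

The `source_list` in each alert is the set of addresses to hand to the owning sites when requesting flow data or malware samples.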
