Educause Security Discussion mailing list archives
port 5000 denial of service
From: Kathy Bergsma <kathya () NERSP NERDC UFL EDU>
Date: Wed, 16 Jun 2004 13:52:33 -0400
Yesterday, the University of Florida experienced a denial of service attack between approximately 11:00 am and 1:00 pm. The attack consisted of TCP SYN floods from over 7000 hosts targeted at port 5000 (MS PNP) on random IP addresses within a single class B on our network. Several other universities reported similar attacks on the unisog chat channel. Source addresses originated from all over the world, but a few were from U.S. .edu's. We are attempting to get flow data and malware from the .edu's that participated in the attack to determine the method of communication and control. We suspect that hosts participating the in attack were compromised and being controlled from a botnet, possibly IRC. If anyone has more information, please share it with the UF security team at netirt () ufl edu or 352-392-2061. We hope to disable the botnet so that others might avoid a similar attack. ============= Kathy Bergsma UF Information Security Manager 352-392-2061 ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
Current thread:
- port 5000 denial of service Kathy Bergsma (Jun 16)
- <Possible follow-ups>
- Re: port 5000 denial of service Ariel Silverstone (Jun 16)