Educause Security Discussion mailing list archives
Re: week-long DDoS problem
From: Gary Dobbins <dobbins () ND EDU>
Date: Tue, 3 Aug 2004 10:44:39 -0500
Follow-up to the below, and thanks to those who've offered to help by looking for this activity on their campuses.

It may be an inconclusive finding, but we've observed several participating systems containing variants of the Backdoor trojan which, upon waking, [this variant] opens an IRC session to:

cardzvault.org, IRC, 6667/tcp
-and/or-
cardzvault.com, IRC, 6667/tcp

(Belize registry; if only it were a cruise ship)

You may wish to inspect your logs for similar IRC activity. From IRC it receives instructions on where/when to fire DDoS action. We've blocked that host/port at the border. Since the kidz likely lurk this list, they'll just shift to another control channel in their next copycat variant.

Used to be, a script kid would have to fire off dozens of DDoS bots at one time to really soak a campus' pipe, but now with 100MB uplinks, it only takes a few at a time (so they can keep more in reserve for next time). They surely join our users in thanking us for the uplink b/w.

Gary Dobbins wrote:
Have any of you been catching bursts of DDoS activity emanating from infected Windows PC's around campus during the last ~7 days? Each burst here has been about 4-5 systems, all focused on one host at a small California ISP. We've had about 4-5 rounds of activity occur here in recent days, and those participating machines we've inspected seem, at first reports from those who inspect them, to contain different agents. Since we're not certain if one agent is common to all, it's slowing our ability to block them.

--
------------------------------------------------------------
Gary Dobbins, CISSP -- Director, Information Security
University of Notre Dame, Office of Information Technologies

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
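The post suggests inspecting logs for outbound IRC (6667/tcp) sessions to the two named control hosts. Below is an added example of that check, written for this page and not code from the original post or its author. It assumes a simplified, constructed firewall/netflow line format ("timestamp src:port -> dst:port proto"); a real log would need its own parser in place of LINE_RE. The sample log lines are constructed for illustration. Hosts matching the named control domains are flagged on any port (a copycat variant may move ports), and any other 6667/tcp connection is listed separately for review.

```python
"""Flag campus hosts with outbound IRC control-channel traffic.

Added example for this thread; not code from the original post.
Log format is an ASSUMPTION (constructed for this example):
    <timestamp> <src_ip>:<src_port> -> <dst_host>:<dst_port> <proto>
"""
import re
from collections import defaultdict

# Indicators named in the post. Add any others your own investigation finds.
KNOWN_C2_HOSTS = {"cardzvault.org", "cardzvault.com"}
# Standard IRC port named in the post.
IRC_PORTS = {6667}

# Parser for the assumed (constructed) log line format above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\w.\-]+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_irc_c2(lines):
    """Group suspicious TCP connections by internal source host.

    Returns {src_ip: {"known_c2": [(ts, dst, dport), ...],
                      "other_irc": [(ts, dst, dport), ...]}}
    known_c2  : destination is one of the control hosts named in the post (any port)
    other_irc : any other destination on an IRC port; review, do not auto-block
    Non-TCP lines and unparseable lines are skipped.
    """
    hits = defaultdict(lambda: {"known_c2": [], "other_irc": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"].lower() != "tcp":
            continue
        entry = (rec["ts"], rec["dst"], rec["dport"])
        if rec["dst"].lower() in KNOWN_C2_HOSTS:
            hits[rec["src"]]["known_c2"].append(entry)
        elif rec["dport"] in IRC_PORTS:
            hits[rec["src"]]["other_irc"].append(entry)
    return dict(hits)


def block_candidates(hits):
    """Internal hosts that talked to a named control host: pull these off the net first."""
    return sorted(src for src, h in hits.items() if h["known_c2"])


# Constructed sample log; no real campus data.
SAMPLE_LOG = """\
2004-08-02T03:14:07 10.20.5.17:1043 -> cardzvault.org:6667 tcp
2004-08-02T03:14:09 10.20.5.17:1044 -> 198.51.100.23:80 tcp
2004-08-02T03:20:41 10.20.7.99:2210 -> cardzvault.com:7000 tcp
2004-08-02T04:02:13 10.20.9.4:3377 -> irc.example.net:6667 tcp
2004-08-02T04:02:15 10.20.9.4:3378 -> 203.0.113.8:6667 udp
this line is garbage and should be skipped
"""

if __name__ == "__main__":
    result = find_irc_c2(SAMPLE_LOG.splitlines())
    for src, h in sorted(result.items()):
        print(src, "known_c2:", h["known_c2"], "other_irc:", h["other_irc"])
    print("block first:", block_candidates(result))
```

Running it over the constructed sample flags 10.20.5.17 and 10.20.7.99 as having reached the named control hosts (the second on a non-standard port, which the domain match still catches) and lists 10.20.9.4 under "other_irc" for a human to look at; the UDP line and the garbage line are ignored. A border block on the named hosts, as the post describes, stops the current variant, but the "other_irc" list is where the next control channel will show up.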