
Over the past couple of weeks we have noticed UDP and UDP fragment DoS
attacks being launched from computers on the MSU network.  It poses a
serious threat since the UDP protocol provides no flow control... a
few computers connected at 100 Mbps can send a building router to its
knees processing such traffic.

From a live system we found that it connected to an Internet Relay
Chat (IRC) network running on a port typically used for DNS traffic
(probably to hide as this commonly used service and bypass typically
firewalled ports).  It connects to the following servers; the name is
what the servers refer to themselves as:

213.133.36.252, port 53 (eu.ownage.com)
212.67.207.112, port 53 (eu2.ownage.com)
66.28.104.43, port 53 (us.ownage.com)

These IRC "bots" act as agents for some remote admin user who can
send commands to the bots to launch the attacks.  If you have the
ability to do so, I highly recommend blocking the above IP addresses
at your gateway.  Doing so will prevent the administrative channel
from being established, but will also allow you to determine
compromised computers.

Hope this helps.

Dennis Kelly
Network Administrator
College of Engineering
Michigan State University
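As an added example (not part of the message above), the following Python script does the "determine compromised computers" step from flow records: it flags hosts that contacted the three listed servers on port 53, and separately lists hosts with TCP/53 sessions to anything other than an assumed set of campus resolvers. The flow-record format and the 192.0.2.x / 203.0.113.x addresses are constructed for the example.

```python
"""Added example (not from the original message): flag hosts that reached the
IRC control servers listed above.  The flow format (src dst proto dport bytes)
and the 192.0.2.x / 203.0.113.x addresses are constructed stand-ins."""
from collections import defaultdict

# Control servers and port taken from the message.
CONTROL_SERVERS = {
    "213.133.36.252": "eu.ownage.com",
    "212.67.207.112": "eu2.ownage.com",
    "66.28.104.43": "us.ownage.com",
}
CONTROL_PORT = 53
# Assumed campus resolvers: TCP/53 from a workstation to anything else is
# unusual enough to review even after the server list changes.
KNOWN_RESOLVERS = {"192.0.2.2"}

SAMPLE_LOG = """\
192.0.2.10 213.133.36.252 tcp 53 1840
192.0.2.10 192.0.2.2 udp 53 96
192.0.2.77 66.28.104.43 tcp 53 2210
192.0.2.5 192.0.2.2 tcp 53 620
192.0.2.31 203.0.113.9 tcp 53 4100
192.0.2.9 198.51.100.20 tcp 443 5400
"""

def parse_flows(text):
    """Yield (src, dst, proto, dport, nbytes) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        src, dst, proto, dport, nbytes = parts
        try:
            yield src, dst, proto.lower(), int(dport), int(nbytes)
        except ValueError:
            continue

def find_compromised(text):
    """Return {host: [control server names]} for hosts that contacted them."""
    hits = defaultdict(set)
    for src, dst, _proto, dport, _ in parse_flows(text):
        if dst in CONTROL_SERVERS and dport == CONTROL_PORT:
            hits[src].add(CONTROL_SERVERS[dst])
    return {host: sorted(names) for host, names in hits.items()}

def odd_tcp53(text):
    """Lower-confidence signal: TCP/53 to hosts that are neither resolvers nor listed."""
    return sorted({src for src, dst, proto, dport, _ in parse_flows(text)
                   if proto == "tcp" and dport == CONTROL_PORT
                   and dst not in KNOWN_RESOLVERS and dst not in CONTROL_SERVERS})
```

Hosts returned by `find_compromised` are the ones to pull off the network first; `odd_tcp53` output is a review list, since legitimate TCP DNS (large responses, zone transfers) also lands there.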