chargen is the new DDoS tool?

Bernhard Schmidt berni at birkenwald.de
Tue Jun 11 16:10:21 UTC 2013


Brielle Bruns <bruns at 2mbit.com> wrote:

Hey,

>> we have been getting reports lately about unsecured UDP chargen servers
>> in our network being abused for reflection attacks with spoofed sources
>>
>> http://en.wikipedia.org/wiki/Character_Generator_Protocol
>>
>> | In the UDP implementation of the protocol, the server sends a UDP
>> | datagram containing a random number (between 0 and 512) of characters
>> | every time it receives a datagram from the connecting host. Any data
>> | received by the server is discarded.
>>
>> We are seeing up to 1500 bytes of response though.
>>
>> This seems to be something new. There aren't a lot of systems in our
>> network responding to chargen, but those that do have a 15x
>> amplification factor and generate more traffic than we have seen with
>> abused open resolvers.
>>
>> Anyone else seeing that? Anyone who can think of a legitimate use of
>> chargen/udp these days? Fortunately I can't, so we're going to drop
>> 19/udp at the border within the next hours.
>>
>
> *checks her calendar*  I for a second worried I might have woken up from 
> a 20 year long dream....
>
> Are these like machines time forgot or just really bad configuration
> choices?

Not sure. The affected IPs are strongly clustered around the Faculty of
Medicine, so from experience I would assume stone-old boxes. But not
sure yet.

Bernhard
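
An added example, not part of the original thread: one way to find hosts in your own network that answer on 19/udp from flow records, and to estimate the amplification factor discussed above. The flow tuple layout, the function name and the sample addresses (RFC 5737 documentation ranges) are assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

CHARGEN_PORT = 19

# Constructed flow records (not real traffic):
# (src_ip, src_port, dst_ip, dst_port, proto, bytes)
# In a reflection attack the request source is spoofed, so the
# reply from the chargen host is what reaches the victim address.
SAMPLE_FLOWS = [
    ("203.0.113.7", 40000, "192.0.2.10", 19, "udp", 100),
    ("192.0.2.10", 19, "203.0.113.7", 40000, "udp", 1500),
    ("203.0.113.7", 40001, "192.0.2.10", 19, "udp", 100),
    ("192.0.2.10", 19, "203.0.113.7", 40001, "udp", 1500),
    ("203.0.113.9", 50001, "192.0.2.20", 19, "udp", 60),     # no reply: chargen off
    ("192.0.2.20", 19, "203.0.113.9", 50000, "tcp", 800),    # TCP, out of scope
    ("192.0.2.30", 19, "203.0.113.8", 41000, "udp", 1400),   # reply seen, request not
    ("198.51.100.5", 19, "192.0.2.40", 33000, "udp", 1500),  # external reflector
]


def find_chargen_reflectors(flows, internal_net):
    """Map each internal host replying from 19/udp to
    (request_bytes, response_bytes, amplification_factor)."""
    net = ip_network(internal_net)
    requests = defaultdict(int)   # bytes sent to internal host, dst port 19
    responses = defaultdict(int)  # bytes sent by internal host, src port 19
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if dport == CHARGEN_PORT and ip_address(dst) in net:
            requests[dst] += nbytes
        elif sport == CHARGEN_PORT and ip_address(src) in net:
            responses[src] += nbytes
    report = {}
    for host, out_bytes in responses.items():
        in_bytes = requests.get(host, 0)
        # With sampled or asymmetric flow data the request may be missing;
        # the host is still a responder, but the factor is unknown (None).
        factor = out_bytes / in_bytes if in_bytes else None
        report[host] = (in_bytes, out_bytes, factor)
    return report


if __name__ == "__main__":
    for host, row in find_chargen_reflectors(SAMPLE_FLOWS, "192.0.2.0/24").items():
        print(host, row)
```

Hosts that only receive traffic on 19/udp and never reply are not listed, so the report is a list of boxes to fix or filter rather than a list of probe targets.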
