chargen is the new DDoS tool?

Charles Wyble charles-lists at knownelement.com
Tue Jun 11 17:19:27 UTC 2013


Hmmm. Do you not run a default deny at your border, which would catch this sort of thing? Granted, that's not always possible, I suppose. Maybe block all UDP you don't specifically need? Do you have an IDS/IPS? If not, look at SecurityOnion on a SPAN port; it will provide great insight into what's happening.

Generally these sorts of legacy services are only used for malicious activity and will light up an IDS/IPS like a Christmas tree.

They must be old boxes. I can't think of any recent OS distributions which would even have these services listening, let alone installed.

Bernhard Schmidt <berni at birkenwald.de> wrote:

>Heya everyone,
>
>we have been getting reports lately about unsecured UDP chargen servers
>in our network being abused for reflection attacks with spoofed sources
>
>http://en.wikipedia.org/wiki/Character_Generator_Protocol
>
>| In the UDP implementation of the protocol, the server sends a UDP
>| datagram containing a random number (between 0 and 512) of characters
>| every time it receives a datagram from the connecting host. Any data
>| received by the server is discarded.
>
>We are seeing up to 1500 bytes of response though.
>
>This seems to be something new. There aren't a lot of systems in our
>network responding to chargen, but those that do have a 15x
>amplification factor and generate more traffic than we have seen with
>abused open resolvers.
>
>Anyone else seeing that? Anyone who can think of a legitimate use of
>chargen/udp these days? Fortunately I can't, so we're going to drop
>19/udp at the border within the next hours.
>
>Regards,
>Bernhard

--
Charles Wyble 
charles at knownelement.com / 818 280 7059 
CTO Free Network Foundation (www.thefnf.org)
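As an added example, not part of this thread, here is a small Python script of the kind an operator would run over their own flow export to find hosts in their network answering on 19/udp and to measure the amplification Bernhard describes (response bytes divided by request bytes, flagging responses above the 512-byte figure quoted from the protocol description). The whitespace-separated flow format and all addresses are constructed for the example.

```python
"""Find chargen (19/udp) responders in flow records and estimate amplification."""
from collections import defaultdict

CHARGEN_PORT = 19
PROTOCOL_MAX_RESPONSE = 512  # chargen/udp description: 0..512 characters per datagram

# Constructed sample flows (hypothetical format): src_ip src_port dst_ip dst_port bytes
SAMPLE_FLOWS = """\
198.51.100.7 54321 192.0.2.10 19 64
192.0.2.10 19 198.51.100.7 54321 1472
198.51.100.7 54321 192.0.2.10 19 64
192.0.2.10 19 198.51.100.7 54321 1400
203.0.113.5 40000 192.0.2.20 19 60
192.0.2.20 19 203.0.113.5 40000 300
203.0.113.9 5000 192.0.2.30 19 60
10.0.0.4 33000 192.0.2.99 53 70
"""


def parse_flows(text):
    """Parse flow lines into (src, sport, dst, dport, bytes) tuples, skipping blanks/comments."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        src, sport, dst, dport, nbytes = line.split()
        flows.append((src, int(sport), dst, int(dport), int(nbytes)))
    return flows


def chargen_responders(flows):
    """Return per-responder byte counts, amplification factor and an oversized-response flag.

    A host counts as a responder only if it actually sent traffic from 19/udp;
    hosts that merely received probes on 19/udp (e.g. filtered or closed) are dropped.
    """
    stats = defaultdict(lambda: {"in": 0, "out": 0, "max_resp": 0})
    for src, sport, dst, dport, nbytes in flows:
        if dport == CHARGEN_PORT:                  # request towards a chargen service
            stats[dst]["in"] += nbytes
        elif sport == CHARGEN_PORT:                # reply from a chargen service
            stats[src]["out"] += nbytes
            stats[src]["max_resp"] = max(stats[src]["max_resp"], nbytes)
    result = {}
    for ip, s in stats.items():
        if s["out"] == 0:
            continue
        amp = round(s["out"] / s["in"], 1) if s["in"] else float("inf")
        result[ip] = {**s, "amp": amp, "oversized": s["max_resp"] > PROTOCOL_MAX_RESPONSE}
    return result


if __name__ == "__main__":
    for ip, s in sorted(chargen_responders(parse_flows(SAMPLE_FLOWS)).items()):
        print(f"{ip}: {s['amp']}x amplification, max response {s['max_resp']} bytes")
```

Hosts listed with an amplification factor above 1 are the ones to fix or filter; the oversized flag marks responders exceeding the 512-byte figure, matching the 1500-byte responses reported in the thread.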

