chargen is the new DDoS tool?

Justin M. Streiner streiner at cluebyfour.org
Tue Jun 11 18:55:18 UTC 2013


On Tue, 11 Jun 2013, Vlad Grigorescu wrote:

> We got hit with this in September. UDP/19 became our busiest port
> overnight. Most of the systems participating were printers. We dropped 
> it at the border, and had no complaints or ill effects.

Dropping the TCP and UDP "small services" like echo (not ICMP echo), 
chargen and discard as part of default firewall / filter policies probably 
isn't a bad idea.  Those services used to be enabled by default on Cisco 
routers, but that hasn't been the case since probably around 11.3 (mid-late 90s).

Other than providing another DDoS vector, I'm not aware of any legitimate 
reason to keep these services running and accessible.  As always, YMMV.

jms
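
Added example, not part of the original message: one way to find which internal hosts are answering on the small-service ports (the printers mentioned above, for instance) before dropping those ports at the border. The flow-record column layout, the sample records and the internal prefix are constructed assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Small services named in the post, with their well-known ports.
SMALL_SERVICES = {7: "echo", 9: "discard", 19: "chargen"}

# Constructed sample flow records; the column layout is an assumption.
SAMPLE_FLOWS = """proto,src,sport,dst,dport,bytes
udp,10.1.20.15,19,198.51.100.7,44321,912000
udp,10.1.20.15,19,198.51.100.7,44322,455000
udp,10.1.20.44,19,203.0.113.9,53211,120000
tcp,10.1.5.3,51514,192.0.2.80,443,8800
udp,10.1.7.9,7,198.51.100.7,40000,3000
udp,192.0.2.55,19,10.1.9.9,33000,70000
udp,10.1.20.15,53122,10.1.0.53,53,400
"""

def find_reflectors(flow_csv, internal_cidrs):
    """Return {(host, service): bytes} for internal hosts sending from a
    small-service source port (TCP or UDP) to external addresses."""
    nets = [ipaddress.ip_network(c) for c in internal_cidrs]

    def is_internal(addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in n for n in nets)

    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        sport = int(row["sport"])
        if sport not in SMALL_SERVICES:
            continue
        # Only replies leaving the network count: internal source,
        # external destination, source port is a small service.
        if is_internal(row["src"]) and not is_internal(row["dst"]):
            totals[(row["src"], SMALL_SERVICES[sport])] += int(row["bytes"])
    return dict(totals)

if __name__ == "__main__":
    hits = find_reflectors(SAMPLE_FLOWS, ["10.0.0.0/8"])
    for (host, svc), nbytes in sorted(hits.items(), key=lambda kv: -kv[1]):
        print(f"{host} {svc} {nbytes} bytes outbound")
```

Hosts that show up here are the ones to fix or filter; an empty result over a representative window supports dropping these ports at the border without side effects.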



