chargen is the new DDoS tool?

David Edelman dedelman at iname.com
Tue Jun 11 19:38:45 UTC 2013


I can just see someone spoofing a packet from victimA port 7/UDP to victimB
port 19/UDP.  

--Dave


-----Original Message-----
From: Leo Bicknell [mailto:bicknell at ufp.org] 
Sent: Tuesday, June 11, 2013 3:13 PM
To: Bernhard Schmidt
Cc: nanog at nanog.org
Subject: Re: chargen is the new DDoS tool?


On Jun 11, 2013, at 10:39 AM, Bernhard Schmidt <berni at birkenwald.de> wrote:

> This seems to be something new. There aren't a lot of systems in our 
> network responding to chargen, but those that do have a 15x 
> amplification factor and generate more traffic than we have seen with 
> abused open resolvers.

The number is non-zero?  In 2013?

While blocking it at your border is probably a fine way of mitigating the
problem, I would recommend doing an internal nmap scan for such things,
finding the systems that respond, and talking with their owners.

Please report back to NANOG after talking to them letting us know if the
owners were still using SunOS 4.x boxes for some reason, had accidentally
enabled chargen, or if some malware had set up the servers.  Inquiring minds
would like to know!

-- 
       Leo Bicknell - bicknell at ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/










More information about the NANOG mailing list