Filter NTP traffic by packet size?

Jimmy Hess mysidia at gmail.com
Thu Feb 27 06:06:44 UTC 2014


On Wed, Feb 26, 2014 at 11:09 PM, Randy Bush <randy at psg.com> wrote:

> > I only ran the scan once, but had ~130k devices respond.
> is there any modern utility in chargen?
>

Does ne'er-do-wells hitting IRC users with "DCC CHAT" requests  targeted to
trick the victim into connecting to port 19/tcp  count as a modern use?

I  remember,  that was a dirty trick in the late '90s,  that would today be
called a DoS,  since the result was to crash desktop chat software  -----
nonetheless,  it's the only thing I heard of anyone using chargen for until
recently.

Well,  if you  enable chargen on a large number of hostst and directed
broadcasts:  an artificially created chargen storm could be one way to
stres-test a WAN link,  or to help validate QoS prioritization.

Chargen's supposed to be a useful measurement and debugging tool, for
developing a TCP/IP stack.      I think it has little use nowadays, and
there are some more sophisticated tools around today.


I would say chargen may have some utility,  but it should  not be a service
turned on, provided, or offered outside the secure confines of a testing
lab.

In other words:  chargen for testeing in a lab, sure.
Chargen on production devices, when connected to the public internet:  bad
idea

-- 
-JH


More information about the NANOG mailing list