[163544] in North American Network Operators' Group
chargen is the new DDoS tool?
daemon@ATHENA.MIT.EDU (Bernhard Schmidt)
Tue Jun 11 11:40:30 2013
To: nanog@nanog.org
From: Bernhard Schmidt <berni@birkenwald.de>
Date: Tue, 11 Jun 2013 15:39:32 +0000 (UTC)
Heya everyone,

we have been getting reports lately about unsecured UDP chargen servers
in our network being abused for reflection attacks with spoofed sources:

http://en.wikipedia.org/wiki/Character_Generator_Protocol

| In the UDP implementation of the protocol, the server sends a UDP
| datagram containing a random number (between 0 and 512) of characters
| every time it receives a datagram from the connecting host. Any data
| received by the server is discarded.

We are seeing up to 1500 bytes of response though.

This seems to be something new. There aren't a lot of systems in our
network responding to chargen, but those that do have a 15x
amplification factor and generate more traffic than we have seen with
abused open resolvers.

Anyone else seeing that? Anyone who can think of a legitimate use of
chargen/udp these days? Fortunately I can't, so we're going to drop
19/udp at the border within the next hours.

Regards,
Bernhard
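
An added example, not part of the original post: one way to spot the hosts described above in flow data, by comparing bytes sent from internal UDP source port 19 with bytes received on it. The CSV column layout, the function name and the sample records are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not real traffic). Assumed columns:
# src_ip,src_port,dst_ip,dst_port,proto,bytes
SAMPLE_FLOWS = """\
198.51.100.7,40000,192.0.2.10,19,udp,100
192.0.2.10,19,198.51.100.7,40000,udp,1500
198.51.100.7,40001,192.0.2.10,19,udp,100
192.0.2.10,19,198.51.100.7,40001,udp,1500
203.0.113.5,5353,192.0.2.20,19,udp,60
192.0.2.20,19,203.0.113.5,5353,udp,74
192.0.2.30,53,198.51.100.9,33000,udp,512
198.51.100.9,33000,192.0.2.30,53,udp,64
198.51.100.8,19,192.0.2.40,19,tcp,400
"""

CHARGEN_PORT = 19

def chargen_reflectors(flow_csv, internal_cidr, min_factor=2.0):
    """Return {internal_host: stats} for hosts answering chargen/udp whose
    response/request byte ratio is at least min_factor."""
    net = ipaddress.ip_network(internal_cidr)
    req = defaultdict(int)      # bytes received on host:19/udp
    resp = defaultdict(int)     # bytes sent from host:19/udp
    targets = defaultdict(set)  # addresses (possibly spoofed) that get the replies
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) != 6 or row[4].lower() != "udp":
            continue            # skip malformed rows and chargen/tcp
        src, sport, dst, dport, _, nbytes = row
        if int(dport) == CHARGEN_PORT and ipaddress.ip_address(dst) in net:
            req[dst] += int(nbytes)
        if int(sport) == CHARGEN_PORT and ipaddress.ip_address(src) in net:
            resp[src] += int(nbytes)
            targets[src].add(dst)
    found = {}
    for host, sent in resp.items():
        # Replies with no recorded request are still reported (factor = inf).
        factor = sent / req[host] if req[host] else float("inf")
        if factor >= min_factor:
            found[host] = {"request_bytes": req[host], "response_bytes": sent,
                           "factor": factor, "targets": sorted(targets[host])}
    return found

if __name__ == "__main__":
    for host, s in chargen_reflectors(SAMPLE_FLOWS, "192.0.2.0/24").items():
        print(f"{host}: {s['factor']:.1f}x, replies sent to {s['targets']}")
```

Hosts reported here are candidates for disabling the chargen service, in addition to any border filter on 19/udp.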