[163546] in North American Network Operators' Group


Re: chargen is the new DDoS tool?

daemon@ATHENA.MIT.EDU (Bernhard Schmidt)
Tue Jun 11 12:11:10 2013

To: nanog@nanog.org
From: Bernhard Schmidt <berni@birkenwald.de>
Date: Tue, 11 Jun 2013 16:10:21 +0000 (UTC)
X-Complaints-To: usenet@ger.gmane.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Brielle Bruns <bruns@2mbit.com> wrote:

Hey,

>> we have been getting reports lately about unsecured UDP chargen servers
>> in our network being abused for reflection attacks with spoofed sources
>>
>> http://en.wikipedia.org/wiki/Character_Generator_Protocol
>>
>> | In the UDP implementation of the protocol, the server sends a UDP
>> | datagram containing a random number (between 0 and 512) of characters
>> | every time it receives a datagram from the connecting host. Any data
>> | received by the server is discarded.
>>
>> We are seeing up to 1500 bytes of response though.
>>
>> This seems to be something new. There aren't a lot of systems in our
>> network responding to chargen, but those that do have a 15x
>> amplification factor and generate more traffic than we have seen with
>> abused open resolvers.
>>
>> Anyone else seeing that? Anyone who can think of a legitimate use of
>> chargen/udp these days? Fortunately I can't, so we're going to drop
>> 19/udp at the border within the next hours.
>>
>
> *checks her calendar*  For a second I worried I might have woken up from 
> a 20-year-long dream....
>
> Are these like machines time forgot or just really bad configuration 
> choices?

Not sure. The affected IPs are strongly clustered around the Faculty of
Medicine, so from experience I would assume stone-old boxes. But not
sure yet.

Bernhard
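The reflection pattern described in this thread (tiny spoofed datagrams in to 19/udp, full-size datagrams out, so the responder amplifies the attacker's traffic toward the spoofed victim) is easy to pick out of flow exports before the border filter goes in. Below is an added example, not code from the thread or from any NANOG participant: a small Python detector run over constructed flow records that finds hosts in a given prefix answering on 19/udp and reports their amplification factor, peer count and average response size. The record layout, the address block (192.0.2.0/24, TEST-NET-1) and the `min_ratio` threshold are assumptions for the example.

```python
"""Find chargen (19/udp) reflectors in our address space from flow records.

Added example for the NANOG chargen thread; not the poster's code.
Flow records below are constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, Iterable, NamedTuple

UDP = 17
CHARGEN = 19
OUR_PREFIX = "192.0.2."  # assumed address block (TEST-NET-1), hypothetical


class Flow(NamedTuple):
    proto: int     # IP protocol number (17 = UDP, 6 = TCP)
    src: str
    sport: int
    dst: str
    dport: int
    packets: int
    octets: int    # bytes including IP/UDP headers, as most exporters count them


# Constructed sample flows (not real data):
SAMPLE_FLOWS = [
    # spoofed "victims" send 1-byte datagrams (29 B on the wire) to host .10 ...
    Flow(UDP, "203.0.113.5", 3333, "192.0.2.10", CHARGEN, 100, 2900),
    Flow(UDP, "198.51.100.7", 4444, "192.0.2.10", CHARGEN, 50, 1450),
    # ... and .10 answers every one of them with a full 1500-byte datagram
    Flow(UDP, "192.0.2.10", CHARGEN, "203.0.113.5", 3333, 100, 150000),
    Flow(UDP, "192.0.2.10", CHARGEN, "198.51.100.7", 4444, 50, 75000),
    # host .20 is probed but never answers (port closed): not a reflector
    Flow(UDP, "203.0.113.5", 3333, "192.0.2.20", CHARGEN, 100, 2900),
    # host .30 only speaks chargen over TCP; TCP cannot be spoofed this way
    Flow(6, "203.0.113.9", 5555, "192.0.2.30", CHARGEN, 10, 600),
    Flow(6, "192.0.2.30", CHARGEN, "203.0.113.9", 5555, 10, 6000),
    # host .40 answers with ~100-byte datagrams: weak amplifier (3.4x)
    Flow(UDP, "203.0.113.5", 3333, "192.0.2.40", CHARGEN, 10, 290),
    Flow(UDP, "192.0.2.40", CHARGEN, "203.0.113.5", 3333, 10, 1000),
]


def find_chargen_reflectors(flows: Iterable[Flow], our_prefix: str,
                            min_ratio: float = 5.0) -> Dict[str, dict]:
    """Return {responder_ip: stats} for hosts in our_prefix that answer on
    19/udp and send at least min_ratio times more bytes than they receive."""
    inbound = defaultdict(int)                      # responder -> bytes received on 19/udp
    outbound = defaultdict(lambda: defaultdict(int))  # responder -> peer -> bytes sent
    out_pkts = defaultdict(int)                     # responder -> datagrams sent
    for f in flows:
        if f.proto != UDP:
            continue  # only the connectionless service is a reflection vector
        if f.dport == CHARGEN and f.dst.startswith(our_prefix):
            inbound[f.dst] += f.octets
        elif f.sport == CHARGEN and f.src.startswith(our_prefix):
            outbound[f.src][f.dst] += f.octets
            out_pkts[f.src] += f.packets

    found = {}
    for host, peers in outbound.items():
        out_total = sum(peers.values())
        in_total = inbound.get(host, 0)
        # No matching inbound flow (export sampling, asymmetric path) still
        # means the host is emitting chargen traffic: treat as unbounded.
        ratio = out_total / in_total if in_total else float("inf")
        if ratio >= min_ratio:
            found[host] = {
                "peers": len(peers),
                "in_bytes": in_total,
                "out_bytes": out_total,
                "amplification": round(ratio, 1),
                "avg_response_bytes": out_total // out_pkts[host],
            }
    return found


if __name__ == "__main__":
    for host, stats in find_chargen_reflectors(SAMPLE_FLOWS, OUR_PREFIX).items():
        print(host, stats)
```

The ratio is computed on bytes as the exporter counts them (headers included), so a 1500-byte datagram answering a 29-byte probe comes out near 50x rather than the 15x the thread quotes for payload-only numbers; compare like with like before reporting a figure. Lowering `min_ratio` also surfaces hosts like .40 that amplify only a few times, which still belong on the list of things to fix before the 19/udp border filter is eventually relaxed.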


