[163549] in North American Network Operators' Group


Re: chargen is the new DDoS tool?

daemon@ATHENA.MIT.EDU (Vlad Grigorescu)
Tue Jun 11 12:20:39 2013

From: Vlad Grigorescu <vladg@cmu.edu>
To: "nanog@nanog.org" <nanog@nanog.org>
Date: Tue, 11 Jun 2013 15:58:57 +0000
In-Reply-To: <kp7gbj$it9$1@ger.gmane.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

We got hit with this in September. UDP/19 became our busiest port overnight.
Most of the systems participating were printers. We dropped it at the border,
and had no complaints or ill effects.

--Vlad Grigorescu
  Carnegie Mellon University


On Jun 11, 2013, at 11:39 AM, Bernhard Schmidt <berni@birkenwald.de> wrote:

> Heya everyone,
>
> we have been getting reports lately about unsecured UDP chargen servers
> in our network being abused for reflection attacks with spoofed sources
>
> http://en.wikipedia.org/wiki/Character_Generator_Protocol
>
> | In the UDP implementation of the protocol, the server sends a UDP
> | datagram containing a random number (between 0 and 512) of characters
> | every time it receives a datagram from the connecting host. Any data
> | received by the server is discarded.
>
> We are seeing up to 1500 bytes of response though.
>
> This seems to be something new. There aren't a lot of systems in our
> network responding to chargen, but those that do have a 15x
> amplification factor and generate more traffic than we have seen with
> abused open resolvers.
>
> Anyone else seeing that? Anyone who can think of a legitimate use of
> chargen/udp these days? Fortunately I can't, so we're going to drop
> 19/udp at the border within the next hours.
>
> Regards,
> Bernhard
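
One way to find the UDP/19 responders discussed in this thread from your own flow data before dropping the port at the border, as an added example that is not part of the original posts: it totals chargen bytes in and out per internal host and reports the amplification ratio. The CSV layout, the 192.0.2.0/24 internal prefix, the function name and all flow records are constructed assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed flow records for illustration (documentation address ranges).
SAMPLE_FLOWS = """\
src,sport,dst,dport,proto,bytes
198.51.100.7,40211,192.0.2.10,19,udp,100
192.0.2.10,19,198.51.100.7,40211,udp,1500
198.51.100.7,40212,192.0.2.10,19,udp,100
192.0.2.10,19,198.51.100.7,40212,udp,1500
198.51.100.7,40213,192.0.2.10,19,udp,100
192.0.2.10,19,198.51.100.7,40213,udp,1500
198.51.100.7,40300,192.0.2.30,19,udp,100
203.0.113.5,51000,192.0.2.20,19,tcp,60
192.0.2.40,53,203.0.113.9,33000,udp,512
"""

INTERNAL = ipaddress.ip_network("192.0.2.0/24")  # assumed local prefix


def chargen_reflectors(flow_csv, internal=INTERNAL, min_ratio=2.0):
    """Map each internal host answering from UDP/19 to (bytes_in, bytes_out, ratio)."""
    bytes_in = defaultdict(int)   # requests arriving at local port 19
    bytes_out = defaultdict(int)  # responses leaving from local port 19
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["proto"].lower() != "udp":
            continue  # the reflection described in the thread is UDP only
        src = ipaddress.ip_address(row["src"])
        dst = ipaddress.ip_address(row["dst"])
        if dst in internal and row["dport"] == "19":
            bytes_in[str(dst)] += int(row["bytes"])
        elif src in internal and row["sport"] == "19":
            bytes_out[str(src)] += int(row["bytes"])
    report = {}
    for host, sent in bytes_out.items():
        received = bytes_in.get(host, 0)
        # Responses with no matching request still count as a responder.
        ratio = sent / received if received else float("inf")
        if ratio >= min_ratio:
            report[host] = (received, sent, ratio)
    return report


if __name__ == "__main__":
    for host, (rx, tx, ratio) in chargen_reflectors(SAMPLE_FLOWS).items():
        print(f"{host}: {rx} B in, {tx} B out on UDP/19, {ratio:.1f}x")
```

Hosts that receive UDP/19 datagrams but never answer (192.0.2.30 in the sample) are left out, so the report lists only the systems that actually need chargen disabled.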


