[163552] in North American Network Operators' Group
Re: chargen is the new DDoS tool?
daemon@ATHENA.MIT.EDU (Justin M. Streiner)
Tue Jun 11 14:56:05 2013
Date: Tue, 11 Jun 2013 14:55:18 -0400 (EDT)
From: "Justin M. Streiner" <streiner@cluebyfour.org>
To: "nanog@nanog.org" <nanog@nanog.org>
In-Reply-To: <1202BE242E080642B0CD0AD0A03E8552C88F17@PGH-MSGMB-03.andrew.ad.cmu.edu>

On Tue, 11 Jun 2013, Vlad Grigorescu wrote:
> We got hit with this in September. UDP/19 became our busiest port
> overnight. Most of the systems participating were printers. We dropped
> it at the border, and had no complaints or ill effects.

Dropping the TCP and UDP "small services" like echo (not ICMP echo),
chargen and discard as part of default firewall / filter policies probably
isn't a bad idea. Those services used to be enabled by default on Cisco
routers, but that hasn't been the case since probably around 11.3 (mid-late 90s).
Other than providing another DDoS vector, I'm not aware of any legitimate
reason to keep these services running and accessible. As always, YMMV.

jms
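
An added example, not part of the original thread: one way to find which internal hosts are answering on the small-service ports before or after a border drop, by summarizing flow records. The CSV flow layout, the internal prefix, and all sample records are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Small services named in the message, with their well-known ports.
SMALL_SERVICES = {7: "echo", 9: "discard", 19: "chargen"}
# Assumption: the site's internal prefix (a documentation range is used here).
INTERNAL = ipaddress.ip_network("192.0.2.0/24")

# Constructed sample flows: src_ip,src_port,dst_ip,dst_port,proto,bytes
SAMPLE_FLOWS = """\
203.0.113.5,40000,192.0.2.10,19,udp,60
192.0.2.10,19,203.0.113.5,40000,udp,7400
203.0.113.5,40001,192.0.2.10,19,udp,60
192.0.2.10,19,203.0.113.5,40001,udp,7400
203.0.113.9,5353,192.0.2.20,7,udp,100
192.0.2.20,7,203.0.113.9,5353,udp,100
192.0.2.30,51000,198.51.100.7,53,udp,80
198.51.100.7,53,192.0.2.30,51000,udp,300
203.0.113.9,6000,192.0.2.40,9,tcp,120
"""

def summarize(flow_text):
    """Return {(host, proto, service): [bytes_in, bytes_out]} for internal hosts."""
    stats = defaultdict(lambda: [0, 0])
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, sport, dst, dport, proto, nbytes = line.strip().split(",")
        sport, dport, nbytes = int(sport), int(dport), int(nbytes)
        if proto not in ("tcp", "udp"):
            continue
        # Inbound traffic aimed at a small-service port on an internal host.
        if dport in SMALL_SERVICES and ipaddress.ip_address(dst) in INTERNAL:
            stats[(dst, proto, SMALL_SERVICES[dport])][0] += nbytes
        # Reply leaving an internal host from a small-service port.
        if sport in SMALL_SERVICES and ipaddress.ip_address(src) in INTERNAL:
            stats[(src, proto, SMALL_SERVICES[sport])][1] += nbytes
    return dict(stats)

def reflectors(stats):
    """Internal hosts that actually answered, largest outbound volume first."""
    hits = [(key, val) for key, val in stats.items() if val[1] > 0]
    return sorted(hits, key=lambda kv: kv[1][1], reverse=True)

if __name__ == "__main__":
    for (host, proto, svc), (b_in, b_out) in reflectors(summarize(SAMPLE_FLOWS)):
        ratio = f"x{b_out / b_in:.1f}" if b_in else "no request seen"
        print(f"{host} {proto}/{svc}: in={b_in}B out={b_out}B {ratio}")
```

Hosts listed by `reflectors()` still have the service enabled and should have it turned off on the device itself; hosts that appear only with inbound bytes are being probed but are not answering.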