[163553] in North American Network Operators' Group


Re: chargen is the new DDoS tool?

daemon@ATHENA.MIT.EDU (Leo Bicknell)
Tue Jun 11 15:13:52 2013

From: Leo Bicknell <bicknell@ufp.org>
In-Reply-To: <kp7gbj$it9$1@ger.gmane.org>
Date: Tue, 11 Jun 2013 14:13:15 -0500
To: Bernhard Schmidt <berni@birkenwald.de>
Cc: nanog@nanog.org



On Jun 11, 2013, at 10:39 AM, Bernhard Schmidt <berni@birkenwald.de> wrote:

> This seems to be something new. There aren't a lot of systems in our
> network responding to chargen, but those that do have a 15x
> amplification factor and generate more traffic than we have seen with
> abused open resolvers.

The number is non-zero?  In 2013?

While blocking it at your border is probably a fine way of mitigating
the problem, I would recommend doing an internal nmap scan for such
things, finding the systems that respond, and talking with their owners.

Please report back to NANOG after talking to them letting us know if the
owners were still using SunOS 4.x boxes for some reason, had
accidentally enabled chargen, or if some malware had set up the servers.
Inquiring minds would like to know!

--
       Leo Bicknell - bicknell@ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/
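
An added example, not part of the original message: one way to run the internal inventory suggested above without nmap, by sending a single small datagram to UDP port 19 on each host of an internal range and recording who answers and with how many bytes. The function names and the 10.0.0.0/28 range are hypothetical, and the ratio counts payload bytes only, so it depends on the probe size.

```python
import ipaddress
import socket

CHARGEN_PORT = 19  # chargen, RFC 864


def probe_chargen(host, port=CHARGEN_PORT, timeout=1.0, probe=b"\n"):
    """Send one small datagram; return (reply_bytes, payload_ratio) or None.

    A UDP chargen service answers any datagram with a datagram of
    characters, so any reply means the service is enabled on that host.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(probe, (host, port))
            data, _ = s.recvfrom(65535)
        except OSError:  # timeout, ICMP port unreachable, no route
            return None
    return len(data), len(data) / len(probe)


def sweep(cidr, port=CHARGEN_PORT, timeout=1.0):
    """Probe every host in an internal range; return {ip: (bytes, ratio)}."""
    net = ipaddress.ip_network(cidr, strict=False)
    if not net.is_private:
        raise ValueError(f"{cidr} is not internal address space")
    hosts = list(net.hosts()) or [net.network_address]  # /32 on older Pythons
    found = {}
    for ip in hosts:
        result = probe_chargen(str(ip), port, timeout)
        if result is not None:
            found[str(ip)] = result
    return found


if __name__ == "__main__":
    # 10.0.0.0/28 is a placeholder; substitute a range you operate.
    for ip, (size, ratio) in sweep("10.0.0.0/28").items():
        print(f"{ip}: chargen answered {size} bytes ({ratio:.0f}x payload)")
```
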





