[163573] in North American Network Operators' Group
Re: chargen is the new DDoS tool?
daemon@ATHENA.MIT.EDU (Damian Menscher)
Wed Jun 12 02:26:50 2013
In-Reply-To: <kp7gbj$it9$1@ger.gmane.org>
From: Damian Menscher <damian@google.com>
Date: Tue, 11 Jun 2013 23:26:02 -0700
To: Bernhard Schmidt <berni@birkenwald.de>
Cc: NANOG mailing list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Tue, Jun 11, 2013 at 8:39 AM, Bernhard Schmidt <berni@birkenwald.de> wrote:
> we have been getting reports lately about unsecured UDP chargen servers
> in our network being abused for reflection attacks with spoofed sources
>
> Anyone else seeing that? Anyone who can think of a legitimate use of
> chargen/udp these days? Fortunately I can't, so we're going to drop
> 19/udp at the border within the next hours.
>
FWIW, last August we noticed 2.5Gbps of chargen being reflected off ~160
IPs (with large responses in violation of the RFC). As I recall, some
quick investigation indicated it was mostly printers. I notified several
of the worst offenders (rated by bandwidth).
While I think it's silly to be exposing chargen to the world (especially as
a default service in a printer!), the real problem here is networks that
allow spoofed traffic onto the public internet. In the rare cases we see
spoofed traffic I put special effort into tracing them to their source, and
then following up to educate those providers about egress filtering. I'd
appreciate it if others did the same.
Damian
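The two checks this thread describes, picking out chargen reflectors by their amplification and spotting traffic that egress filtering should have dropped, as an added example that is not part of the original post or of any tooling its authors used. The flow records, the "our network" prefixes (documentation ranges) and the field layout are all constructed for the example; the 512-byte ceiling is the RFC 864 limit on a chargen UDP reply, which is what "large responses in violation of the RFC" refers to.

```python
"""Spot chargen (udp/19) reflectors and spoofed egress traffic in flow records."""
import ipaddress
from collections import defaultdict

# RFC 864 caps a chargen UDP reply at 512 bytes; anything larger is the
# "large responses in violation of the RFC" behaviour mentioned in the post.
CHARGEN_PORT = 19
RFC864_MAX_UDP_RESPONSE = 512

# Assumed address space for "our network" (constructed, documentation ranges).
OUR_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("198.51.100.0/24")]

# Constructed flow records, not real data:
# (src_ip, src_port, dst_ip, dst_port, proto, bytes, direction)
# direction is "in" (arriving from the Internet) or "out" (leaving our border).
SAMPLE_FLOWS = [
    ("203.0.113.7", 40000, "192.0.2.10", 19, "udp", 60, "in"),      # spoofed request
    ("192.0.2.10", 19, "203.0.113.7", 40000, "udp", 1024, "out"),   # oversized reply
    ("203.0.113.7", 40001, "192.0.2.10", 19, "udp", 60, "in"),
    ("192.0.2.10", 19, "203.0.113.7", 40001, "udp", 1400, "out"),
    ("203.0.113.7", 40002, "192.0.2.11", 19, "udp", 60, "in"),
    ("192.0.2.11", 19, "203.0.113.7", 40002, "udp", 300, "out"),    # within RFC limit
    ("192.0.2.20", 53000, "203.0.113.50", 443, "tcp", 500, "out"),  # ordinary traffic
    ("198.51.100.5", 44444, "203.0.113.7", 80, "tcp", 80, "out"),   # ordinary traffic
    ("203.0.113.99", 55555, "203.0.113.200", 19, "udp", 60, "out"), # source is not ours
]


def chargen_summary(flows):
    """Per local host answering on udp/19: bytes requested vs. bytes reflected."""
    hosts = defaultdict(lambda: {"bytes_in": 0, "bytes_out": 0, "max_response": 0})
    for src, sport, dst, dport, proto, nbytes, direction in flows:
        if proto != "udp":
            continue
        if direction == "in" and dport == CHARGEN_PORT:
            hosts[dst]["bytes_in"] += nbytes
        elif direction == "out" and sport == CHARGEN_PORT:
            h = hosts[src]
            h["bytes_out"] += nbytes
            h["max_response"] = max(h["max_response"], nbytes)
    for h in hosts.values():
        h["ratio"] = h["bytes_out"] / h["bytes_in"] if h["bytes_in"] else float("inf")
        h["exceeds_rfc_limit"] = h["max_response"] > RFC864_MAX_UDP_RESPONSE
    return dict(hosts)


def flag_reflectors(flows, min_ratio=10.0):
    """Hosts worth notifying or filtering, ordered by reflected bandwidth
    (worst offender first), the way the post ranks them."""
    summary = chargen_summary(flows)
    hits = [(host, d) for host, d in summary.items()
            if d["ratio"] >= min_ratio or d["exceeds_rfc_limit"]]
    return sorted(hits, key=lambda item: item[1]["bytes_out"], reverse=True)


def find_spoofed_egress(flows, prefixes=OUR_PREFIXES):
    """Outbound flows whose source address is not ours: exactly what egress
    filtering (BCP 38) at the border should drop before it reaches the Internet."""
    spoofed = []
    for flow in flows:
        src, direction = flow[0], flow[6]
        if direction != "out":
            continue
        addr = ipaddress.ip_address(src)
        if not any(addr in net for net in prefixes):
            spoofed.append(flow)
    return spoofed


if __name__ == "__main__":
    for host, d in flag_reflectors(SAMPLE_FLOWS):
        print(f"reflector {host}: {d['bytes_out']}B out for {d['bytes_in']}B in "
              f"(x{d['ratio']:.1f}, max reply {d['max_response']}B)")
    for flow in find_spoofed_egress(SAMPLE_FLOWS):
        print("spoofed egress:", flow)
```

On the sample data only 192.0.2.10 is flagged: it reflects about twenty times what it receives and its replies exceed the RFC 864 limit, while 192.0.2.11 answers within the limit at a 5x ratio and stays below the threshold. The last flow is caught by the egress check because its source is outside the assumed prefixes, which is the case the post argues the originating network, not the reflector, should be fixing.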