[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

chargen is the new DDoS tool?

Subject: chargen is the new DDoS tool?
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Tue, 11 Jun 2013 14:55:18 -0400 (EDT)
In-reply-to: <1202BE242E080642B0CD0AD0A03E8552C88F17@PGH-MSGMB-03.andrew.ad.cmu.edu>
References: <[email protected]> <1202BE242E080642B0CD0AD0A03E8552C88F17@PGH-MSGMB-03.andrew.ad.cmu.edu>

On Tue, 11 Jun 2013, Vlad Grigorescu wrote:

> We got hit with this in September. UDP/19 became our most busiest port 
> overnight. Most of the systems participating were printers. We dropped 
> it at the border, and had no complaints or ill effects.

Dropping the TCP and UDP "small services" like echo (not ICMP echo), 
chargen and discard as part of default firewall / filter policies probably 
isn't a bad idea.  Those services used to be enabled by default on Cisco 
routers, but that hasn't been since probably around 11.3 (mid-late 90s).

Other than providing another DDoS vector, I'm not aware of any legitimate 
reason to keep these services running and accessible.  As always, YMMV.

jms

Follow-Ups:
- chargen is the new DDoS tool?
  - From: mysidia at gmail.com (Jimmy Hess)

References:
- chargen is the new DDoS tool?
  - From: berni at birkenwald.de (Bernhard Schmidt)
- chargen is the new DDoS tool?
  - From: vladg at cmu.edu (Vlad Grigorescu)

Prev by Date: chargen is the new DDoS tool?
Next by Date: chargen is the new DDoS tool?
Previous by thread: chargen is the new DDoS tool?
Next by thread: chargen is the new DDoS tool?
Index(es):
- Date
- Thread