
chargen is the new DDoS tool?



On Tue, Jun 11, 2013 at 8:39 AM, Bernhard Schmidt <berni at birkenwald.de> wrote:

> we have been getting reports lately about unsecured UDP chargen servers
> in our network being abused for reflection attacks with spoofed sources
>
> Anyone else seeing that? Anyone who can think of a legitimate use of
> chargen/udp these days? Fortunately I can't, so we're going to drop
> 19/udp at the border within the next hours.
>

FWIW, last August we noticed 2.5Gbps of chargen being reflected off ~160
IPs (with large responses in violation of the RFC).  As I recall, some
quick investigation indicated it was mostly printers.  I notified several
of the worst offenders (rated by bandwidth).

While I think it's silly to be exposing chargen to the world (especially as
a default service in a printer!), the real problem here is networks that
allow spoofed traffic onto the public internet.  In the rare cases we see
spoofed traffic I put special effort into tracing them to their source, and
then following up to educate those providers about egress filtering.  I'd
appreciate it if others did the same.

Damian
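
An added example, not part of the original message: one way a network operator could find both problems raised in this thread in outbound border flow records, by ranking local chargen/udp reflectors by bandwidth and listing flows whose source address is outside the network's own prefixes (what egress filtering would drop). The flow record layout, the sample records and the prefix list are constructed assumptions; the 512-character limit for a UDP chargen reply is from RFC 864.

```python
import ipaddress
from collections import defaultdict

CHARGEN_PORT = 19
RFC864_MAX_UDP_PAYLOAD = 512  # RFC 864: a UDP reply carries 0..512 characters

# Constructed sample of OUTBOUND flows seen at a border router (assumed layout):
# (src_ip, src_port, dst_ip, protocol, udp_payload_bytes_per_packet, packets)
SAMPLE_FLOWS = [
    ("192.0.2.10", 19, "203.0.113.5", "udp", 1024, 4000),   # oversize replies
    ("192.0.2.10", 19, "203.0.113.5", "udp", 74, 100),
    ("192.0.2.77", 19, "203.0.113.5", "udp", 300, 50),
    ("192.0.2.20", 443, "198.51.100.9", "tcp", 1200, 10),    # unrelated traffic
    ("198.51.100.200", 40000, "203.0.113.80", "udp", 1, 900),  # source not ours
]
LOCAL_PREFIXES = ["192.0.2.0/24"]  # assumption: prefixes assigned to this network


def _is_local(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def analyze_egress(flows, local_prefixes):
    """Return (reflectors ranked by bytes sent, flows that egress filtering would drop)."""
    nets = [ipaddress.ip_network(p) for p in local_prefixes]
    reflectors = defaultdict(lambda: {"bytes": 0, "oversize_packets": 0})
    spoofed = []
    for src, sport, dst, proto, payload, packets in flows:
        if not _is_local(src, nets):
            # Leaving our network with a source we do not own: spoofed or misrouted.
            spoofed.append((src, dst))
            continue
        if proto == "udp" and sport == CHARGEN_PORT:
            entry = reflectors[src]
            entry["bytes"] += payload * packets
            if payload > RFC864_MAX_UDP_PAYLOAD:
                entry["oversize_packets"] += packets
    ranked = sorted(reflectors.items(), key=lambda kv: kv[1]["bytes"], reverse=True)
    return ranked, spoofed


if __name__ == "__main__":
    ranked, spoofed = analyze_egress(SAMPLE_FLOWS, LOCAL_PREFIXES)
    for ip, stats in ranked:
        print(f"reflector {ip}: {stats['bytes']} bytes, "
              f"{stats['oversize_packets']} packets over the RFC 864 limit")
    for src, dst in spoofed:
        print(f"non-local source leaving the network: {src} -> {dst}")
```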