nanog mailing list archives

Re: chargen is the new DDoS tool?


From: Damian Menscher <damian () google com>
Date: Tue, 11 Jun 2013 23:26:02 -0700

On Tue, Jun 11, 2013 at 8:39 AM, Bernhard Schmidt <berni () birkenwald de> wrote:

> we have been getting reports lately about unsecured UDP chargen servers
> in our network being abused for reflection attacks with spoofed sources
>
> Anyone else seeing that? Anyone who can think of a legitimate use of
> chargen/udp these days? Fortunately I can't, so we're going to drop
> 19/udp at the border within the next hours.


FWIW, last August we noticed 2.5Gbps of chargen being reflected off ~160
IPs (with large responses in violation of the RFC).  As I recall, some
quick investigation indicated it was mostly printers.  I notified several
of the worst offenders (rated by bandwidth).

While I think it's silly to be exposing chargen to the world (especially as
a default service in a printer!), the real problem here is networks that
allow spoofed traffic onto the public internet.  In the rare cases we see
spoofed traffic I put special effort into tracing them to their source, and
then following up to educate those providers about egress filtering.  I'd
appreciate it if others did the same.

Damian
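
Added example, not part of the original message: a sketch of the two checks discussed in the thread, run over outbound border flow records. It ranks internal hosts answering from 19/udp by bandwidth, flags those whose average reply exceeds the 512-character limit in RFC 864, and lists flows an egress filter should drop because the source address is not ours. The flow format, the prefixes and the sample records are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption: documentation prefixes stand in for the network's own address space.
OUR_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("198.51.100.0/24")]
CHARGEN_PORT = 19
RFC864_MAX_PAYLOAD = 512  # RFC 864: a UDP reply carries 0 to 512 characters

# Constructed outbound flow records (hypothetical format):
# src_ip,src_port,dst_ip,dst_port,proto,packets,udp_payload_bytes
SAMPLE_FLOWS = """\
192.0.2.10,19,203.0.113.5,40112,udp,1000,1400000
192.0.2.10,19,203.0.113.5,40113,udp,500,700000
198.51.100.7,19,203.0.113.5,51515,udp,200,14800
192.0.2.44,53122,203.0.113.9,443,tcp,30,42000
203.0.113.77,4444,198.18.0.1,19,udp,900,900
"""

def is_ours(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OUR_PREFIXES)

def analyze(flow_text):
    """Return (chargen responders ranked by bytes, flows an egress filter should drop)."""
    totals = defaultdict(lambda: {"bytes": 0, "packets": 0})
    spoofed = []
    for line in flow_text.strip().splitlines():
        src, sport, dst, dport, proto, pkts, size = line.split(",")
        sport, dport, pkts, size = int(sport), int(dport), int(pkts), int(size)
        if not is_ours(src):
            # Leaving our network with a source we do not own: egress filtering drops it.
            spoofed.append((src, dst, dport))
            continue
        if proto == "udp" and sport == CHARGEN_PORT:
            totals[src]["bytes"] += size
            totals[src]["packets"] += pkts
    ranked = []
    for ip, t in sorted(totals.items(), key=lambda kv: -kv[1]["bytes"]):
        # An average above 512 means at least one reply broke the RFC 864 limit.
        avg = t["bytes"] / t["packets"]
        ranked.append((ip, t["bytes"], avg > RFC864_MAX_PAYLOAD))
    return ranked, spoofed

if __name__ == "__main__":
    ranked, spoofed = analyze(SAMPLE_FLOWS)
    for ip, total, oversized in ranked:
        print(f"{ip} chargen bytes={total} exceeds_rfc864={oversized}")
    for src, dst, dport in spoofed:
        print(f"egress drop: {src} -> {dst}:{dport}")
```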

