Re: chargen is the new DDoS tool?

[Brielle Bruns <bruns () 2mbit com>]

On 6/11/13 9:39 AM, Bernhard Schmidt wrote:
> Heya everyone,
>
> we have been getting reports lately about unsecured UDP chargen servers
> in our network being abused for reflection attacks with spoofed sources
>
> http://en.wikipedia.org/wiki/Character_Generator_Protocol
>
> | In the UDP implementation of the protocol, the server sends a UDP
> | datagram containing a random number (between 0 and 512) of characters
> | every time it receives a datagram from the connecting host. Any data
> | received by the server is discarded.
>
> We are seeing up to 1500 bytes of response though.
>
> This seems to be something new. There aren't a lot of systems in our
> network responding to chargen, but those that do have a 15x
> amplification factor and generate more traffic than we have seen with
> abused open resolvers.
>
> Anyone else seeing that? Anyone who can think of a legitimate use of
> chargen/udp these days? Fortunately I can't, so we're going to drop
> 19/udp at the border within the next hours.


*checks her calendar*  I for a second worried I might have woken up from 
a 20 year long dream....


Are these like machines time forgot or just really bag configuration 
choices?


--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org    /     http://www.ahbl.org