nanog mailing list archives

RE: chargen is the new DDoS tool?


From: "David Edelman" <dedelman () iname com>
Date: Tue, 11 Jun 2013 15:38:45 -0400

I can just see someone spoofing a packet from victimA port 7/UDP to victimB
port 19/UDP.  

--Dave


-----Original Message-----
From: Leo Bicknell [mailto:bicknell () ufp org] 
Sent: Tuesday, June 11, 2013 3:13 PM
To: Bernhard Schmidt
Cc: nanog () nanog org
Subject: Re: chargen is the new DDoS tool?


On Jun 11, 2013, at 10:39 AM, Bernhard Schmidt <berni () birkenwald de> wrote:

> This seems to be something new. There aren't a lot of systems in our
> network responding to chargen, but those that do have a 15x
> amplification factor and generate more traffic than we have seen with
> abused open resolvers.

The number is non-zero?  In 2013?

While blocking it at your border is probably a fine way of mitigating the
problem, I would recommend doing an internal nmap scan for such things,
finding the systems that respond, and talking with their owners.

Please report back to NANOG after talking to them letting us know if the
owners were still using SunOS 4.x boxes for some reason, had accidentally
enabled chargen, or if some malware had set up the servers.  Inquiring minds
would like to know!

-- 
       Leo Bicknell - bicknell () ufp org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/
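An added example, not code posted by anyone in this thread: a small Python probe for the discovery step Leo suggests and the two ports David mentions. It sends a few UDP datagrams to a host, counts the reply bytes that come back within a timeout, reports the amplification ratio (reply bytes over probe bytes), and tells an echo responder (probe mirrored back) from a chargen responder (a printable pattern unrelated to the probe). The stand-in chargen daemon at the bottom is constructed so the script runs offline against 127.0.0.1; it answers every datagram with a fixed number of 72-character lines of the traditional rotating pattern, whereas an RFC 864 UDP chargen daemon answers with a random 0 to 512 characters, which is why the probe sends several datagrams rather than one. Everything else (function names, the 74-byte line size) is this example's own.

```python
"""Probe a host for UDP echo (7) and chargen (19) responders and measure
the amplification ratio (reply bytes / probe bytes) it yields.

Added example for this thread, not code from any participant. The fake
chargen responder below is constructed for offline demonstration; a real
RFC 864 UDP chargen daemon answers each datagram with a random 0-512
character line, so the stand-in only approximates real behaviour.
"""
import socket
import threading
import time

ECHO_PORT = 7
CHARGEN_PORT = 19

# The classic rotating chargen pattern draws from the 95 printable ASCII
# characters (space through '~') and emits 72 of them per line.
_ALPHABET = ''.join(chr(c) for c in range(32, 127))


def chargen_line(offset: int, width: int = 72) -> bytes:
    """One line of the rotating pattern, starting at alphabet position offset."""
    start = offset % len(_ALPHABET)
    rotated = _ALPHABET[start:] + _ALPHABET[:start]
    return (rotated * 2)[:width].encode('ascii') + b'\r\n'


def classify_reply(probe: bytes, reply: bytes) -> str:
    """Tell an echo answer (probe mirrored back) from a chargen answer
    (printable pattern unrelated to the probe) or anything else."""
    if reply == probe:
        return 'echo'
    try:
        text = reply.decode('ascii')
    except UnicodeDecodeError:
        return 'other'
    if text and all(c.isprintable() or c in '\r\n' for c in text):
        return 'chargen'
    return 'other'


def measure_amplification(host: str, port: int, probe: bytes = b'\x00',
                          probes: int = 1, timeout: float = 1.0):
    """Send `probes` datagrams of `probe` to host:port and count every reply
    byte that arrives before `timeout` expires. Returns (bytes_sent,
    bytes_received, ratio). Several probes are used because a compliant
    chargen daemon may legitimately answer one datagram with zero bytes."""
    sent = received = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for _ in range(probes):
            sent += sock.sendto(probe, (host, port))
        deadline = time.monotonic() + timeout
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                break
            sock.settimeout(remaining)
            try:
                data, _ = sock.recvfrom(65535)
            except (socket.timeout, TimeoutError):
                break
            received += len(data)
    ratio = received / sent if sent else 0.0
    return sent, received, ratio


def start_fake_chargen(reply_lines: int = 1, host: str = '127.0.0.1'):
    """Constructed stand-in for a chargen daemon: answers every datagram with
    `reply_lines` pattern lines (74 bytes each). Returns (port, stop_event)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, 0))                # ephemeral port, not the real 19/udp
    port = srv.getsockname()[1]
    srv.settimeout(0.2)
    stop = threading.Event()
    payload = b''.join(chargen_line(i) for i in range(reply_lines))

    def serve():
        while not stop.is_set():
            try:
                _, peer = srv.recvfrom(65535)
            except (socket.timeout, TimeoutError):
                continue
            srv.sendto(payload, peer)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop


if __name__ == '__main__':
    # Demo against the local stand-in: a 1-byte probe answered with a single
    # 74-byte line is already a 74x amplifier.
    port, stop = start_fake_chargen(reply_lines=1)
    sent, got, ratio = measure_amplification('127.0.0.1', port, probes=5, timeout=0.5)
    stop.set()
    print(f'sent {sent} B, received {got} B, amplification {ratio:.1f}x')
```

For the network-wide sweep itself, the nmap invocation that matches Leo's advice is `nmap -sU -p 7,19 --open <your prefix>`; this script is for the follow-up of measuring what a discovered responder actually returns. The echo/chargen pairing David describes works because a chargen reply sent to an echo port is mirrored back to chargen, which answers again, so one spoofed datagram keeps two hosts talking to each other until one of them drops the traffic.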