nanog mailing list archives

Re: chargen is the new DDoS tool?


From: Jimmy Hess <mysidia () gmail com>
Date: Tue, 11 Jun 2013 21:52:52 -0500

On 6/11/13, Majdi S. Abbas <msa () latt net> wrote:
> On Tue, Jun 11, 2013 at 07:52:02PM -0400, Ricky Beam wrote:
>> All of the above plus very poorly managed network / network
>> security. (sadly a Given(tm) for anything ending dot-e-d-u.) a) why
>> are *printers* given public IPs? and b) why are internet hosts
>> allowed to talk to them? I am actually *very* surprised your printers
>> are still functional if the whole internet can reach them.

Who really has a solid motive to make them stop working (other than a
printer manufacturer who wants to sell them more) ?


> Guess what, they have /16s, they use them, and they like
> the ability to print from one side of campus to the other. Are you
> suggesting gigantic NATs with 120,000 students and faculty behind them?

A per-building NAT would work, with static translations for printers
in that building, and an ACL with an allow list including IPsec
traffic to the printer from the campus' IP range.

They don't have to use NAT though to avoid unnecessary exposure of
services on internal equipment to the larger world.


> I have a hard time blaming a school for this. I have an easy
> time wondering why printer manufacturers are including chargen support
> in firmware.


They probably built their printer on top of a general purpose or
embedded OS they purchased from someone else, or reused, that
included an IP stack -- as well as other features that were
unnecessary for their use case.

Or the chargen tool may have been used during stress tests to verify
proper networking, and that the IP stack processed bits without
corrupting them; with the manufacturer forgetting/neglecting to turn
off the unnecessary feature, forgetting to remove/disable that bit of
software, or seeing no need to, before mass producing.


> --msa
-- 
-JH
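The per-building policy described in the message above (campus hosts and IPsec reach the printers, the rest of the internet does not), written out as an added nftables ruleset for the building's edge router; this is an illustration, not something from the thread or any campus, and the address ranges and the service port list are assumptions using RFC 5737 documentation space.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Ranges are constructed placeholders.
define campus_v4   = 198.51.100.0/22    # whole campus allocation (assumed)
define printers_v4 = 198.51.100.64/27   # this building's printer VLAN (assumed)

table inet printer_edge {
    chain forward {
        type filter hook forward priority filter; policy accept;

        # Replies for flows already admitted below keep flowing.
        ct state established,related accept

        # Campus hosts may use printer services: raw JetDirect, IPP, LPD.
        ip saddr $campus_v4 ip daddr $printers_v4 tcp dport { 9100, 631, 515 } accept

        # IPsec from campus to the printers: IKE, NAT-T, and ESP itself.
        ip saddr $campus_v4 ip daddr $printers_v4 udp dport { 500, 4500 } accept
        ip saddr $campus_v4 ip daddr $printers_v4 meta l4proto esp accept

        # Printer management (SNMP) from the campus range only.
        ip saddr $campus_v4 ip daddr $printers_v4 udp dport 161 accept

        # Anything else addressed to the printer VLAN, which includes UDP/19
        # chargen (and echo/discard) probes from the wider internet, is
        # counted, logged, and dropped so the printers never answer them.
        ip daddr $printers_v4 counter log prefix "printer-vlan-drop: " drop
    }
}
```

The final rule is what removes the amplification surface: a spoofed chargen request from outside the campus range is dropped before the printer can emit its oversized reply, and the counter gives a quick read on how often that is being attempted.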

