
chargen is the new DDoS tool?



Heya everyone,

We have been getting reports lately about unsecured UDP chargen servers
in our network being abused for reflection attacks with spoofed sources.

http://en.wikipedia.org/wiki/Character_Generator_Protocol

| In the UDP implementation of the protocol, the server sends a UDP
| datagram containing a random number (between 0 and 512) of characters
| every time it receives a datagram from the connecting host. Any data
| received by the server is discarded.

We are seeing up to 1500 bytes of response though.

This seems to be something new. There aren't a lot of systems in our
network responding to chargen, but those that do have a 15x
amplification factor and generate more traffic than we have seen with
abused open resolvers.

Anyone else seeing that? Anyone who can think of a legitimate use of
chargen/udp these days? Fortunately I can't, so we're going to drop
19/udp at the border within the next hours.

Regards,
Bernhard
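
The following is an added example, not part of the original post: one way to find hosts in your own network that answer on 19/udp and to measure their amplification factor from flow data before and after a border filter goes in. The flow tuple layout, the sample addresses and byte counts, and the `min_factor` threshold are assumptions made for illustration.

```python
from collections import defaultdict

CHARGEN_PORT = 19  # chargen/udp

# Constructed flow records (documentation addresses, not real traffic):
# (src_ip, src_port, dst_ip, dst_port, proto, bytes)
SAMPLE_FLOWS = [
    ("198.51.100.7", 40000, "192.0.2.10", 19, "udp", 100),
    ("192.0.2.10", 19, "198.51.100.7", 40000, "udp", 1500),
    ("198.51.100.7", 40001, "192.0.2.10", 19, "udp", 100),
    ("192.0.2.10", 19, "198.51.100.7", 40001, "udp", 1500),
    ("203.0.113.5", 50000, "192.0.2.20", 19, "udp", 100),
    ("192.0.2.20", 19, "203.0.113.5", 50000, "udp", 74),
    ("192.0.2.30", 19, "198.51.100.9", 41000, "udp", 1500),  # request not seen
    ("192.0.2.40", 19, "198.51.100.9", 42000, "tcp", 5000),  # chargen/tcp, ignored
]


def chargen_reflectors(flows, min_factor=2.0):
    """Return {host: (bytes_in, bytes_out, factor)} for hosts replying from 19/udp
    whose reply volume is at least min_factor times the request volume."""
    bytes_in = defaultdict(int)   # traffic sent to port 19 on the host
    bytes_out = defaultdict(int)  # traffic the host sent from port 19
    for src, sport, dst, dport, proto, size in flows:
        if proto != "udp":
            continue
        if dport == CHARGEN_PORT:
            bytes_in[dst] += size
        if sport == CHARGEN_PORT:
            bytes_out[src] += size

    flagged = {}
    for host, tx in bytes_out.items():
        rx = bytes_in.get(host, 0)
        # Replies with no observed request (sampling, asymmetric routing)
        # are reported with an infinite factor rather than dropped.
        factor = tx / rx if rx else float("inf")
        if factor >= min_factor:
            flagged[host] = (rx, tx, factor)
    return flagged


if __name__ == "__main__":
    for host, (rx, tx, factor) in sorted(chargen_reflectors(SAMPLE_FLOWS).items()):
        print(f"{host}: {rx} B in, {tx} B out, factor {factor:.1f}")
```

In the constructed data, 192.0.2.10 shows the 15x factor described in the post, while 192.0.2.20 answers with less than it receives and is not flagged.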