I can just see someone spoofing a packet from victimA port 7/UDP to victimB port 19/UDP. --Dave -----Original Message----- From: Leo Bicknell [mailto:bicknell@ufp.org] Sent: Tuesday, June 11, 2013 3:13 PM To: Bernhard Schmidt Cc: nanog@nanog.org Subject: Re: chargen is the new DDoS tool? On Jun 11, 2013, at 10:39 AM, Bernhard Schmidt <berni@birkenwald.de> wrote:
This seems to be something new. There aren't a lot of systems in our network responding to chargen, but those that do have a 15x amplification factor and generate more traffic than we have seen with abused open resolvers.
The number is non-zero? In 2013? While blocking it at your border is probably a fine way of mitigating the problem, I would recommend doing an internal nmap scan for such things, finding the systems that respond, and talking with their owners. Please report back to NANOG after talking to them letting us know if the owners were still using SunOS 4.x boxes for some reason, had accidentally enabled chargen, or if some malware had set up the servers. Inquiring minds would like to know! -- Leo Bicknell - bicknell@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/