Brielle Bruns <bruns@2mbit.com> wrote:
Hey,
we have been getting reports lately about unsecured UDP chargen servers in our network being abused for reflection attacks with spoofed sources
http://en.wikipedia.org/wiki/Character_Generator_Protocol
| In the UDP implementation of the protocol, the server sends a UDP
| datagram containing a random number (between 0 and 512) of characters
| every time it receives a datagram from the connecting host. Any data
| received by the server is discarded.
We are seeing up to 1500 bytes of response though.
This seems to be something new. There aren't a lot of systems in our network responding to chargen, but those that do have a 15x amplification factor and generate more traffic than we have seen with abused open resolvers.
Anyone else seeing that? Anyone who can think of a legitimate use of chargen/udp these days? Fortunately I can't, so we're going to drop 19/udp at the border within the next hours.
*checks her calendar* I for a second worried I might have woken up from a 20 year long dream....
Are these like machines time forgot or just really bad configuration choices?
Not sure. The affected IPs are strongly clustered around the Faculty of Medicine, so from experience I would assume stone-old boxes. But not sure yet.

Bernhard