On Tue, Jun 11, 2013 at 8:39 AM, Bernhard Schmidt <berni@birkenwald.de> wrote:
we have been getting reports lately about unsecured UDP chargen servers in our network being abused for reflection attacks with spoofed sources
Anyone else seeing that? Anyone who can think of a legitimate use of chargen/udp these days? Fortunately I can't, so we're going to drop 19/udp at the border within the next hours.
FWIW, last August we noticed 2.5Gbps of chargen being reflected off ~160 IPs (with large responses in violation of the RFC). As I recall, some quick investigation indicated it was mostly printers. I notified several of the worst offenders (rated by bandwidth).

While I think it's silly to be exposing chargen to the world (especially as a default service in a printer!), the real problem here is networks that allow spoofed traffic onto the public internet. In the rare cases we see spoofed traffic I put special effort into tracing them to their source, and then following up to educate those providers about egress filtering. I'd appreciate it if others did the same.

Damian
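Added example, not part of the original thread: one way an operator could find chargen/udp responders in their own network from exported flow records, ranked by bandwidth and flagged when replies exceed the 512-character limit RFC 864 sets for UDP. The CSV column names, the sample flows (documentation addresses) and the function name are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

CHARGEN_PORT = 19
RFC864_MAX_PAYLOAD = 512     # RFC 864: a UDP reply carries 0-512 characters
IPV4_UDP_OVERHEAD = 20 + 8   # assumption: IPv4 header without options + UDP header

# Constructed sample flow export; the column layout is hypothetical.
SAMPLE_FLOWS = """src_ip,src_port,dst_ip,dst_port,proto,packets,bytes
192.0.2.10,19,203.0.113.5,41000,udp,1000,1028000
192.0.2.10,19,203.0.113.5,41001,udp,500,514000
192.0.2.22,19,203.0.113.5,52000,udp,200,20000
192.0.2.30,53,203.0.113.9,33000,udp,900,450000
192.0.2.40,19,203.0.113.7,40000,tcp,50,30000
"""

def rank_chargen_reflectors(flow_csv):
    """Return hosts answering from 19/udp, sorted by bytes sent (largest first)."""
    totals = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        # Only traffic leaving a chargen/udp service is of interest here.
        if row["proto"].lower() != "udp" or int(row["src_port"]) != CHARGEN_PORT:
            continue
        totals[row["src_ip"]]["packets"] += int(row["packets"])
        totals[row["src_ip"]]["bytes"] += int(row["bytes"])

    report = []
    for ip, t in totals.items():
        if t["packets"] == 0:
            continue
        # Flow byte counts include headers; the average payload is an estimate.
        avg_payload = t["bytes"] / t["packets"] - IPV4_UDP_OVERHEAD
        report.append({
            "ip": ip,
            "bytes": t["bytes"],
            "avg_payload": avg_payload,
            "oversized": avg_payload > RFC864_MAX_PAYLOAD,
        })
    return sorted(report, key=lambda r: r["bytes"], reverse=True)

if __name__ == "__main__":
    for r in rank_chargen_reflectors(SAMPLE_FLOWS):
        note = "exceeds RFC 864 size" if r["oversized"] else "within RFC 864 size"
        print(f'{r["ip"]:<15} {r["bytes"]:>10} bytes  avg payload {r["avg_payload"]:.0f}  {note}')
```
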