On 6/11/13 9:39 AM, Bernhard Schmidt wrote:
Heya everyone,
we have been getting reports lately about unsecured UDP chargen servers in our network being abused for reflection attacks with spoofed sources.
http://en.wikipedia.org/wiki/Character_Generator_Protocol
| In the UDP implementation of the protocol, the server sends a UDP
| datagram containing a random number (between 0 and 512) of characters
| every time it receives a datagram from the connecting host. Any data
| received by the server is discarded.
We are seeing up to 1500 bytes of response though.
This seems to be something new. There aren't a lot of systems in our network responding to chargen, but those that do have a 15x amplification factor and generate more traffic than we have seen with abused open resolvers.
Anyone else seeing that? Anyone who can think of a legitimate use of chargen/udp these days? Fortunately I can't, so we're going to drop 19/udp at the border within the next hours.
*checks her calendar*

I for a second worried I might have woken up from a 20 year long dream....

Are these like machines time forgot or just really bad configuration choices?

-- 
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org / http://www.ahbl.org
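Added example, not part of the thread: one way to locate the chargen responders described in the quoted report from flow data, by comparing the bytes each internal host sends from source port 19/udp with the bytes it receives on that port. The flow-record tuple layout, the addresses (documentation ranges), the byte counts and the `min_factor` threshold are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

CHARGEN_PORT = 19  # chargen, the 19/udp named in the post

# Constructed sample flows: (src_ip, src_port, dst_ip, dst_port, proto, bytes)
SAMPLE_FLOWS = [
    ("198.51.100.7", 40000, "192.0.2.10", 19, "udp", 100),   # request, source may be spoofed
    ("192.0.2.10", 19, "198.51.100.7", 40000, "udp", 1500),  # reply sent to the claimed source
    ("198.51.100.7", 40001, "192.0.2.10", 19, "udp", 100),
    ("192.0.2.10", 19, "198.51.100.7", 40001, "udp", 1500),
    ("198.51.100.7", 40002, "192.0.2.20", 19, "udp", 100),   # probe, host does not answer
    ("192.0.2.30", 19, "203.0.113.9", 5555, "udp", 1400),    # reply seen, request not captured
    ("203.0.113.9", 51000, "192.0.2.10", 19, "tcp", 300),    # chargen/tcp, out of scope here
    ("192.0.2.40", 53, "203.0.113.9", 33000, "udp", 900),    # unrelated UDP service
]


def chargen_responders(flows, internal_net, min_factor=2.0):
    """Return {host: (bytes_in, bytes_out, factor)} for internal hosts that
    answer on 19/udp with at least min_factor times the bytes they received."""
    net = ipaddress.ip_network(internal_net)
    bytes_in = defaultdict(int)   # traffic arriving at internal host, dst port 19
    bytes_out = defaultdict(int)  # traffic leaving internal host, src port 19
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if dport == CHARGEN_PORT and ipaddress.ip_address(dst) in net:
            bytes_in[dst] += nbytes
        elif sport == CHARGEN_PORT and ipaddress.ip_address(src) in net:
            bytes_out[src] += nbytes
    report = {}
    for host, sent in bytes_out.items():
        received = bytes_in.get(host, 0)
        # Replies without a captured request (asymmetric path, sampling)
        # are still reported, with an unbounded factor.
        factor = sent / received if received else float("inf")
        if factor >= min_factor:
            report[host] = (received, sent, factor)
    return report


if __name__ == "__main__":
    for host, (rx, tx, f) in sorted(chargen_responders(SAMPLE_FLOWS, "192.0.2.0/24").items()):
        print(f"{host}: in={rx}B out={tx}B factor={f:.1f}x")
```

Hosts that appear in the result are candidates for disabling the chargen service, independent of any 19/udp filter at the border.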