Heya everyone,
we have been getting reports lately about unsecured UDP chargen servers in our network being abused for reflection attacks with spoofed sources
http://en.wikipedia.org/wiki/Character_Generator_Protocol
| In the UDP implementation of the protocol, the server sends a UDP
| datagram containing a random number (between 0 and 512) of characters
| every time it receives a datagram from the connecting host. Any data
| received by the server is discarded.
We are seeing up to 1500 bytes of response though.
This seems to be something new. There aren't a lot of systems in our network responding to chargen, but those that do have a 15x amplification factor and generate more traffic than we have seen with abused open resolvers.
Anyone else seeing that? Anyone who can think of a legitimate use of chargen/udp these days? Fortunately I can't, so we're going to drop 19/udp at the border within the next hours.
Regards, Bernhard
We got hit with this in September. UDP/19 became our busiest port overnight. Most of the systems participating were printers. We dropped it at the border, and had no complaints or ill effects.
--Vlad Grigorescu
Carnegie Mellon University
On Jun 11, 2013, at 11:39 AM, Bernhard Schmidt <berni@birkenwald.de> wrote:
Heya everyone,
we have been getting reports lately about unsecured UDP chargen servers in our network being abused for reflection attacks with spoofed sources
http://en.wikipedia.org/wiki/Character_Generator_Protocol
| In the UDP implementation of the protocol, the server sends a UDP
| datagram containing a random number (between 0 and 512) of characters
| every time it receives a datagram from the connecting host. Any data
| received by the server is discarded.
We are seeing up to 1500 bytes of response though.
This seems to be something new. There aren't a lot of systems in our network responding to chargen, but those that do have a 15x amplification factor and generate more traffic than we have seen with abused open resolvers.
Anyone else seeing that? Anyone who can think of a legitimate use of chargen/udp these days? Fortunately I can't, so we're going to drop 19/udp at the border within the next hours.
Regards, Bernhard
On Tue, 11 Jun 2013, Vlad Grigorescu wrote:
We got hit with this in September. UDP/19 became our busiest port overnight. Most of the systems participating were printers. We dropped it at the border, and had no complaints or ill effects.
Dropping the TCP and UDP "small services" like echo (not ICMP echo), chargen and discard as part of default firewall / filter policies probably isn't a bad idea. Those services used to be enabled by default on Cisco routers, but that hasn't been the case since probably around 11.3 (mid-late 90s). Other than providing another DDoS vector, I'm not aware of any legitimate reason to keep these services running and accessible. As always, YMMV.
jms
On 6/11/13, Justin M. Streiner <streiner@cluebyfour.org> wrote:
Other than providing another DDoS vector, I'm not aware of any legitimate reason to keep these services running and accessible. As always, YMMV.
They are useful for troubleshooting and diagnostic purposes. Just be sure to limit the maximum possible response rate and bandwidth for any source network, and be sure to truncate the length of the response to the length of the original query, so they cannot be used for amplification. If you can't do that, then shut them off :) The risk that they will be used to DoS the server that runs those services remains.
jms -- -JH
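A UDP chargen responder built the way Jimmy describes above, with the reply truncated to the request length and a per-source rate limit, as an added example that is not code from anyone in this thread. The demo port 1919, the 72-column line layout and the token-bucket parameters are my assumptions.

```python
import socket
import time
from collections import defaultdict

# The 95 printable ASCII characters that chargen cycles through (RFC 864).
PRINTABLE = bytes(range(0x20, 0x7F))
LINE_LEN = 72  # classic chargen line width, an assumption of this example


def chargen_line(offset: int) -> bytes:
    """One 72-character line starting at PRINTABLE[offset % 95], plus CRLF."""
    doubled = PRINTABLE + PRINTABLE  # lets a line wrap past '~' back to ' '
    start = offset % len(PRINTABLE)
    return doubled[start:start + LINE_LEN] + b"\r\n"


def build_reply(request: bytes, line_offset: int = 0) -> bytes:
    """Chargen pattern truncated to len(request) bytes.

    bytes_out can never exceed bytes_in, so the amplification factor is
    at most 1.0; an empty datagram gets an empty (unsent) reply.
    """
    want = len(request)
    out = bytearray()
    offset = line_offset
    while len(out) < want:
        out += chargen_line(offset)
        offset += 1
    return bytes(out[:want])


class SourceRateLimiter:
    """Per-source token bucket: `rate` replies/second, bursting to `burst`."""

    def __init__(self, rate: float, burst: int):
        self.rate = rate
        self.burst = burst
        self._tokens = defaultdict(lambda: float(burst))
        self._last = {}

    def allow(self, src: str, now: float) -> bool:
        last = self._last.get(src, now)
        refill = (now - last) * self.rate
        self._tokens[src] = min(self.burst, self._tokens[src] + refill)
        self._last[src] = now
        if self._tokens[src] >= 1.0:
            self._tokens[src] -= 1.0
            return True
        return False  # over budget: caller drops silently, nothing is queued


def amplification(request: bytes, reply: bytes) -> float:
    """bytes out / bytes in for one exchange; 0.0 when nothing was sent back."""
    return len(reply) / len(request) if request else 0.0


def serve(bind_addr=("127.0.0.1", 1919), rate=2.0, burst=5):
    """Answer UDP datagrams with non-amplifying, rate-limited chargen replies."""
    limiter = SourceRateLimiter(rate, burst)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind_addr)
    line_offset = 0
    while True:
        data, peer = sock.recvfrom(2048)
        if not limiter.allow(peer[0], time.monotonic()):
            continue
        reply = build_reply(data, line_offset)
        line_offset += 1
        if reply:  # never answer an empty probe
            sock.sendto(reply, peer)


if __name__ == "__main__":
    serve()
```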
On 6/11/13 9:39 AM, Bernhard Schmidt wrote:
Heya everyone,
we have been getting reports lately about unsecured UDP chargen servers in our network being abused for reflection attacks with spoofed sources
http://en.wikipedia.org/wiki/Character_Generator_Protocol
| In the UDP implementation of the protocol, the server sends a UDP
| datagram containing a random number (between 0 and 512) of characters
| every time it receives a datagram from the connecting host. Any data
| received by the server is discarded.
We are seeing up to 1500 bytes of response though.
This seems to be something new. There aren't a lot of systems in our network responding to chargen, but those that do have a 15x amplification factor and generate more traffic than we have seen with abused open resolvers.
Anyone else seeing that? Anyone who can think of a legitimate use of chargen/udp these days? Fortunately I can't, so we're going to drop 19/udp at the border within the next hours.
*checks her calendar* For a second I worried I might have woken up from a 20 year long dream.... Are these like machines time forgot or just really bad configuration choices?
--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org / http://www.ahbl.org
Brielle Bruns <bruns@2mbit.com> wrote:
Hey,
we have been getting reports lately about unsecured UDP chargen servers in our network being abused for reflection attacks with spoofed sources
http://en.wikipedia.org/wiki/Character_Generator_Protocol
| In the UDP implementation of the protocol, the server sends a UDP
| datagram containing a random number (between 0 and 512) of characters
| every time it receives a datagram from the connecting host. Any data
| received by the server is discarded.
We are seeing up to 1500 bytes of response though.
This seems to be something new. There aren't a lot of systems in our network responding to chargen, but those that do have a 15x amplification factor and generate more traffic than we have seen with abused open resolvers.
Anyone else seeing that? Anyone who can think of a legitimate use of chargen/udp these days? Fortunately I can't, so we're going to drop 19/udp at the border within the next hours.
*checks her calendar* For a second I worried I might have woken up from a 20 year long dream....
Are these like machines time forgot or just really bad configuration choices?
Not sure. The affected IPs are strongly clustered around the Faculty of Medicine, so from experience I would assume stone-old boxes. But not sure yet. Bernhard
On Tue, 11 Jun 2013 12:06:36 -0400, Brielle Bruns <bruns@2mbit.com> wrote:
Are these like machines time forgot or just really bad configuration choices?
All of the above plus very poorly managed network / network security. (sadly a Given(tm) for anything ending dot-e-d-u.) a) why are *printers* given public IPs? and b) why are internet hosts allowed to talk to them? I'm actually *very* surprised your printers are still functional if the whole internet can reach them. Being an edu, even if they aren't globally reachable, there is *plenty* of mischievousness already inside the borders! Securing a campus from the world... easy; securing a campus from its own users... good luck with that.
--Ricky
On Tue, Jun 11, 2013 at 07:52:02PM -0400, Ricky Beam wrote:
All of the above plus very poorly managed network / network security. (sadly a Given(tm) for anything ending dot-e-d-u.) a) why are *printers* given public IPs? and b) why are internet hosts allowed to talk to them? I'm actually *very* surprised your printers are still functional if the whole internet can reach them.
You've never worked for one, have you? Guess what, they have /16s, they use them, and they like the ability to print from one side of campus to the other. Are you suggesting gigantic NATs with 120,000 students and faculty behind them? I have a hard time blaming a school for this. I have an easy time wondering why printer manufacturers are including chargen support in firmware. --msa
On Tue, Jun 11, 2013 at 4:57 PM, Majdi S. Abbas <msa@latt.net> wrote:
I have a hard time blaming a school for this. I have an easy time wondering why printer manufacturers are including chargen support in firmware.
Isn't that what printers do? Generate characters? It was in the design spec. /me thinks of PHB going down port list, "yep, need that one!"
--
Joe Hamelin, W7COM, Tulalip, WA, 360-474-7474
On Tue, 11 Jun 2013 19:57:17 -0400, Majdi S. Abbas <msa@latt.net> wrote:
You've never worked for one, have you?
Indeed I have. Which is why I haven't for a great many years. Academics tend to be, well, academic. That is, rather far out of touch with the realities of running / securing a network. I've used the word "incompetent" in previous conversations, but that's mostly a factor of overwork in an environment where few people are ever fired for such.
Guess what, they have /16s, they use them, and they like the ability to print from one side of campus to the other. Are you suggesting gigantic NATs with 120,000 students and faculty behind them?
Guess what, there are companies that have /8's, and they manage to keep their network(s) reasonably secured. I'm not talking about uber-large NAT; I'm talking about proper boundary security. If you cannot figure out how to keep the internet away from your printers, you should look into other lines of employment. Limiting access of the residential network into the departmental networks is one of the first things in the design of a res-net. Otherwise, there's 25k potential script kiddies (or infected home computers now on your network) waiting to attack everything on campus. But we're headed into the weeds here...
I have a hard time blaming a school for this. I have an easy time wondering why printer manufacturers are including chargen support in firmware.
I have the same bewilderment about people allowing such unsolicited traffic into their network(s) in the first place. Even with IPv6 (where there's no NAT forcing the issue), I run a default deny policy... if nothing asked for it, it doesn't get in. Also, why the hell aren't providers doing anything to limit spoofing?!? I'm staring right at you AT&T (former Bellsouth.)
--Ricky
On Tue, 11 Jun 2013 21:37:04 -0400, "Ricky Beam" said:
Indeed I have. Which is why I haven't for a great many years. Academics tend to be, well, academic. That is, rather far out of touch with the realities of running / securing a network.
Do you have any actual evidence that a .edu of (say) 2K employees is statistically *measurably* less secure than a .com of 2K employees? We keep hearing that meme - and yet, looking at the archives of this list, I see a lot more stories of network providers who should know better doing stupid stuff than I see of .edu's doing stupid stuff. The Verizon report says small business is actually the biggest cesspit of abuse: http://money.cnn.com/2013/04/22/smallbusiness/small-business-cybercrime/inde... http://www.verizonenterprise.com/DBIR/2013/ ~100 employee firms in health care appear to be a particular lost cause.
On Tue, 11 Jun 2013 22:55:12 -0400, <Valdis.Kletnieks@vt.edu> wrote:
Do you have any actual evidence that a .edu of (say) 2K employees is statistically *measurably* less secure than a .com of 2K employees?
We're sorta lookin' at one now. :-) But seriously, how do you measure one's security? The scope is constantly changing. While there are companies one can pay to do this, those reports are *very* rarely published. And I've not heard of a single edu performing such an audit. The only statistics we have to run with are of *known* breaches. And that's a very bad metric as a company with no security at all that's had no (reported) intrusions appears to have very good security, while a company with extensive security looks very bad after a few breaches. One has no one sniffing around at all, while the other has teams going at it with pick-axes. One likely has no one in charge of security, while the other has an entire security department.
This is basically untrue. I can deal with a good rant as long as there's some value in it. As it is (I'm sorta sorry) I picked this apart.
On Jun 12, 2013 12:04 AM, "Ricky Beam" <jfbeam@gmail.com> wrote:
On Tue, 11 Jun 2013 22:55:12 -0400, <Valdis.Kletnieks@vt.edu> wrote:
But seriously, how do you measure one's security?
Banks and insurance companies supposedly have some interesting actuarial data on this.
The scope is constantly changing.
Not really. The old tricks are the best tricks. And when a default install of Windows still allows you to request old NTLM authentication and most people don't think twice about this, there's a problem.
While there are companies one can pay to do this, those reports are *very* rarely published.
It seems you are referring to two things - exploit writing vs pen testing. While I hate saying this, there are automated tools that could clean up most networks for a few K (they can also take down things if you aren't careful so I'm not saying spend 2k and forget about it). Basically, not everyone needs to pay for a professional test out of the gate - fix the easily found stuff and then consider next steps. As for exploit writing, you can pay for this and have an 0day for between $10 and $50k (AFAIK - not what I do with my time / money) but while you've got stuff with known issues on the net that any scanner can find, thinking someone is going to think about using an 0day to break into your stuff is a comical wet dream.
And I've not heard of a single edu performing such an audit.
And you won't. I'm not going to tell you about past problems with my stuff because even after I think I've fixed everything, maybe I missed something that you can now easily find with the information I've disclosed. There are information sharing agreements between entities generally in the same industry (maybe even some group like this for edu?). But this will help with source and signatures, if your network is like a sieve, fix that first :)
The only statistics we have to run with are of *known* breaches.
As I indicated above, 0days are expensive and no one is going to waste one on you. Put another way, if someone does, go home proud - you're in with the big boys (military, power plants, spy agencies) someone paid top dollar for your stuff because you had everything else closed.
And that's a very bad metric as a company with no security at all that's had no (reported) intrusions appears to have very good security, while a company with extensive security looks very bad after a few breaches.
I'll take that metric any day :) Most companies only release a break-in if they leak customer data. The only recent example I can think of where this wasn't true was the Canadian company that develops SCADA software disclosing that China stole their stuff. Second, if you look at the stocks of public companies that were hacked a year later, they're always up. The exception to this is HBGary who pissed off Anonymous and are no longer in business (they had shady practices that were disclosed by the hack - don't do this).
One has no one sniffing around at all, while the other has teams going at it with pick-axes.
If you have no one sniffing around, you've got issues.
One likely has no one in charge of security, while the other has an entire security department.
Whether you have a CSO in name or not might not matter. Depending on the size of the organization (and politics), a CTO that understands security can do just as much.
On 6/12/13, shawn wilson <ag4ve.us@gmail.com> wrote:
This is basically untrue. I can deal with a good rant as long as there's some value in it. As it is (I'm sorta sorry) I picked this apart.
On Jun 12, 2013 12:04 AM, "Ricky Beam" <jfbeam@gmail.com> wrote:
On Tue, 11 Jun 2013 22:55:12 -0400, <Valdis.Kletnieks@vt.edu> wrote:
But seriously, how do you measure one's security? Banks and insurance companies supposedly have some interesting actuarial data on this.
The scope is constantly changing.
Not really. The old tricks are the best tricks. And when a default install of Windows still allows you to request old NTLM authentication and most people don't think twice about this, there's a problem.
By best, you must mean effective against the greatest number of targets.
Backwards compatibility and protocol downgrade-ability is a PITA.
It seems you are referring to two things - exploit writing vs pen testing. While I hate saying this, there are automated tools that could clean up most networks for a few K (they can also take down things if you aren't careful so I'm not saying spend 2k and forget about it). Basically, not
For the orgs that the 2K tool is likely to be most useful for, $2k is a lot of cash. The scan tools that are really worth the trouble start around 5K, and people don't like making much investment in security products, until they know they have a known breach on their hands. Many are likely to forego both, purchase the cheapest firewall appliance they can find, that claims to have antivirus functionality, maybe some stateful TCP filtering, and Web policy enforcement to restrict surfing activity; and feel safe, "the firewall protects us", no other security planning or products or services req'd.
As I indicated above, 0days are expensive and no one is going to waste one on you. Put another way, if someone does, go home proud - you're in with [snip]
I would call this wishful thinking; 0days are expensive, so the people who want to use them, will want to get the most value they can get out of the 0day, before the bug gets fixed. That means both small numbers of high value targets, and, then... large numbers of lesser value targets. If you have a computer connected to the internet, some bandwidth, and a web browser or e-mail address, you are a probable target. If a 0day is used against you, it's most likely to be used against your web browser visiting a "trusted" site you normally visit. The baddies can help protect their investment in 0day exploit code, by making sure that by the time you detect it, the exploit code is long gone, so the infection vector will be unknown. -- -JH
On Wed, Jun 12, 2013 at 4:51 AM, Jimmy Hess <mysidia@gmail.com> wrote:
On 6/12/13, shawn wilson <ag4ve.us@gmail.com> wrote:
The scope is constantly changing.
Not really. The old tricks are the best tricks. And when a default install of Windows still allows you to request old NTLM authentication and most people don't think twice about this, there's a problem.
By best, you must mean effective against the greatest number of targets.
By best, I mean effective - end of story.
Backwards compatibility and protocol downgrade-ability is a PITA.
Yes, telling people that NT/2k can't be on your network might be a PITA, but not using software or hardware that has gone EOL is sometimes just a sensible business practice.
It seems you are referring to two things - exploit writing vs pen testing. While I hate saying this, there are automated tools that could clean up most networks for a few K (they can also take down things if you aren't careful so I'm not saying spend 2k and forget about it). Basically, not
For the orgs that the 2K tool is likely to be most useful for, $2k is a lot of cash. The scan tools that are really worth the trouble start around 5K, and people don't like making much investment in security products, until they know they have a known breach on their hands. Many are likely to forego both, purchase the cheapest firewall appliance they can find, that claims to have antivirus functionality, maybe some stateful TCP filtering, and Web policy enforcement to restrict surfing activity; and feel safe, "the firewall protects us", no other security planning or products or services req'd.
I don't really care to price stuff so I might be a little off here (most of this stuff has free components). Nessus starts at around $1k, Armitage is about the same (but no auto-pown, darn), Metasploit Pro is a few grand. My point being, you can have a decent scanner (Nessus) catching the really bad stuff for not much money (I dislike this line of thought, but if you aren't knowledgeable to use tools and just want a report for a grand, there you go).
As I indicated above, 0days are expensive and no one is going to waste one on you. Put another way, if someone does, go home proud - you're in with [snip]
I would call this wishful thinking; 0days are expensive, so the people who want to use them, will want to get the most value they can get out of the 0day, before the bug gets fixed.
0days are expensive, so when you see them, someone (Google, Firefox, Adobe, etc) has generally paid for them. Once you see them, they are not 0days (despite what people like to call recently disclosed public vulns - it ain't an 0day).
That means both small numbers of high value targets, and, then... large numbers of lesser value targets. If you have a computer connected to the internet, some bandwidth, and a web browser or e-mail address, you are a probable target.
No, this means Stuxnet, Duqu, Flame. This means, I spent a million on people pounding on stuff for a year, I'm going to take out a nuclear facility or go after Google or RSA. I want things more valuable than your students' social security numbers.
If a 0day is used against you, it's most likely to be used against your web browser visiting a "trusted" site you normally visit.
I don't have anything to back this up off hand, but my gut tells me that most drive by web site malware isn't that well thought out.
The baddies can help protect their investment in 0day exploit code, by making sure that by the time you detect it, the exploit code is long gone, so the infection vector will be unknown.
If the US government can't prevent companies from analyzing their work, do you really think random "baddies" can? Seriously?... No really, seriously? Here's the point, once you use an 0day, it is not an 0day. It's burnt. It might still work on some people, but chances are all your high value targets know about it and it won't work on them.
On Wed, Jun 12, 2013 at 7:14 AM, Aaron Glenn <aaron.glenn@gmail.com> wrote:
On Wed, Jun 12, 2013 at 11:17 AM, shawn wilson <ag4ve.us@gmail.com> wrote:
Banks and insurance companies supposedly have some interesting actuarial data on this.
Do you know of any publicly available sources?
I don't. There's a US entity that represents credit card companies that has their own type of "Verizon Data Breach Investigations Report" where you might find some info of this type. You might also look at how/if AlienVault and others rank threats which should give you the "how hard is this hack" and "how hard is this to fix" figure. The theory behind generating this type of actuarial data should be more available than it is. I have a feeling that companies who have this information look at entities in the same type of business and make educated guesses on how breaches affected their bottom line based on stock value and the like. There is probably some private data sharing here as well.
I'm going to bypass the academic vs. non-academic security argument because I've worked everywhere, and from a security viewpoint, there is plenty of fail to go around.
On Tue, Jun 11, 2013 at 09:37:04PM -0400, Ricky Beam wrote:
I run a default deny policy... if nothing asked for it, it doesn't get in.
This is a fine thing and good thing. But as you've expressed it here, it's incomplete, because of that last clause: "it doesn't get in". For default-deny to be effective, it has to be bidirectional. Please don't tell me it can't be done. I've done it. Repeatedly. It's a LOT of work. (Although progress in toolsets keeps making it easier.) But it's also essential, since your responsibility is not just to defend your operation from the Internet, but to defend the Internet from your operation.
---rsk
On 6/11/13, Majdi S. Abbas <msa@latt.net> wrote:
On Tue, Jun 11, 2013 at 07:52:02PM -0400, Ricky Beam wrote:
All of the above plus very poorly managed network / network security. (sadly a Given(tm) for anything ending dot-e-d-u.) a) why are *printers* given public IPs? and b) why are internet hosts allowed to talk to them? I'm actually *very* surprised your printers are still functional if the whole internet can reach them.
Who really has a solid motive to make them stop working (other than a printer manufacturer who wants to sell them more) ?
Guess what, they have /16s, they use them, and they like the ability to print from one side of campus to the other. Are you suggesting gigantic NATs with 120,000 students and faculty behind them?
A per-building NAT would work, with static translations for printers in that building, and an ACL with an allow list including IPsec traffic to the printer from the campus' IP range. They don't have to use NAT though to avoid unnecessary exposure of services on internal equipment to the larger world.
I have a hard time blaming a school for this. I have an easy time wondering why printer manufacturers are including chargen support in firmware.
They probably built their printer on top of a general purpose or embedded OS they purchased from someone else, or reused, that included an IP stack -- as well as other features that were unnecessary for their use case. Or the chargen tool may have been used during stress tests to verify proper networking, and that the IP stack processed bits without corrupting them; with the manufacturer forgetting/neglecting to turn off the unnecessary feature, forgetting to remove/disable that bit of software, or seeing no need to, before mass producing.
--msa -- -JH
On Tue, 11 Jun 2013 22:52:52 -0400, Jimmy Hess <mysidia@gmail.com> wrote:
Who really has a solid motive to make them stop working (other than a printer manufacturer who wants to sell them more) ?
Duh, so people cannot print to them. (amongst various other creative pranks) From a cybercriminal pov, to swipe the things you're printing... like that CC authorization form you just printed, or a confidential contract, etc. (also, in many offices, the printer is also the scanner and fax)
--Ricky
Getting back to the topic. I just saw quite a few of our hosts scanned for this by 192.111.155.106 which doesn't say much on its own as http://dacentec.com/ is a hosting company.
On Tue, Jun 11, 2013 at 11:27 PM, Ricky Beam <jfbeam@gmail.com> wrote:
On Tue, 11 Jun 2013 22:52:52 -0400, Jimmy Hess <mysidia@gmail.com> wrote:
Who really has a solid motive to make them stop working (other than a printer manufacturer who wants to sell them more) ?
Duh, so people cannot print to them. (amongst various other creative pranks)
From a cybercriminal pov, to swipe the things you're printing... like that CC authorization form you just printed, or a confidential contract, etc. (also, in many offices, the printer is also the scanner and fax)
--Ricky
On Tue, 11 Jun 2013 19:52:02 -0400 "Ricky Beam" <jfbeam@gmail.com> wrote:
All of the above plus very poorly managed network / network security. (sadly a Given(tm) for anything ending dot-e-d-u.)
That broad sweeping characterization, without any evidence, can be as casually dismissed without evidence. However, I will go on record, as I'm sure many others will as well: in my experience the .edu community, particularly the medium to larger schools who have dedicated IT staff, are often amongst the best managed networks, with regards to security or otherwise. If there is any issue with that sector, you should contact the REN-ISAC, one of the most well executed security constituent groups I've ever seen. They tirelessly reach out and assist on most any educational related incident.
John
Hmmm. Do you not run a default deny at your border, which would catch this sort of thing? Granted that's not always possible I suppose. Maybe block all UDP you don't specifically need? Do you have an ids/ips? If not, look at SecurityOnion on a SPAN port, it will provide great insight into what's happening. Generally these sort of legacy services are only used for malicious activity and will light up an ids/ips like a Christmas tree. They must be old boxes. I can't think of any recent os distributions which would even have these services listening, let alone installed.
Bernhard Schmidt <berni@birkenwald.de> wrote:
Heya everyone,
we have been getting reports lately about unsecured UDP chargen servers in our network being abused for reflection attacks with spoofed sources
http://en.wikipedia.org/wiki/Character_Generator_Protocol
| In the UDP implementation of the protocol, the server sends a UDP
| datagram containing a random number (between 0 and 512) of characters
| every time it receives a datagram from the connecting host. Any data
| received by the server is discarded.
We are seeing up to 1500 bytes of response though.
This seems to be something new. There aren't a lot of systems in our network responding to chargen, but those that do have a 15x amplification factor and generate more traffic than we have seen with abused open resolvers.
Anyone else seeing that? Anyone who can think of a legitimate use of chargen/udp these days? Fortunately I can't, so we're going to drop 19/udp at the border within the next hours.
Regards, Bernhard
--
Charles Wyble
charles@knownelement.com / 818 280 7059
CTO Free Network Foundation (www.thefnf.org)
On Jun 11, 2013, at 10:39 AM, Bernhard Schmidt <berni@birkenwald.de> wrote:
This seems to be something new. There aren't a lot of systems in our network responding to chargen, but those that do have a 15x amplification factor and generate more traffic than we have seen with abused open resolvers.
The number is non-zero? In 2013? While blocking it at your border is probably a fine way of mitigating the problem, I would recommend doing an internal nmap scan for such things, finding the systems that respond, and talking with their owners. Please report back to NANOG after talking to them letting us know if the owners were still using SunOS 4.x boxes for some reason, had accidentally enabled chargen, or if some malware had set up the servers. Inquiring minds would like to know!
--
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
I can just see someone spoofing a packet from victimA port 7/UDP to victimB port 19/UDP.
--Dave
-----Original Message-----
From: Leo Bicknell [mailto:bicknell@ufp.org]
Sent: Tuesday, June 11, 2013 3:13 PM
To: Bernhard Schmidt
Cc: nanog@nanog.org
Subject: Re: chargen is the new DDoS tool?
On Jun 11, 2013, at 10:39 AM, Bernhard Schmidt <berni@birkenwald.de> wrote:
This seems to be something new. There aren't a lot of systems in our network responding to chargen, but those that do have a 15x amplification factor and generate more traffic than we have seen with abused open resolvers.
The number is non-zero? In 2013? While blocking it at your border is probably a fine way of mitigating the problem, I would recommend doing an internal nmap scan for such things, finding the systems that respond, and talking with their owners. Please report back to NANOG after talking to them letting us know if the owners were still using SunOS 4.x boxes for some reason, had accidentally enabled chargen, or if some malware had set up the servers. Inquiring minds would like to know!
--
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
On Tue, 11 Jun 2013 15:38:45 -0400, "David Edelman" said:
I can just see someone spoofing a packet from victimA port 7/UDP to victimB port 19/UDP.
For a while, it was possible to spoof packets to create a TCP connection from a machine's chargen port to its own discard port and walk away while it burned to the ground. Fun times.
On Jun 12, 2013, at 2:13 AM, Leo Bicknell wrote:
The number is non-zero? In 2013?
These are largely modern printers and other 'embedded' devices which are running OS configurations apparently cribbed out of 20-year-old gopher docs. ;>
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design. -- John Milton
On Tue, Jun 11, 2013 at 8:39 AM, Bernhard Schmidt <berni@birkenwald.de> wrote:
we have been getting reports lately about unsecured UDP chargen servers in our network being abused for reflection attacks with spoofed sources
Anyone else seeing that? Anyone who can think of a legitimate use of chargen/udp these days? Fortunately I can't, so we're going to drop 19/udp at the border within the next hours.
FWIW, last August we noticed 2.5Gbps of chargen being reflected off ~160 IPs (with large responses in violation of the RFC). As I recall, some quick investigation indicated it was mostly printers. I notified several of the worst offenders (rated by bandwidth). While I think it's silly to be exposing chargen to the world (especially as a default service in a printer!), the real problem here is networks that allow spoofed traffic onto the public internet. In the rare cases we see spoofed traffic I put special effort into tracing them to their source, and then following up to educate those providers about egress filtering. I'd appreciate it if others did the same.
Damian
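A way to find your own reflectors from flow data, measuring the per-host amplification factor Bernhard mentions at the top of the thread and ranking offenders by outbound bandwidth as Damian did, as an added example that is not code from anyone in this thread. The flow records are constructed sample data using documentation address ranges, and the 7-field record layout is my assumption.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not real traffic). One summarised flow per
# line: "src_ip src_port dst_ip dst_port proto packets bytes". 198.51.100.0/24
# stands in for the campus; 203.0.113.10 is the (spoofed) outside source.
SAMPLE_FLOWS = """\
203.0.113.10 53 198.51.100.21 19 17 1000 60000
198.51.100.21 19 203.0.113.10 53 17 1000 900000
203.0.113.10 53 198.51.100.22 19 17 500 30000
198.51.100.22 19 203.0.113.10 53 17 500 15000
203.0.113.10 53 198.51.100.23 19 17 200 12000
203.0.113.10 53 198.51.100.30 80 6 10 600
198.51.100.30 80 203.0.113.10 53 6 10 4000
"""

CHARGEN_PORT = 19
UDP = 17


def parse_flows(text):
    """Parse the constructed record layout into dicts; blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split()
        rows.append({"src": f[0], "sport": int(f[1]), "dst": f[2],
                     "dport": int(f[3]), "proto": int(f[4]),
                     "packets": int(f[5]), "bytes": int(f[6])})
    return rows


def chargen_reflectors(flows, local_net, min_factor=1.0):
    """Per local host: bytes received on udp/19 vs bytes sent from udp/19.

    Returns {host: (bytes_in, bytes_out, factor)} for hosts that answered
    and whose factor (out/in) is at least min_factor. Hosts that answer
    with less than they receive, or not at all, are not reflectors.
    """
    net = ipaddress.ip_network(local_net)
    bytes_in = defaultdict(int)
    bytes_out = defaultdict(int)
    for fl in flows:
        if fl["proto"] != UDP:
            continue
        if fl["dport"] == CHARGEN_PORT and ipaddress.ip_address(fl["dst"]) in net:
            bytes_in[fl["dst"]] += fl["bytes"]
        elif fl["sport"] == CHARGEN_PORT and ipaddress.ip_address(fl["src"]) in net:
            bytes_out[fl["src"]] += fl["bytes"]
    result = {}
    for host in set(bytes_in) | set(bytes_out):
        i, o = bytes_in[host], bytes_out[host]
        if not o:
            continue
        factor = o / i if i else float("inf")  # inf: replies with no request seen
        if factor >= min_factor:
            result[host] = (i, o, round(factor, 2))
    return result


def rank_by_bandwidth(reflectors):
    """Worst offenders first, by bytes sent from udp/19."""
    return sorted(reflectors.items(), key=lambda kv: kv[1][1], reverse=True)


if __name__ == "__main__":
    found = chargen_reflectors(parse_flows(SAMPLE_FLOWS), "198.51.100.0/24")
    for host, (i, o, factor) in rank_by_bandwidth(found):
        print(f"{host}: in={i} out={o} amplification={factor}x")
```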
participants (18)
- Aaron Glenn
- Bernhard Schmidt
- Brielle Bruns
- Charles Wyble
- Damian Menscher
- David Edelman
- Dobbins, Roland
- Jimmy Hess
- Joe Hamelin
- John Kristoff
- Justin M. Streiner
- Leo Bicknell
- Majdi S. Abbas
- Rich Kulawiec
- Ricky Beam
- shawn wilson
- Valdis.Kletnieks@vt.edu
- Vlad Grigorescu