We got hit with this in September. UDP/19 became our busiest port overnight. Most of the systems participating were printers. We dropped it at the border, and had no complaints or ill effects.
--Vlad Grigorescu
Carnegie Mellon University

On Jun 11, 2013, at 11:39 AM, Bernhard Schmidt <[email protected]> wrote:

> Heya everyone,
>
> we have been getting reports lately about unsecured UDP chargen servers
> in our network being abused for reflection attacks with spoofed sources
>
> http://en.wikipedia.org/wiki/Character_Generator_Protocol
>
> | In the UDP implementation of the protocol, the server sends a UDP
> | datagram containing a random number (between 0 and 512) of characters
> | every time it receives a datagram from the connecting host. Any data
> | received by the server is discarded.
>
> We are seeing up to 1500 bytes of response though.
>
> This seems to be something new. There aren't a lot of systems in our
> network responding to chargen, but those that do have a 15x
> amplification factor and generate more traffic than we have seen with
> abused open resolvers.
>
> Anyone else seeing that? Anyone who can think of a legitimate use of
> chargen/udp these days? Fortunately I can't, so we're going to drop
> 19/udp at the border within the next hours.
>
> Regards,
> Bernhard
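
One way to find the internal hosts that answer on UDP/19 and measure their amplification factor from border flow records, as an added example that is not part of the original thread. The CSV record layout, the 192.0.2.0/24 prefix standing in for the local network, and every sample row are constructed assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Assumption: documentation prefix standing in for the site's own address space.
INTERNAL = ipaddress.ip_network("192.0.2.0/24")
CHARGEN_PORT = 19

# Constructed flow records: proto,src,sport,dst,dport,packets,bytes
SAMPLE_FLOWS = """\
udp,198.51.100.7,40000,192.0.2.10,19,100,2900
udp,192.0.2.10,19,198.51.100.7,40000,100,43500
udp,198.51.100.7,40001,192.0.2.11,19,50,1450
udp,192.0.2.11,19,198.51.100.7,40001,50,5000
udp,203.0.113.5,53211,192.0.2.20,19,10,290
tcp,192.0.2.30,19,203.0.113.9,51000,5,400
udp,192.0.2.40,53,203.0.113.9,51000,5,900
"""

def chargen_reflectors(flow_text, min_factor=2.0):
    """Return {internal_ip: (bytes_in, bytes_out, factor)} for hosts replying from UDP/19."""
    bytes_in = defaultdict(int)   # request bytes arriving at an internal host on 19/udp
    bytes_out = defaultdict(int)  # reply bytes leaving an internal host from 19/udp
    for row in csv.reader(io.StringIO(flow_text)):
        if not row or row[0] != "udp":
            continue  # chargen over TCP is not usable for spoofed reflection
        _proto, src, sport, dst, dport, _pkts, nbytes = row
        if int(dport) == CHARGEN_PORT and ipaddress.ip_address(dst) in INTERNAL:
            bytes_in[dst] += int(nbytes)
        elif int(sport) == CHARGEN_PORT and ipaddress.ip_address(src) in INTERNAL:
            bytes_out[src] += int(nbytes)
    reflectors = {}
    for host, out in bytes_out.items():
        received = bytes_in.get(host, 0)
        # Replies with no matching inbound flow (sampling gaps) count as unbounded.
        factor = out / received if received else float("inf")
        if factor >= min_factor:
            reflectors[host] = (received, out, factor)
    return reflectors

if __name__ == "__main__":
    for host, (rx, tx, factor) in sorted(chargen_reflectors(SAMPLE_FLOWS).items()):
        print(f"{host}: {rx} B in, {tx} B out, amplification {factor:.1f}x")
```

Hosts that receive probes on 19/udp but never reply (192.0.2.20 in the sample) are not listed, since only responders contribute reflected traffic.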

