Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: InfoSec Handlers Diary Blog - A Chargen-based DDoS? Chargen is still a thing? InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

A Chargen-based DDoS? Chargen is still a thing?

Published: 2013-04-21
Last Updated: 2013-04-21 17:17:06 UTC
by John Bambenek (Version: 1)
3 comment(s)

In the recent few days there was another denial of service attack launched at financial organizations. (Yeah, I know, DDoS on a bank, that's *totally* never happens). What is newsworthy isn't that it happened, it was the means used to execute the attack. Specifically, the organizations were flooded with UDP port 19 traffic which is the chargen protocol. I am not sure I've ever seen a legitimate use of this protocol or encountered a machine that had it on intentionally before.

For review, chargen is basically a character generation protocol that listens on port 19 with TCP or UDP.  If you connect to TCP, it continues to stream random characters until you close the connection. With UDP, it will respond with an up to 512 byte response depending on the request.  In this particular case, it was another amplification attack using UDP.  What makes chargen under UDP so desirable is that you can spoof sources without having to worry about establishing a fake connection and that it responds with packets much larger than the request. In short, if your networks are exposing a service that responds to UDP with packets much larger than the request (DNS in particular is popular these days), take due care that you are doing rate-limiting if those protocols are Internet-accessible.

It's not a common attack using chargen and there is some evidence that in a few of the cases in the past few years the attack was used as a smoke screen to hide other attack traffic.

In this case, many of the devices used were commodity multifunction copiers and the like. Which leads to two questions:

1) Why are these Internet accessible?
2) Why did the vendor enable this protocol by default? (or possible some malicious individual enabled it)

So your takeaways are two-fold:

- Check to make sure you don't have Internet-accessible devices that don't need to be (and if they need to be, you are regulating UDP requests).
- Make sure you are doing some form of BCP 38 where you filter outbound traffic to ensure that no packets leave your network that don't have internal addresses. Amplification attacks rely on spoofed packets and if every provider implemented this filtering, we would see these attacks greatly diminish overnight.

And don't forget old and dead protocols, sometimes they're still around. :)

--
John Bambenek
bambenek \at\ gmail /dot/ com
Bambenek Consulting

3 comment(s)
Diary Archives