
SANS ISC: A Chargen-based DDoS? Chargen is still a thing? - SANS Internet Storm Center SANS ISC InfoSec Forums

A Chargen-based DDoS? Chargen is still a thing?

In the past few days there was another denial of service attack launched at financial organizations. (Yeah, I know, a DDoS on a bank, that *totally* never happens.) What is newsworthy isn't that it happened, but the means used to execute the attack. Specifically, the organizations were flooded with UDP port 19 traffic, which is the chargen protocol. I am not sure I've ever seen a legitimate use of this protocol or encountered a machine that had it on intentionally before.

For review, chargen is basically a character generation protocol that listens on port 19 with TCP or UDP. If you connect over TCP, it continues to stream random characters until you close the connection. With UDP, it will reply with a response of up to 512 bytes, depending on the request. In this particular case, it was another amplification attack using UDP. What makes chargen under UDP so desirable is that you can spoof sources without having to worry about establishing a fake connection, and that it responds with packets much larger than the request. In short, if your networks are exposing a service that responds to UDP with packets much larger than the request (DNS in particular is popular these days), take due care that you are doing rate-limiting if those protocols are Internet-accessible.

Attacks using chargen are not common, and there is some evidence that in a few cases over the past few years the attack was used as a smoke screen to hide other attack traffic.

In this case, many of the devices used were commodity multifunction copiers and the like. Which leads to two questions:

1) Why are these Internet accessible?
2) Why did the vendor enable this protocol by default? (Or possibly some malicious individual enabled it.)

So your takeaways are two-fold:

- Check to make sure you don't have Internet-accessible devices that don't need to be (and, if they need to be, that you are regulating UDP requests).
- Make sure you are doing some form of BCP 38, where you filter outbound traffic so that no packet leaves your network with a source address that is not one of your internal addresses. Amplification attacks rely on spoofed packets, and if every provider implemented this filtering, we would see these attacks greatly diminish overnight.

And don't forget old and dead protocols; sometimes they're still around. :)

John Bambenek
bambenek \at\ gmail /dot/ com
Bambenek Consulting


262 Posts
ISC Handler
Apr 21st 2013
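The two takeaways above can be checked against border flow data. The following is an added example, not part of the original diary: the flow-record layout, the internal prefixes (documentation address ranges) and the sample records are all constructed assumptions. It flags outbound packets whose source address is not internal (what BCP 38 egress filtering would drop) and internal hosts answering from UDP port 19, with the observed response-to-request size ratio.

```python
import ipaddress

# Assumption: the prefixes this network legitimately originates (documentation ranges).
INTERNAL = [ipaddress.ip_network("192.0.2.0/24"),
            ipaddress.ip_network("198.51.100.0/24")]
CHARGEN_PORT = 19

# Constructed border flow records: (direction, proto, src, sport, dst, dport, bytes)
SAMPLE_FLOWS = [
    ("out", "udp", "192.0.2.10", 53211, "203.0.113.5", 53, 70),        # ordinary DNS query
    ("out", "udp", "203.0.113.77", 40000, "203.0.113.9", 19, 29),      # non-internal source leaving
    ("in", "udp", "203.0.113.200", 4444, "198.51.100.40", 19, 29),     # request reaching a copier
    ("out", "udp", "198.51.100.40", 19, "203.0.113.200", 4444, 358),   # copier's chargen reply
    ("out", "tcp", "192.0.2.20", 50100, "203.0.113.80", 443, 1200),    # ordinary HTTPS
]

def is_internal(addr):
    """True if addr falls inside one of our own prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)

def audit(flows):
    """Return findings for BCP 38 violations and exposed chargen responders."""
    findings = []
    requests = {}  # (internal host, external peer, peer port) -> request size
    for direction, proto, src, sport, dst, dport, size in flows:
        # BCP 38: nothing should leave with a source address that is not ours.
        if direction == "out" and not is_internal(src):
            findings.append(("egress-spoofed-source", src, dst))
        if proto != "udp":
            continue
        if direction == "in" and dport == CHARGEN_PORT and is_internal(dst):
            requests[(dst, src, sport)] = size
        elif direction == "out" and sport == CHARGEN_PORT and is_internal(src):
            # An internal device answered on UDP/19: it is reachable and enabled.
            req = requests.get((src, dst, dport))
            factor = round(size / req, 1) if req else None
            findings.append(("chargen-responder", src, factor))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```
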
Excellent suggestion ... outbound filtering to known netblocks. A follow-on suggestion, for enterprises, would be to consider inbound filtering (i.e. the old choke router concept). Constrain inbound conversations to those ports for which you permit services. Chargen would likely not be on my list.

6 Posts
Chargen is easy to implement by accident on network gear - on Cisco routers for instance it's implemented by "service tcp-small-services", which also enables the echo, discard and daytime services. "service udp-small-services" is the UDP-related command.

On Windows, it's common to see this service open when folks install "Simple TCP/IP Services" as part of their server build.
Rob VandenBrink

579 Posts
ISC Handler
Does it make sense to validate packet sources? Are there protocols for that?

1 Posts
