In the last few days there was another denial of service attack launched at financial organizations. (Yeah, I know, a DDoS on a bank, that *totally* never happens.) What is newsworthy isn't that it happened, but the means used to execute the attack. Specifically, the organizations were flooded with UDP port 19 traffic, which is the chargen protocol. I am not sure I've ever seen a legitimate use of this protocol or encountered a machine that had it on intentionally before.

For review, chargen is basically a character generation protocol that listens on port 19 over TCP or UDP. If you connect over TCP, it keeps streaming random characters until you close the connection. Over UDP, it answers each datagram with a response of up to 512 bytes, depending on the request. In this particular case, it was another amplification attack using UDP. What makes chargen over UDP so attractive for this is that the source address can be spoofed without having to establish a connection, and the service responds with packets much larger than the request. In short, if your networks expose a service that answers UDP with packets much larger than the request (DNS in particular is popular these days), take due care that you are rate-limiting those protocols if they are Internet-accessible.

Attacks using chargen are not common, and there is some evidence that in a few of the cases over the past few years the attack was used as a smoke screen to hide other attack traffic. In this case, many of the devices used were commodity multifunction copiers and the like. Which leads to two questions:

1) Why are these Internet-accessible?

So your takeaways are two-fold:

- Check to make sure you don't have Internet-accessible devices that don't need to be (and if they need to be, that you are regulating UDP requests). And don't forget old and dead protocols; sometimes they're still around. :)
John, ISC Handler, Apr 21st 2013
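As an added illustration of the diary's point about UDP services that answer with far more bytes than they receive (example code, not from the diary or from ISC): the script below reads a constructed set of flow records and flags local UDP services, such as chargen on port 19, whose response volume to external peers dwarfs the request volume. The flow record format, the sample addresses and the use of 192.0.2.0/24 as the "internal" prefix are assumptions.

```python
import re
from collections import defaultdict

# Constructed flow records (not from the diary): "proto src:sport -> dst:dport bytes".
# 192.0.2.0/24 plays the role of our own address space; the other addresses are external.
SAMPLE_FLOWS = """\
udp 198.51.100.7:40001 -> 192.0.2.10:19 40
udp 192.0.2.10:19 -> 198.51.100.7:40001 512
udp 198.51.100.7:40002 -> 192.0.2.10:19 40
udp 192.0.2.10:19 -> 198.51.100.7:40002 512
udp 203.0.113.5:3333 -> 192.0.2.20:53 60
udp 192.0.2.20:53 -> 203.0.113.5:3333 3000
tcp 203.0.113.9:5555 -> 192.0.2.30:22 700
tcp 192.0.2.30:22 -> 203.0.113.9:5555 800
"""

FLOW_RE = re.compile(r"^(udp|tcp) (\S+):(\d+) -> (\S+):(\d+) (\d+)$")

def is_internal(ip):
    """Assumed local prefix for the sample; replace with your own netblocks."""
    return ip.startswith("192.0.2.")

def udp_service_bytes(flow_text):
    """Sum request bytes in and response bytes out per (local IP, UDP port) for
    conversations with external peers. The remote 'source' of a request may be a
    spoofed victim, so totals are keyed only by the local service side."""
    totals = defaultdict(lambda: [0, 0])
    for line in flow_text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        proto, src, sport, dst, dport, nbytes = m.groups()
        if proto != "udp":
            continue  # TCP needs a handshake, so it cannot be reflected with a spoofed source
        if is_internal(dst) and not is_internal(src):      # request arriving at our service
            totals[(dst, int(dport))][0] += int(nbytes)
        elif is_internal(src) and not is_internal(dst):    # response leaving our service
            totals[(src, int(sport))][1] += int(nbytes)
    return totals

def flag_amplifiers(flow_text, min_ratio=4.0):
    """Return [(ip, port, ratio)] for local UDP services whose outbound bytes exceed
    inbound bytes by min_ratio or more, i.e. candidates for reflection abuse."""
    hits = []
    for (ip, port), (b_in, b_out) in udp_service_bytes(flow_text).items():
        if b_in and b_out / b_in >= min_ratio:
            hits.append((ip, port, round(b_out / b_in, 1)))
    return sorted(hits)
```

On the sample data the chargen responder shows a 12.8x ratio and the DNS server 50x; anything flagged is a service to firewall off or rate-limit if it must stay reachable from the Internet.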
Excellent suggestion ... outbound filtering to known netblocks. A follow-on suggestion, for enterprises, would be to consider inbound filtering (i.e. the old choke router concept). Constrain inbound conversations to those ports for which you permit services. Chargen would likely not be on my list.
VB33, Apr 22nd 2013
Chargen is easy to implement by accident on network gear. On Cisco routers, for instance, it's enabled by "service tcp-small-services", which also enables the echo, discard and daytime services. "service udp-small-services" is the UDP-related command.
On Windows, it's common to see this service open when folks install "Simple TCP/IP Services" as part of their server build.
Rob VandenBrink, ISC Handler, Apr 22nd 2013
Does it make sense to validate packet sources? Are there protocols for that?
eelgheez, Nov 11th 2015