DRIVE71

join:2005-06-08

Port 19 DDOS "Chargen"

We've been getting a massive DDoS the past few days. Port 19 UDP. Mikrotik is calling it "Chargen". Anyone else seen this? We've had to call Level3 to have them blacklist the IP. It takes my RouterBOARD 1100 and maxes it out. Last look there was 989 Mb of traffic (gig port), all being dropped by the firewall. Of course it's targeting the 50 or so IPs that I have NATted, so I don't know who the target is yet. I changed the NATted address and today they started hitting the new address.

Another day in paradise


Inssomniak
The Glitch
Premium
join:2005-04-06
Cayuga, ON
kudos:2
I think this says it the best:

"Chargen is easy to implement by accident on network gear - on Cisco routers, for instance, it's implemented by "service tcp-small-services", which also enables the echo, discard and daytime services. "service udp-small-services" is the UDP-related command.

On Windows, it's common to see this service open when folks install "Simple TCP/IP Services" as part of their server build."

source: »isc.sans.edu/forums/diary/A+Char···ng/15647

It's not that the service is running on Mikrotik, but historically it was a port easily targeted over the years for DDoS attacks, and perhaps the attacker has some nostalgia?

lol.
--
OptionsDSL Wireless Internet
»www.optionsdsl.ca

DRIVE71

join:2005-06-08
reply to DRIVE71
I'm guessing one of my customers has pissed off the wrong guy. I'll update this thread as I go in case someone else can benefit from the info.


Inssomniak
The Glitch
Premium
join:2005-04-06
Cayuga, ON
kudos:2
Likely, yup. I had a DDoS attack a whack of years ago, about a year after I started my WISP (no NAT), that destroyed my entire downstream. At the time, it was a whopping 15 megabit and 10,000 pps.

They attacked a specific customer after he beat him in an Xbox game.
--
OptionsDSL Wireless Internet
»www.optionsdsl.ca

DRIVE71

join:2005-06-08
The funny thing is that's exactly what I suspect. I just got allocated another /24 from upstream. Gonna move all the NATted guys over to it. Hoping to find out what's going on.

devicenull
Premium
join:2002-12-01
Old Bridge, NJ
reply to DRIVE71
It's a *super* common attack. Easily within the top 3 of attacks that we see.

See if Level 3 can just ACL off the entire port for you. As far as I'm aware it has no legitimate use.


DaDawgs
Premium
join:2010-08-02
Deltaville, VA
reply to DRIVE71
That is a lot of traffic. Seems more like someone pissed off someone who had a bot farm, maybe?

First thing is to ensure that any traffic on that port is dumped on the input chain straight to drop.

You seem smart enough to know that, but I had to say it anyway. If it was TCP I'd say tarpit it, but... UDP is a different game.

Straight to drop on the input chain on any world-facing port.
--
Once we IPv6 enable every device on the Internet we will have toasters, baby monitors, and security cameras joining the bot nets which today are populated only by idiots that can not refrain from clicking, "Yes I would like to see those titties..."


TAZ

@qwest.net
said by DaDawgs:

That is a lot of traffic. Seems more like someone pissed off someone who had a bot farm, maybe?

No, just some retarded 12 year old kid with "little man's syndrome" and access to mommy's credit card that went to hackforums and bought some POS booter.

This is really common in games. Xbox is especially bad because it's P2P, and it's trivial to obtain another client's IP address. (That's where these booters originated from: "boot someone off XBL.") Now, whoever at MS came up with the idea of charging $60/year to allow players to host their own games needs to be shot, but that's a separate issue.

Amplification attacks are _really_ common now, and not just chargen. DNS is especially common and bad. SNMP can be used too.

You're lucky that L3 is willing to work with you on this. ACL dropping the chargen crap is a start (sounds like you've done that already). It wouldn't be a bad idea to dedicate a single IP for NATting outbound DNS queries, and have them ACL drop any inbound UDP from src port 53 on the other IPs. That will probably be the next attack (DNS amp).

The problem here is it costs $10 or less to do this, but for the target it tends to cost a ton more to mitigate it. Luckily for you, you've got a cooperative upstream and this is easy to drop, just a few ACL rules. (ACLs are implemented in the ASIC on carrier-grade equipment, so they can be done at wire-rate.)
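The two mitigations discussed in this thread, DaDawgs' "straight to drop on the input chain" for UDP/19 and TAZ's idea of pinning outbound DNS to one public address so UDP source-port-53 traffic can be dropped on every other address, written out as a RouterOS configuration. This is an added example, not configuration posted by anyone in the thread. The interface name ether1, the public block 203.0.113.0/24, the private customer range 10.0.0.0/8 and the address 203.0.113.10 reserved for outbound DNS are assumptions chosen for illustration.

```routeros
# Added example, not the thread's own configuration.  Assumed values:
#   ether1          - upstream (carrier-facing) interface
#   203.0.113.0/24  - public block that the NATted customers appear from
#   203.0.113.10    - the single public address reserved for outbound DNS
#   10.0.0.0/8      - private customer space behind NAT

/ip firewall filter
# 1. Chargen reflection.  Nothing legitimate ever arrives with UDP source
#    port 19, so drop it unconditionally.  A reflected packet aimed at a
#    NATted public address with no conntrack entry terminates in the input
#    chain; one that matched a dst-nat (port-forward) rule goes to forward,
#    so both chains get the rule.  place-before=0 keeps the drops above any
#    existing accept rules.
add chain=input   in-interface=ether1 protocol=udp src-port=19 action=drop \
    comment="chargen reflection (UDP/19)" place-before=0
add chain=forward in-interface=ether1 protocol=udp src-port=19 action=drop \
    comment="chargen reflection (UDP/19)" place-before=0

# 2. DNS amplification.  Replies from UDP/53 are only expected at the one
#    address the customers' queries are NATted out of.  In the input chain
#    the destination is still the public address, so match on it directly,
#    mirroring the ACL the upstream would install.
add chain=input   in-interface=ether1 protocol=udp src-port=53 \
    dst-address=!203.0.113.10 action=drop \
    comment="DNS reflection to a non-DNS address" place-before=0
#    In the forward chain the destination has already been un-NATted to the
#    private address, so match on connection state instead: genuine replies
#    to NATted queries are established, reflected floods are new.
add chain=forward in-interface=ether1 protocol=udp src-port=53 \
    connection-state=new action=drop \
    comment="unsolicited DNS replies (reflection)" place-before=0

/ip firewall nat
# Outbound customer DNS leaves from the dedicated address.  NAT rules are
# matched in order, so this must sit above the general src-nat rule.
add chain=srcnat out-interface=ether1 protocol=udp dst-port=53 \
    src-address=10.0.0.0/8 action=src-nat to-addresses=203.0.113.10 \
    comment="pin customer DNS queries to one public IP" place-before=0
# General customer NAT (the existing rule; shown so the ordering is visible).
add chain=srcnat out-interface=ether1 src-address=10.0.0.0/8 \
    action=src-nat to-addresses=203.0.113.11-203.0.113.60 \
    comment="general customer NAT"
```

Two caveats a practitioner should keep in mind. First, these rules only stop the flood from reaching customers; every packet still crosses the gig port and costs the RB1100 a conntrack lookup and a rule match, which is why the original post sees the board maxed out even though "all" the traffic is being dropped, and why the upstream ACL devicenull and TAZ describe is the real fix. (On RouterOS 6.36 and later, /ip firewall raw with chain=prerouting drops before connection tracking and is cheaper per packet, but it still does not help a saturated link.) Second, the source-port-53 drop assumes no host behind the other public addresses runs its own resolver or authoritative server that queries outward; such a host must be moved behind the DNS-reserved address or exempted. DNS over TCP is unaffected by these rules.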