Check if network is allowing inbound UDP fragments

While watching for additional (non-initial) fragments with tcpdump:

tcpdump -i any -nnvvXS  '((ip[6:2] > 0) and (not ip[6] = 64))'

run a DNS query that produces a fragmented reply:

dig ANY financialresearch.gov @208.67.222.222

Apple remote desktop DDoS reflection (UDP 3283)

Here comes just another volumetric reflected DDoS attack.

This time it's the Apple Remote Desktop protocol (UDP 3283).

The amplification rate looks quite good (35:1).

Apparently there are many hosts online to pick from; 65,538 on Shodan right now, it seems:

https://www.shodan.io/search?query=port%3A3283

A lot of MacStadium hosts are apparently being actively exploited.

If your Apple Mac sits in a DMZ or directly on a public IP, please properly secure port 3283.

Searching online, it seems someone else is seeing this pattern too.

Arbor (Netscout) has published more detailed information: https://www.netscout.com/blog/asert/call-arms-apple-remote-management-service-udp

LDAP reflected ddos

tcpdump -nn -i em1 udp and port 389
 
15:35:36.667005 IP 75.99.0.158.389 > x.x.x.x.4829: UDP, length 2804
15:35:36.667065 IP 192.162.242.123.389 > x.x.x.x.45750: UDP, length 2993
15:35:36.667105 IP 210.3.1.38.389 > x.x.x.x.61703: UDP, length 2687
15:35:36.667260 IP 210.211.126.112.389 > x.x.x.x.61703: UDP, length 2591
15:35:36.667318 IP 88.198.78.124.389 > x.x.x.x.18313: UDP, length 2955
15:35:36.667407 IP 192.186.71.248.389 > x.x.x.x.45750: UDP, length 3088
15:35:36.667420 IP 193.158.199.220.389 > x.x.x.x.45750: UDP, length 2582
15:35:36.667453 IP 108.60.201.51.389 > x.x.x.x.27164: UDP, length 2969
15:35:36.667472 IP 211.144.154.13.389 > x.x.x.x.61703: UDP, length 2395
15:35:36.667551 IP 78.140.59.119.389 > x.x.x.x.4829: UDP, length 2368
15:35:36.667562 IP 197.231.192.44.389 > x.x.x.x.45750: UDP, length 2959
15:35:36.667575 IP 185.104.180.89.389 > x.x.x.x.29749: UDP, length 3009
15:35:36.667600 IP 108.31.185.59.389 > x.x.x.x.27164: UDP, length 2474
15:35:36.667652 IP 76.16.250.71.389 > x.x.x.x.4829: UDP, length 2622
15:35:36.667708 IP 185.3.168.182.389 > x.x.x.x.29749: UDP, length 2816
15:35:36.667798 IP 196.6.233.18.389 > x.x.x.x.45750: UDP, length 2538
15:35:36.667845 IP 91.106.91.12.389 > x.x.x.x.18313: UDP, length 2863
15:35:36.667869 IP 89.218.64.42.389 > x.x.x.x.18313: UDP, length 2799
15:35:36.667909 IP 193.140.41.174.389 > x.x.x.x.45750: UDP, length 3046
15:35:36.667982 IP 76.213.157.105.389 > x.x.x.x.4829: UDP, length 2894
15:35:36.668086 IP 196.30.230.54.389 > x.x.x.x.45750: UDP, length 2706
15:35:36.668188 IP 75.99.131.234.389 > x.x.x.x.4829: UDP, length 2516
15:35:36.668218 IP 196.11.102.164.389 > x.x.x.x.45750: UDP, length 2798
15:35:36.668248 IP 184.69.98.206.389 > x.x.x.x.29749: UDP, length 2857
15:35:36.668267 IP 121.40.104.130.389 > x.x.x.x.27164: UDP, length 2589
15:35:36.668284 IP 109.166.208.171.389 > x.x.x.x.27164: UDP, length 2772
15:35:36.668343 IP 108.74.106.227.389 > x.x.x.x.27164: UDP, length 2904
15:35:36.668383 IP 88.150.147.131.389 > x.x.x.x.18313: UDP, length 2966
15:35:36.668421 IP 88.198.222.112.389 > x.x.x.x.18313: UDP, length 2714
15:35:36.668463 IP 184.106.234.128.389 > x.x.x.x.29749: UDP, length 2631
15:35:36.668468 IP 88.198.90.43.389 > x.x.x.x.18313: UDP, length 1782
15:35:36.668487 IP 194.247.240.50.389 > x.x.x.x.45750: UDP, length 2937
15:35:36.668641 IP 88.84.197.162.389 > x.x.x.x.18313: UDP, length 1785
15:35:36.668835 IP 115.124.66.19.389 > x.x.x.x.27164: UDP, length 2929
15:35:36.668888 IP 119.160.218.42.389 > x.x.x.x.27164: UDP, length 2497
15:35:36.668920 IP 76.104.14.11.389 > x.x.x.x.4829: UDP, length 2566
15:35:36.668944 IP 112.74.167.244.389 > x.x.x.x.27164: UDP, length 2873
15:35:36.669013 IP 116.12.189.33.389 > x.x.x.x.27164: UDP, length 2628
15:35:36.669163 IP 184.106.250.48.389 > x.x.x.x.29749: UDP, length 2600
15:35:36.669215 IP 115.90.181.114.389 > x.x.x.x.27164: UDP, length 2469
15:35:36.669396 IP 196.15.180.8.389 > x.x.x.x.45750: UDP, length 2632
15:35:36.669400 IP 196.15.180.62.389 > x.x.x.x.45750: UDP, length 2684
15:35:36.669417 IP 109.166.153.104.389 > x.x.x.x.27164: UDP, length 2362
15:35:36.669422 IP 197.148.64.80.389 > x.x.x.x.45750: UDP, length 2711
15:35:36.669463 IP 184.106.234.46.389 > x.x.x.x.29749: UDP, length 2747
15:35:36.669535 IP 88.208.119.250.389 > x.x.x.x.18313: UDP, length 3051
15:35:36.669548 IP 88.220.122.52.389 > x.x.x.x.18313: UDP, length 2868
15:35:36.669755 IP 197.81.233.50.389 > x.x.x.x.45750: UDP, length 2472
15:35:36.669766 IP 196.214.87.66.389 > x.x.x.x.45750: UDP, length 2623
15:35:36.669821 IP 88.198.203.195.389 > x.x.x.x.18313: UDP, length 1917
15:35:36.669942 IP 115.178.16.249.389 > x.x.x.x.27164: UDP, length 2996
15:35:36.670003 IP 184.147.198.111.389 > x.x.x.x.29749: UDP, length 2553
15:35:36.670044 IP 75.99.203.190.389 > x.x.x.x.4829: UDP, length 3046
15:35:36.670212 IP 197.249.132.72.389 > x.x.x.x.45750: UDP, length 2449
15:35:36.670286 IP 88.150.188.42.389 > x.x.x.x.18313: UDP, length 2914
15:35:36.670297 IP 184.155.25.26.389 > x.x.x.x.29749: UDP, length 2881
15:35:36.670411 IP 88.82.192.243.389 > x.x.x.x.18313: UDP, length 2501
15:35:36.670414 IP 186.115.11.67.389 > x.x.x.x.4829: UDP, length 2682
15:35:36.670549 IP 75.99.161.82.389 > x.x.x.x.4829: UDP, length 2861
15:35:36.670583 IP 77.120.243.225.389 > x.x.x.x.4829: UDP, length 2508
15:35:36.670657 IP 193.248.203.67.389 > x.x.x.x.45750: UDP, length 2931
15:35:36.670688 IP 75.35.145.219.389 > x.x.x.x.4829: UDP, length 2897
15:35:36.670819 IP 184.149.19.174.389 > x.x.x.x.29749: UDP, length 2579
15:35:36.671004 IP 197.159.49.36.389 > x.x.x.x.45750: UDP, length 2936
15:35:36.671027 IP 79.175.176.14.389 > x.x.x.x.4829: UDP, length 2891
15:35:36.671055 IP 108.29.161.26.389 > x.x.x.x.27164: UDP, length 2561
15:35:36.671075 IP 200.116.120.158.389 > x.x.x.x.45750: UDP, length 2892
15:35:36.671101 IP 196.15.180.2.389 > x.x.x.x.45750: UDP, length 2640
15:35:36.671186 IP 88.159.158.30.389 > x.x.x.x.18313: UDP, length 2574
15:35:36.671228 IP 108.29.99.165.389 > x.x.x.x.27164: UDP, length 2946
15:35:36.671256 IP 88.198.1.28.389 > x.x.x.x.18313: UDP, length 2949
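The capture above shows the classic reflection signature: many distinct source IPs, all answering from the same well-known source port (389) towards a handful of destination ports, with payloads large enough to get fragmented on the way. The script below, an added example that is not part of the original post, parses tcpdump's one-line UDP summaries and flags a source port as a likely reflector when enough distinct sources share it with a large average payload; the same check covers the UDP 1900 (SSDP), NTP and chargen cases discussed further down. The sample input is the first ten lines of the capture above plus two constructed SSDP lines; the thresholds (`min_sources`, `min_avg_len`) and the `REFLECTOR_PORTS` table are assumptions to tune per environment.

```python
import re
from collections import defaultdict

# tcpdump's one-line UDP summary: "HH:MM:SS.uuuuuu IP src.sport > dst.dport: UDP, length N"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\S+?)\.(?P<dport>\d+): UDP, length (?P<len>\d+)"
)

# UDP services with a known reflection history (assumption: extend to taste).
REFLECTOR_PORTS = {19: "chargen", 53: "dns", 123: "ntp", 389: "ldap",
                   520: "rip", 1900: "ssdp", 3283: "ard"}

# First ten lines of the capture in the post, plus two constructed SSDP replies
# (203.0.113.0/24 is documentation space; those two lines are not from the capture).
SAMPLE_CAPTURE = """
15:35:36.667005 IP 75.99.0.158.389 > x.x.x.x.4829: UDP, length 2804
15:35:36.667065 IP 192.162.242.123.389 > x.x.x.x.45750: UDP, length 2993
15:35:36.667105 IP 210.3.1.38.389 > x.x.x.x.61703: UDP, length 2687
15:35:36.667260 IP 210.211.126.112.389 > x.x.x.x.61703: UDP, length 2591
15:35:36.667318 IP 88.198.78.124.389 > x.x.x.x.18313: UDP, length 2955
15:35:36.667407 IP 192.186.71.248.389 > x.x.x.x.45750: UDP, length 3088
15:35:36.667420 IP 193.158.199.220.389 > x.x.x.x.45750: UDP, length 2582
15:35:36.667453 IP 108.60.201.51.389 > x.x.x.x.27164: UDP, length 2969
15:35:36.667472 IP 211.144.154.13.389 > x.x.x.x.61703: UDP, length 2395
15:35:36.667551 IP 78.140.59.119.389 > x.x.x.x.4829: UDP, length 2368
15:35:36.670000 IP 203.0.113.10.1900 > x.x.x.x.4829: UDP, length 310
15:35:36.670100 IP 203.0.113.11.1900 > x.x.x.x.4829: UDP, length 302
"""


def ts_seconds(ts):
    """'15:35:36.667005' -> seconds since midnight (only differences are used)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_lines(text):
    """Turn tcpdump summary lines into flow records; lines that do not match are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            flows.append({"ts": ts_seconds(m["ts"]), "src": m["src"],
                          "sport": int(m["sport"]), "dport": int(m["dport"]),
                          "len": int(m["len"])})
    return flows


def summarize_by_sport(flows):
    """Aggregate per source port: packets, bytes, distinct sources/destination ports, time span."""
    per = defaultdict(lambda: {"packets": 0, "bytes": 0, "sources": set(),
                               "dports": set(), "first": None, "last": None})
    for f in flows:
        s = per[f["sport"]]
        s["packets"] += 1
        s["bytes"] += f["len"]
        s["sources"].add(f["src"])
        s["dports"].add(f["dport"])
        s["first"] = f["ts"] if s["first"] is None else min(s["first"], f["ts"])
        s["last"] = f["ts"] if s["last"] is None else max(s["last"], f["ts"])
    return per


def find_reflection(flows, min_sources=5, min_avg_len=200):
    """Flag source ports of known reflector services that many distinct hosts answer from
    with large payloads. SSDP replies are small (~300 bytes), so the length bar is low and
    the distinct-source count does most of the work."""
    findings = {}
    for sport, s in summarize_by_sport(flows).items():
        avg_len = s["bytes"] / s["packets"]
        if (sport in REFLECTOR_PORTS and len(s["sources"]) >= min_sources
                and avg_len >= min_avg_len):
            span = s["last"] - s["first"]
            findings[sport] = {
                "service": REFLECTOR_PORTS[sport],
                "packets": s["packets"],
                "bytes": s["bytes"],
                "unique_sources": len(s["sources"]),
                "unique_dports": len(s["dports"]),
                "avg_payload": avg_len,
                "pps": s["packets"] / span if span > 0 else None,
            }
    return findings


if __name__ == "__main__":
    for port, info in find_reflection(parse_lines(SAMPLE_CAPTURE)).items():
        print(port, info)
```

Feed it `tcpdump -nn udp -l` output and it reports the ports worth rate-limiting upstream; the two constructed SSDP lines stay below `min_sources` and are not flagged, which is how a couple of legitimate SSDP replies should look.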

Sample packet (note flags [+] in the IP header: this 2905-byte LDAP reply does not fit in one 1500-byte packet, so it arrives as IP fragments):

15:37:21.996866 IP (tos 0x0, ttl 117, id 18284, offset 0, flags [+], proto UDP (17), length 1500)
    179.210.166.177.389 > x.x.x.x.45750: UDP, length 2905
	0x0000:  4500 05dc 476c 2000 7511 9265 b3d2 a6b1  E...Gl..u..e....
	0x0010:  2ea6 bd15 0185 b2b6 0b61 9566 3084 0000  .........a.f0...
	0x0020:  0b3d 0201 0764 8400 000b 3404 0030 8400  .=...d....4..0..
	0x0030:  000b 2c30 8400 0000 2604 0b63 7572 7265  ..,0....&..curre
	0x0040:  6e74 5469 6d65 3184 0000 0013 0411 3230  ntTime1.......20
	0x0050:  3137 3037 3035 3135 3337 3232 2e30 5a30  170705153722.0Z0
	0x0060:  8400 0000 5504 1173 7562 7363 6865 6d61  ....U..subschema
	0x0070:  5375 6265 6e74 7279 3184 0000 003c 043a  Subentry1....<.:
	0x0080:  434e 3d41 6767 7265 6761 7465 2c43 4e3d  CN=Aggregate,CN=
	0x0090:  5363 6865 6d61 2c43 4e3d 436f 6e66 6967  Schema,CN=Config
	0x00a0:  7572 6174 696f 6e2c 4443 3d45 434f 5445  uration,DC=ECOTE
	0x00b0:  502c 4443 3d6c 6f63 616c 3084 0000 0086  P,DC=local0.....
	0x00c0:  040d 6473 5365 7276 6963 654e 616d 6531  ..dsServiceName1
	0x00d0:  8400 0000 7104 6f43 4e3d 4e54 4453 2053  ....q.oCN=NTDS.S
	0x00e0:  6574 7469 6e67 732c 434e 3d45 434f 5352  ettings,CN=ECOSR
	0x00f0:  5630 322c 434e 3d53 6572 7665 7273 2c43  V02,CN=Servers,C
	0x0100:  4e3d 4465 6661 756c 742d 4669 7273 742d  N=Default-First-
	0x0110:  5369 7465 2d4e 616d 652c 434e 3d53 6974  Site-Name,CN=Sit
	0x0120:  6573 2c43 4e3d 436f 6e66 6967 7572 6174  es,CN=Configurat
	0x0130:  696f 6e2c 4443 3d45 434f 5445 502c 4443  ion,DC=ECOTEP,DC
	0x0140:  3d6c 6f63 616c 3084 0000 00ca 040e 6e61  =local0.......na
	0x0150:  6d69 6e67 436f 6e74 6578 7473 3184 0000  mingContexts1...
	0x0160:  00b4 0412 4443 3d45 434f 5445 502c 4443  ....DC=ECOTEP,DC
	0x0170:  3d6c 6f63 616c 0423 434e 3d43 6f6e 6669  =local.#CN=Confi
	0x0180:  6775 7261 7469 6f6e 2c44 433d 4543 4f54  guration,DC=ECOT
	0x0190:  4550 2c44 433d 6c6f 6361 6c04 2d43 4e3d  EP,DC=local.-CN=
	0x01a0:  5363 6865 6d61 2c43 4e3d 436f 6e66 6967  Schema,CN=Config
	0x01b0:  7572 6174 696f 6e2c 4443 3d45 434f 5445  uration,DC=ECOTE
	0x01c0:  502c 4443 3d6c 6f63 616c 0424 4443 3d44  P,DC=local.$DC=D
	0x01d0:  6f6d 6169 6e44 6e73 5a6f 6e65 732c 4443  omainDnsZones,DC
	0x01e0:  3d45 434f 5445 502c 4443 3d6c 6f63 616c  =ECOTEP,DC=local
	0x01f0:  0424 4443 3d46 6f72 6573 7444 6e73 5a6f  .$DC=ForestDnsZo
	0x0200:  6e65 732c 4443 3d45 434f 5445 502c 4443  nes,DC=ECOTEP,DC
	0x0210:  3d6c 6f63 616c 3084 0000 0030 0414 6465  =local0....0..de
	0x0220:  6661 756c 744e 616d 696e 6743 6f6e 7465  faultNamingConte
	0x0230:  7874 3184 0000 0014 0412 4443 3d45 434f  xt1.......DC=ECO
	0x0240:  5445 502c 4443 3d6c 6f63 616c 3084 0000  TEP,DC=local0...
	0x0250:  004a 0413 7363 6865 6d61 4e61 6d69 6e67  .J..schemaNaming
	0x0260:  436f 6e74 6578 7431 8400 0000 2f04 2d43  Context1..../.-C
	0x0270:  4e3d 5363 6865 6d61 2c43 4e3d 436f 6e66  N=Schema,CN=Conf
	0x0280:  6967 7572 6174 696f 6e2c 4443 3d45 434f  iguration,DC=ECO
	0x0290:  5445 502c 4443 3d6c 6f63 616c 3084 0000  TEP,DC=local0...
	0x02a0:  0047 041a 636f 6e66 6967 7572 6174 696f  .G..configuratio
	0x02b0:  6e4e 616d 696e 6743 6f6e 7465 7874 3184  nNamingContext1.
	0x02c0:  0000 0025 0423 434e 3d43 6f6e 6669 6775  ...%.#CN=Configu
	0x02d0:  7261 7469 6f6e 2c44 433d 4543 4f54 4550  ration,DC=ECOTEP
	0x02e0:  2c44 433d 6c6f 6361 6c30 8400 0000 3304  ,DC=local0....3.
	0x02f0:  1772 6f6f 7444 6f6d 6169 6e4e 616d 696e  .rootDomainNamin
	0x0300:  6743 6f6e 7465 7874 3184 0000 0014 0412  gContext1.......
	0x0310:  4443 3d45 434f 5445 502c 4443 3d6c 6f63  DC=ECOTEP,DC=loc
	0x0320:  616c 3084 0000 03a9 0410 7375 7070 6f72  al0.......suppor
	0x0330:  7465 6443 6f6e 7472 6f6c 3184 0000 0391  tedControl1.....
	0x0340:  0416 312e 322e 3834 302e 3131 3335 3536  ..1.2.840.113556
	0x0350:  2e31 2e34 2e33 3139 0416 312e 322e 3834  .1.4.319..1.2.84
	0x0360:  302e 3131 3335 3536 2e31 2e34 2e38 3031  0.113556.1.4.801
	0x0370:  0416 312e 322e 3834 302e 3131 3335 3536  ..1.2.840.113556
	0x0380:  2e31 2e34 2e34 3733 0416 312e 322e 3834  .1.4.473..1.2.84
	0x0390:  302e 3131 3335 3536 2e31 2e34 2e35 3238  0.113556.1.4.528
	0x03a0:  0416 312e 322e 3834 302e 3131 3335 3536  ..1.2.840.113556
	0x03b0:  2e31 2e34 2e34 3137 0416 312e 322e 3834  .1.4.417..1.2.84
	0x03c0:  302e 3131 3335 3536 2e31 2e34 2e36 3139  0.113556.1.4.619
	0x03d0:  0416 312e 322e 3834 302e 3131 3335 3536  ..1.2.840.113556
	0x03e0:  2e31 2e34 2e38 3431 0416 312e 322e 3834  .1.4.841..1.2.84
	0x03f0:  302e 3131 3335 3536 2e31 2e34 2e35 3239  0.113556.1.4.529
	0x0400:  0416 312e 322e 3834 302e 3131 3335 3536  ..1.2.840.113556
	0x0410:  2e31 2e34 2e38 3035 0416 312e 322e 3834  .1.4.805..1.2.84
	0x0420:  302e 3131 3335 3536 2e31 2e34 2e35 3231  0.113556.1.4.521
	0x0430:  0416 312e 322e 3834 302e 3131 3335 3536  ..1.2.840.113556
	0x0440:  2e31 2e34 2e39 3730 0417 312e 322e 3834  .1.4.970..1.2.84
	0x0450:  302e 3131 3335 3536 2e31 2e34 2e31 3333  0.113556.1.4.133
	0x0460:  3804 1631 2e32 2e38 3430 2e31 3133 3535  8..1.2.840.11355
	0x0470:  362e 312e 342e 3437 3404 1731 2e32 2e38  6.1.4.474..1.2.8
	0x0480:  3430 2e31 3133 3535 362e 312e 342e 3133  40.113556.1.4.13
	0x0490:  3339 0417 312e 322e 3834 302e 3131 3335  39..1.2.840.1135
	0x04a0:  3536 2e31 2e34 2e31 3334 3004 1731 2e32  56.1.4.1340..1.2
	0x04b0:  2e38 3430 2e31 3133 3535 362e 312e 342e  .840.113556.1.4.
	0x04c0:  3134 3133 0417 322e 3136 2e38 3430 2e31  1413..2.16.840.1
	0x04d0:  2e31 3133 3733 302e 332e 342e 3904 1832  .113730.3.4.9..2
	0x04e0:  2e31 362e 3834 302e 312e 3131 3337 3330  .16.840.1.113730
	0x04f0:  2e33 2e34 2e31 3004 1731 2e32 2e38 3430  .3.4.10..1.2.840
	0x0500:  2e31 3133 3535 362e 312e 342e 3135 3034  .113556.1.4.1504
	0x0510:  0417 312e 322e 3834 302e 3131 3335 3536  ..1.2.840.113556
	0x0520:  2e31 2e34 2e31 3835 3204 1631 2e32 2e38  .1.4.1852..1.2.8
	0x0530:  3430 2e31 3133 3535 362e 312e 342e 3830  40.113556.1.4.80
	0x0540:  3204 1731 2e32 2e38 3430 2e31 3133 3535  2..1.2.840.11355
	0x0550:  362e 312e 342e 3139 3037 0417 312e 322e  6.1.4.1907..1.2.
	0x0560:  3834 302e 3131 3335 3536 2e31 2e34 2e31  840.113556.1.4.1
	0x0570:  3934 3804 1731 2e32 2e38 3430 2e31 3133  948..1.2.840.113
	0x0580:  3535 362e 312e 342e 3139 3734 0417 312e  556.1.4.1974..1.
	0x0590:  322e 3834 302e 3131 3335 3536 2e31 2e34  2.840.113556.1.4
	0x05a0:  2e31 3334 3104 1731 2e32 2e38 3430 2e31  .1341..1.2.840.1
	0x05b0:  3133 3535 362e 312e 342e 3230 3236 0417  13556.1.4.2026..
	0x05c0:  312e 322e 3834 302e 3131 3335 3536 2e31  1.2.840.113556.1
	0x05d0:  2e34 2e32 3036 3404 1731 2e32            .4.2064..1.2
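The first two lines of the hex dump above contain the whole IPv4 and UDP header, so they can be decoded by hand to see why the fragment check in the first post matters for a victim of this traffic. The decoder below is an added example, not code from the original post: it reassembles bytes from `tcpdump -X` lines, parses the IPv4 header (flags, fragment offset, TTL, protocol, addresses) and the UDP header when present, and mirrors the BPF filter from the first post, `((ip[6:2] > 0) and (not ip[6] = 64))`, which matches any packet whose flags/offset field is non-zero except a DF-only one. The sample input is copied from the dump above; `make_ipv4_header` builds constructed headers (documentation addresses, zero checksum) only to exercise the DF and last-fragment cases.

```python
import struct

# First three lines of the tcpdump -X dump in the post (copied, not constructed).
SAMPLE_DUMP = """
    0x0000:  4500 05dc 476c 2000 7511 9265 b3d2 a6b1  E...Gl..u..e....
    0x0010:  2ea6 bd15 0185 b2b6 0b61 9566 3084 0000  .........a.f0...
    0x0020:  0b3d 0201 0764 8400 000b 3404 0030 8400  .=...d....4..0..
"""

IP_MF = 0x1  # "more fragments" bit of the 3-bit flags field
IP_DF = 0x2  # "don't fragment" bit


def hexdump_to_bytes(dump):
    """Reassemble raw bytes from tcpdump -X/-XX lines ('0xNNNN:  hhhh hhhh ...  ascii')."""
    out = bytearray()
    for line in dump.splitlines():
        line = line.strip()
        if not line.startswith("0x"):
            continue
        body = line.split(":", 1)[1]
        # Hex and ASCII columns are separated by at least two spaces; the ASCII column
        # may itself contain spaces, so take the first non-empty field only.
        hex_col = next(f for f in body.split("  ") if f.strip())
        out += bytes.fromhex("".join(hex_col.split()))
    return bytes(out)


def decode_ipv4(pkt):
    """Decode the fixed IPv4 header; the UDP header exists only in the first fragment."""
    ver_ihl, _tos, total_len, ident, flags_off, ttl, proto, _csum = struct.unpack("!BBHHHBBH", pkt[:12])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    flags = flags_off >> 13
    offset = (flags_off & 0x1FFF) * 8  # offset is stored in 8-byte units
    hdr = {
        "total_len": total_len, "id": ident, "ttl": ttl, "proto": proto,
        "mf": bool(flags & IP_MF), "df": bool(flags & IP_DF), "offset": offset,
        "src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
        "is_fragment": bool(flags & IP_MF) or offset > 0,
        "udp": None,
    }
    if proto == 17 and offset == 0 and len(pkt) >= ihl + 8:
        sport, dport, ulen, _ucsum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
        hdr["udp"] = {"sport": sport, "dport": dport, "len": ulen}
    return hdr


def tcpdump_fragment_filter(pkt):
    """Python equivalent of the BPF filter ((ip[6:2] > 0) and (not ip[6] = 64))."""
    return struct.unpack("!H", pkt[6:8])[0] > 0 and pkt[6] != 64


def make_ipv4_header(flags_off, proto=17, src="192.0.2.1", dst="198.51.100.2", total_len=1500):
    """Constructed 20-byte IPv4 header for tests (documentation addresses, checksum 0)."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    return struct.pack("!BBHHHBBH", 0x45, 0, total_len, 1, flags_off, 64, proto, 0) + src_b + dst_b


if __name__ == "__main__":
    pkt = hexdump_to_bytes(SAMPLE_DUMP)
    print(decode_ipv4(pkt), "matches filter:", tcpdump_fragment_filter(pkt))
```

For the sample the decoder reports total length 1500, MF set, offset 0 and a UDP length of 2913 (2905 payload bytes plus the 8-byte header), so the remaining bytes arrive in a second fragment with offset 1480 and no UDP header at all; a filter or ACL that keys on port 389 sees only the first piece.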

DDoS reflection attacks – udp 1900

So it happened… today a company I work with received its first DDoS attack with UDP source port 1900.

Recorded attack peak was 1301 MBit/s with 530463 packets/s

I didn't have time to take a full network traffic dump as the attack ceased shortly after; these were the three most offending sources, in case someone is looking for additional info/research/inspection:

77.109.241.234
74.36.12.13
218.65.201.212

Nmap scan report for adsl-77-109-241-234.kymp.net (77.109.241.234) 
Host is up (0.098s latency). 
 
PORT STATE SERVICE 
1900/udp open|filtered upnp 
Too many fingerprints match this host to give specific OS details
Nmap scan report for 74-36-12-13.dr01.aurr.mn.frontiernet.net (74.36.12.13) 
Host is up (0.022s latency). 
 
PORT STATE SERVICE 
1900/udp open|filtered upnp 
 
Aggressive OS guesses: Aerohive HiveAP 320 WAP (HiveOS 3.4) (95%), AirMagnet SmartEdge wireless sensor, or Foxcam FI8904 or Instar IN-3010 surveillance camera (95%), Allnet 2210 webcam, Cisco MDS 9124 or 9216i switch (SAN-OS 3.1 - 3.2), or Nortel IP Phone 1535 (95%), Aruba 3400 or 6000 wireless LAN controller (ArubaOS 3.3.2) (95%), AT&T 3G MicroCell WAP (95%), Avocent AutoView or DSR2020 KVM switch (95%), Avocent DSR1021 KVM switch (95%), AXIS 211A Network Camera (Linux 2.6) (95%), AXIS 211A Network Camera (Linux 2.6.20) (95%), Buffalo TeraStation Pro III NAS device (95%) 
No exact OS matches for host (test conditions non-ideal).
Nmap scan report for 218.65.201.212 
Host is up (0.020s latency). 
 
PORT STATE SERVICE 
1900/udp open|filtered upnp 
 
Aggressive OS guesses: Sphairon Turbolink IAD DSL modem (97%), 3Com OfficeConnect 3CRWER100-75 wireless broadband router (96%), 3Com OfficeConnect 3CRWER100-75 wireless router (96%), Aastra RFP L32 IP DECT WAP (96%), Acorp W400G or W422G wireless ADSL modem (MontaVista embedded Linux 2.4.17) (96%), Actiontec GT701 DSL modem (96%), Aerohive HiveAP 320 WAP (HiveOS 3.4) (96%), AirMagnet SmartEdge wireless sensor, or Foxcam FI8904 or Instar IN-3010 surveillance camera (96%), Alcatel-Lucent OmniPCX Enterprise PBX (Linux 2.4.17) (96%), Sirio by Alice VoIP phone (96%) 
No exact OS matches for host (test conditions non-ideal).

Apparently those are just residential IP addresses running vulnerable routers with UPnP services exposed on the WAN side.

There were tens of thousands of them attacking a single IP in total… The per-source pps rate was very low (for example 74.36.12.13 was pushing out just 200 pps, and it was one of the top offenders).

Blocking outgoing wordpress bruteforces

Just an emergency fix to deploy while searching for the root cause of outgoing brute-force attacks (it only matches plaintext HTTP on port 80, so the same requests over HTTPS pass through):

iptables -I OUTPUT -p tcp -m multiport --dports 80 -m tcp -m string --algo bm --string "wp-login.php" -j DROP

NTP reflected ddos list and iptables ruleset

Just a list, if you are looking to build your own botnet out of badly managed servers running insecure NTP daemon installations that can be exploited to deliver reflected DDoS attacks.

iptables filtering ruleset (when not running an NTP daemon):

iptables -t raw -I PREROUTING -p udp --dport 123 -j DROP

870 hosts totalling 2.5 Gbit/s; full list follows.


Telecom Italia making use of ARIN / AT&T networks for internal private routing

C:\Users\Marco>tracert -w 100  172.15.5.233
 
Traccia instradamento verso 172.15.5.233 su un massimo di 30 punti di passaggio
 
  1    <1 ms    <1 ms    <1 ms  internet.gateway [192.168.0.200]
  2     *        *        *     Richiesta scaduta.
  3     9 ms     9 ms     9 ms  172.17.81.21
  4     9 ms     9 ms    10 ms  172.17.80.9
  5    18 ms    19 ms    20 ms  172.17.6.181
  6    17 ms    15 ms    15 ms  172.15.5.233
 
Traccia completata.

More amusing traceroutes can be seen here:
https://www.google.it/search?q=telecom+italia+tracert+”172.15.5.233″

NetRange:       172.0.0.0 - 172.15.255.255
CIDR:           172.0.0.0/12
OriginAS:       AS7132
NetName:        SIS-80-8-2012
NetHandle:      NET-172-0-0-0-1
Parent:         NET-172-0-0-0-0
NetType:        Direct Allocation
RegDate:        2012-08-20
Updated:        2012-08-20
Ref:            http://whois.arin.net/rest/net/NET-172-0-0-0-1

Are they aware that, per RFC 1918, only 172.16.0.0/12 is reserved for private use, and not the whole 172/8?

You are copying the bad habits of Fastweb… We want FTTH connections, not RFC violations!


Solaris in.routed (udp 520) reflected ddos

Another service being exploited…
This time, instead of chargen or the usual DNS (UDP 53), the sources of the attack appeared to be running the Solaris in.routed service (source port UDP 520).

If you are running an unsecured box, please CLOSE THAT FUCKING PORT (UDP 520 inbound) or at least do some proper rate limiting!
If you are a carrier/ISP that allows spoofed traffic to leave your network: HOPE YOU GO BANKRUPT AND CLOSE YOUR FUCKING DOORS FOR GOOD!

read more for additional details and logs


Chargen (UDP port 19) – Reflected ddos

Lately I'm seeing the chargen service being abused a lot to execute distributed denial of service attacks.
It's not just a "standard DDoS"… it's a reflected DDoS with a massive amplification rate!!!
(The amplification rate can be as high as 512x… that means that with just a 100 Mbit pipe a malicious attacker could easily accomplish a 10 Gbit+ DDoS!)

What is chargen?

From wikipedia:
In the UDP implementation of the protocol, the server sends a UDP datagram containing a random number (between 0 and 512) of characters every time it receives a datagram from the connecting host.

Apparently there's absolutely no handshake at all with chargen… only the TCP version (obviously) requires a handshake…

How are hosts running chargen (UDP) used as botnets?

To execute the attack, people send spoofed UDP packets with a forged source IP address to hundreds of hosts running chargen (and there are many of them!).
These hosts just reply to the apparent source of such packets, as they are intended to do… the problem is that they are replying to the forged IP address… that host never requested anything from them!

Is my machine vulnerable?

To test if your machine could be exploited, just run:

echo t | nc -u X.X.X.X 19

Replace X.X.X.X with an IP running chargen… If you get a reply, you just found a host that can be used as part of a DDoS botnet…
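The nc one-liner above is the manual form of the check below, added here as an example that is not part of the original post: send one small datagram and measure what comes back, which is exactly the amplification factor a reflector hands out. To run offline it starts a constructed stand-in chargen responder on 127.0.0.1 (a fixed 512-byte reply is an assumption; the real service sends a random 0 to 512 characters) and probes that; point `probe_chargen` at one of your own hosts on port 19 to test that host.

```python
import socket
import threading

PRINTABLE = bytes(range(0x20, 0x7F))  # the character set chargen cycles through


def start_fake_chargen(reply_len=512):
    """Constructed stand-in for a UDP chargen daemon, bound to 127.0.0.1 on an ephemeral port.
    Like the real service it answers *every* datagram, whatever its content or source, with
    no handshake; that is the whole reflection problem. Returns (port, stop_event, thread)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    sock.settimeout(0.2)
    port = sock.getsockname()[1]
    stop = threading.Event()
    reply = (PRINTABLE * (reply_len // len(PRINTABLE) + 1))[:reply_len]

    def serve():
        while not stop.is_set():
            try:
                _data, peer = sock.recvfrom(2048)
            except socket.timeout:
                continue
            sock.sendto(reply, peer)  # no check that 'peer' ever asked for this
        sock.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return port, stop, t


def probe_chargen(host, port, payload=b"t\n", timeout=1.0):
    """Send one small datagram (what `echo t | nc -u HOST 19` does) and measure the answer.
    'replied' is False when nothing comes back within the timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(payload, (host, port))
        reply, _peer = sock.recvfrom(65535)
    except (socket.timeout, OSError):
        return {"replied": False, "request_bytes": len(payload),
                "reply_bytes": 0, "amplification": 0.0}
    finally:
        sock.close()
    return {"replied": True, "request_bytes": len(payload),
            "reply_bytes": len(reply), "amplification": len(reply) / len(payload)}


def self_test():
    """Probe the constructed responder: a host that answers like this is abusable."""
    port, stop, t = start_fake_chargen()
    try:
        return probe_chargen("127.0.0.1", port)
    finally:
        stop.set()
        t.join()


def probe_closed_port(timeout=0.5):
    """Pick a loopback UDP port nothing listens on and probe it: the healthy answer is silence."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return probe_chargen("127.0.0.1", port, timeout=timeout)


if __name__ == "__main__":
    print("open chargen:", self_test())
    print("closed port: ", probe_closed_port())
```

A two-byte request answered with 512 bytes is a 256x amplification from a single datagram, which is the arithmetic behind the 100 Mbit to multi-Gbit figure above; after disabling the service the probe should report `replied: False`.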

How can I make my machine secure?

Disable the chargen service.
(Please be aware of another weak point of chargen: it looks like it can also be used to make machines running chargen attack each other… guess what happens when you have two chargen instances sending packets to each other with UDP port 19 as both source and destination… we get a loop! :D)

If you are running chargen on one of your hosts: CLOSE THAT PORT (UDP 19 inbound)!
If you are a carrier/ISP that allows spoofed traffic to leave your network: HOPE YOU GO BANKRUPT AND CLOSE YOUR DOORS FOR GOOD!

ktnxbye

read more for additional details and logs
