while looking for additional fragments with tcpdump
tcpdump -i any -nnvvXS '((ip[6:2] > 0) and (not ip[6] = 64))'
run a DNS query that produces a fragmented reply
dig ANY financialresearch.gov @208.67.222.222
my own pastebin
Here comes just another volumetric reflected DDoS attack.
This time it’s from the Apple Remote Desktop (UDP) protocol.
The amplification rate looks quite good (35:1).
Apparently there are many hosts online to pick from:
65,538 on Shodan right now, it seems
https://www.shodan.io/search?query=port%3A3283
A lot of MacStadium hosts are apparently being actively exploited.
If you have your Apple Mac in a DMZ or directly on a public IP, please properly secure port 3283.
Searching online, it seems someone else is actually seeing this pattern.
Arbor (Netscout) has more detailed info published: https://www.netscout.com/blog/asert/call-arms-apple-remote-management-service-udp
LDAP reflected ddos
tcpdump -nn -i em1 udp and port 389
15:35:36.667005 IP 75.99.0.158.389 > x.x.x.x.4829: UDP, length 2804
15:35:36.667065 IP 192.162.242.123.389 > x.x.x.x.45750: UDP, length 2993
15:35:36.667105 IP 210.3.1.38.389 > x.x.x.x.61703: UDP, length 2687
15:35:36.667260 IP 210.211.126.112.389 > x.x.x.x.61703: UDP, length 2591
15:35:36.667318 IP 88.198.78.124.389 > x.x.x.x.18313: UDP, length 2955
15:35:36.667407 IP 192.186.71.248.389 > x.x.x.x.45750: UDP, length 3088
15:35:36.667420 IP 193.158.199.220.389 > x.x.x.x.45750: UDP, length 2582
15:35:36.667453 IP 108.60.201.51.389 > x.x.x.x.27164: UDP, length 2969
15:35:36.667472 IP 211.144.154.13.389 > x.x.x.x.61703: UDP, length 2395
15:35:36.667551 IP 78.140.59.119.389 > x.x.x.x.4829: UDP, length 2368
15:35:36.667562 IP 197.231.192.44.389 > x.x.x.x.45750: UDP, length 2959
15:35:36.667575 IP 185.104.180.89.389 > x.x.x.x.29749: UDP, length 3009
15:35:36.667600 IP 108.31.185.59.389 > x.x.x.x.27164: UDP, length 2474
15:35:36.667652 IP 76.16.250.71.389 > x.x.x.x.4829: UDP, length 2622
15:35:36.667708 IP 185.3.168.182.389 > x.x.x.x.29749: UDP, length 2816
15:35:36.667798 IP 196.6.233.18.389 > x.x.x.x.45750: UDP, length 2538
15:35:36.667845 IP 91.106.91.12.389 > x.x.x.x.18313: UDP, length 2863
15:35:36.667869 IP 89.218.64.42.389 > x.x.x.x.18313: UDP, length 2799
15:35:36.667909 IP 193.140.41.174.389 > x.x.x.x.45750: UDP, length 3046
15:35:36.667982 IP 76.213.157.105.389 > x.x.x.x.4829: UDP, length 2894
15:35:36.668086 IP 196.30.230.54.389 > x.x.x.x.45750: UDP, length 2706
15:35:36.668188 IP 75.99.131.234.389 > x.x.x.x.4829: UDP, length 2516
15:35:36.668218 IP 196.11.102.164.389 > x.x.x.x.45750: UDP, length 2798
15:35:36.668248 IP 184.69.98.206.389 > x.x.x.x.29749: UDP, length 2857
15:35:36.668267 IP 121.40.104.130.389 > x.x.x.x.27164: UDP, length 2589
15:35:36.668284 IP 109.166.208.171.389 > x.x.x.x.27164: UDP, length 2772
15:35:36.668343 IP 108.74.106.227.389 > x.x.x.x.27164: UDP, length 2904
15:35:36.668383 IP 88.150.147.131.389 > x.x.x.x.18313: UDP, length 2966
15:35:36.668421 IP 88.198.222.112.389 > x.x.x.x.18313: UDP, length 2714
15:35:36.668463 IP 184.106.234.128.389 > x.x.x.x.29749: UDP, length 2631
15:35:36.668468 IP 88.198.90.43.389 > x.x.x.x.18313: UDP, length 1782
15:35:36.668487 IP 194.247.240.50.389 > x.x.x.x.45750: UDP, length 2937
15:35:36.668641 IP 88.84.197.162.389 > x.x.x.x.18313: UDP, length 1785
15:35:36.668835 IP 115.124.66.19.389 > x.x.x.x.27164: UDP, length 2929
15:35:36.668888 IP 119.160.218.42.389 > x.x.x.x.27164: UDP, length 2497
15:35:36.668920 IP 76.104.14.11.389 > x.x.x.x.4829: UDP, length 2566
15:35:36.668944 IP 112.74.167.244.389 > x.x.x.x.27164: UDP, length 2873
15:35:36.669013 IP 116.12.189.33.389 > x.x.x.x.27164: UDP, length 2628
15:35:36.669163 IP 184.106.250.48.389 > x.x.x.x.29749: UDP, length 2600
15:35:36.669215 IP 115.90.181.114.389 > x.x.x.x.27164: UDP, length 2469
15:35:36.669396 IP 196.15.180.8.389 > x.x.x.x.45750: UDP, length 2632
15:35:36.669400 IP 196.15.180.62.389 > x.x.x.x.45750: UDP, length 2684
15:35:36.669417 IP 109.166.153.104.389 > x.x.x.x.27164: UDP, length 2362
15:35:36.669422 IP 197.148.64.80.389 > x.x.x.x.45750: UDP, length 2711
15:35:36.669463 IP 184.106.234.46.389 > x.x.x.x.29749: UDP, length 2747
15:35:36.669535 IP 88.208.119.250.389 > x.x.x.x.18313: UDP, length 3051
15:35:36.669548 IP 88.220.122.52.389 > x.x.x.x.18313: UDP, length 2868
15:35:36.669755 IP 197.81.233.50.389 > x.x.x.x.45750: UDP, length 2472
15:35:36.669766 IP 196.214.87.66.389 > x.x.x.x.45750: UDP, length 2623
15:35:36.669821 IP 88.198.203.195.389 > x.x.x.x.18313: UDP, length 1917
15:35:36.669942 IP 115.178.16.249.389 > x.x.x.x.27164: UDP, length 2996
15:35:36.670003 IP 184.147.198.111.389 > x.x.x.x.29749: UDP, length 2553
15:35:36.670044 IP 75.99.203.190.389 > x.x.x.x.4829: UDP, length 3046
15:35:36.670212 IP 197.249.132.72.389 > x.x.x.x.45750: UDP, length 2449
15:35:36.670286 IP 88.150.188.42.389 > x.x.x.x.18313: UDP, length 2914
15:35:36.670297 IP 184.155.25.26.389 > x.x.x.x.29749: UDP, length 2881
15:35:36.670411 IP 88.82.192.243.389 > x.x.x.x.18313: UDP, length 2501
15:35:36.670414 IP 186.115.11.67.389 > x.x.x.x.4829: UDP, length 2682
15:35:36.670549 IP 75.99.161.82.389 > x.x.x.x.4829: UDP, length 2861
15:35:36.670583 IP 77.120.243.225.389 > x.x.x.x.4829: UDP, length 2508
15:35:36.670657 IP 193.248.203.67.389 > x.x.x.x.45750: UDP, length 2931
15:35:36.670688 IP 75.35.145.219.389 > x.x.x.x.4829: UDP, length 2897
15:35:36.670819 IP 184.149.19.174.389 > x.x.x.x.29749: UDP, length 2579
15:35:36.671004 IP 197.159.49.36.389 > x.x.x.x.45750: UDP, length 2936
15:35:36.671027 IP 79.175.176.14.389 > x.x.x.x.4829: UDP, length 2891
15:35:36.671055 IP 108.29.161.26.389 > x.x.x.x.27164: UDP, length 2561
15:35:36.671075 IP 200.116.120.158.389 > x.x.x.x.45750: UDP, length 2892
15:35:36.671101 IP 196.15.180.2.389 > x.x.x.x.45750: UDP, length 2640
15:35:36.671186 IP 88.159.158.30.389 > x.x.x.x.18313: UDP, length 2574
15:35:36.671228 IP 108.29.99.165.389 > x.x.x.x.27164: UDP, length 2946
15:35:36.671256 IP 88.198.1.28.389 > x.x.x.x.18313: UDP, length 2949
sample packet:
15:37:21.996866 IP (tos 0x0, ttl 117, id 18284, offset 0, flags [+], proto UDP (17), length 1500)
    179.210.166.177.389 > x.x.x.x.45750: UDP, length 2905
0x0000: 4500 05dc 476c 2000 7511 9265 b3d2 a6b1  E...Gl..u..e....
0x0010: 2ea6 bd15 0185 b2b6 0b61 9566 3084 0000  .........a.f0...
0x0020: 0b3d 0201 0764 8400 000b 3404 0030 8400  .=...d....4..0..
0x0030: 000b 2c30 8400 0000 2604 0b63 7572 7265  ..,0....&..curre
0x0040: 6e74 5469 6d65 3184 0000 0013 0411 3230  ntTime1.......20
0x0050: 3137 3037 3035 3135 3337 3232 2e30 5a30  170705153722.0Z0
0x0060: 8400 0000 5504 1173 7562 7363 6865 6d61  ....U..subschema
0x0070: 5375 6265 6e74 7279 3184 0000 003c 043a  Subentry1....<.:
0x0080: 434e 3d41 6767 7265 6761 7465 2c43 4e3d  CN=Aggregate,CN=
0x0090: 5363 6865 6d61 2c43 4e3d 436f 6e66 6967  Schema,CN=Config
0x00a0: 7572 6174 696f 6e2c 4443 3d45 434f 5445  uration,DC=ECOTE
0x00b0: 502c 4443 3d6c 6f63 616c 3084 0000 0086  P,DC=local0.....
0x00c0: 040d 6473 5365 7276 6963 654e 616d 6531  ..dsServiceName1
0x00d0: 8400 0000 7104 6f43 4e3d 4e54 4453 2053  ....q.oCN=NTDS.S
0x00e0: 6574 7469 6e67 732c 434e 3d45 434f 5352  ettings,CN=ECOSR
0x00f0: 5630 322c 434e 3d53 6572 7665 7273 2c43  V02,CN=Servers,C
0x0100: 4e3d 4465 6661 756c 742d 4669 7273 742d  N=Default-First-
0x0110: 5369 7465 2d4e 616d 652c 434e 3d53 6974  Site-Name,CN=Sit
0x0120: 6573 2c43 4e3d 436f 6e66 6967 7572 6174  es,CN=Configurat
0x0130: 696f 6e2c 4443 3d45 434f 5445 502c 4443  ion,DC=ECOTEP,DC
0x0140: 3d6c 6f63 616c 3084 0000 00ca 040e 6e61  =local0.......na
0x0150: 6d69 6e67 436f 6e74 6578 7473 3184 0000  mingContexts1...
0x0160: 00b4 0412 4443 3d45 434f 5445 502c 4443  ....DC=ECOTEP,DC
0x0170: 3d6c 6f63 616c 0423 434e 3d43 6f6e 6669  =local.#CN=Confi
0x0180: 6775 7261 7469 6f6e 2c44 433d 4543 4f54  guration,DC=ECOT
0x0190: 4550 2c44 433d 6c6f 6361 6c04 2d43 4e3d  EP,DC=local.-CN=
0x01a0: 5363 6865 6d61 2c43 4e3d 436f 6e66 6967  Schema,CN=Config
0x01b0: 7572 6174 696f 6e2c 4443 3d45 434f 5445  uration,DC=ECOTE
0x01c0: 502c 4443 3d6c 6f63 616c 0424 4443 3d44  P,DC=local.$DC=D
0x01d0: 6f6d 6169 6e44 6e73 5a6f 6e65 732c 4443  omainDnsZones,DC
0x01e0: 3d45 434f 5445 502c 4443 3d6c 6f63 616c  =ECOTEP,DC=local
0x01f0: 0424 4443 3d46 6f72 6573 7444 6e73 5a6f  .$DC=ForestDnsZo
0x0200: 6e65 732c 4443 3d45 434f 5445 502c 4443  nes,DC=ECOTEP,DC
0x0210: 3d6c 6f63 616c 3084 0000 0030 0414 6465  =local0....0..de
0x0220: 6661 756c 744e 616d 696e 6743 6f6e 7465  faultNamingConte
0x0230: 7874 3184 0000 0014 0412 4443 3d45 434f  xt1.......DC=ECO
0x0240: 5445 502c 4443 3d6c 6f63 616c 3084 0000  TEP,DC=local0...
0x0250: 004a 0413 7363 6865 6d61 4e61 6d69 6e67  .J..schemaNaming
0x0260: 436f 6e74 6578 7431 8400 0000 2f04 2d43  Context1..../.-C
0x0270: 4e3d 5363 6865 6d61 2c43 4e3d 436f 6e66  N=Schema,CN=Conf
0x0280: 6967 7572 6174 696f 6e2c 4443 3d45 434f  iguration,DC=ECO
0x0290: 5445 502c 4443 3d6c 6f63 616c 3084 0000  TEP,DC=local0...
0x02a0: 0047 041a 636f 6e66 6967 7572 6174 696f  .G..configuratio
0x02b0: 6e4e 616d 696e 6743 6f6e 7465 7874 3184  nNamingContext1.
0x02c0: 0000 0025 0423 434e 3d43 6f6e 6669 6775  ...%.#CN=Configu
0x02d0: 7261 7469 6f6e 2c44 433d 4543 4f54 4550  ration,DC=ECOTEP
0x02e0: 2c44 433d 6c6f 6361 6c30 8400 0000 3304  ,DC=local0....3.
0x02f0: 1772 6f6f 7444 6f6d 6169 6e4e 616d 696e  .rootDomainNamin
0x0300: 6743 6f6e 7465 7874 3184 0000 0014 0412  gContext1.......
0x0310: 4443 3d45 434f 5445 502c 4443 3d6c 6f63  DC=ECOTEP,DC=loc
0x0320: 616c 3084 0000 03a9 0410 7375 7070 6f72  al0.......suppor
0x0330: 7465 6443 6f6e 7472 6f6c 3184 0000 0391  tedControl1.....
0x0340: 0416 312e 322e 3834 302e 3131 3335 3536  ..1.2.840.113556
0x0350: 2e31 2e34 2e33 3139 0416 312e 322e 3834  .1.4.319..1.2.84
0x0360: 302e 3131 3335 3536 2e31 2e34 2e38 3031  0.113556.1.4.801
0x0370: 0416 312e 322e 3834 302e 3131 3335 3536  ..1.2.840.113556
0x0380: 2e31 2e34 2e34 3733 0416 312e 322e 3834  .1.4.473..1.2.84
0x0390: 302e 3131 3335 3536 2e31 2e34 2e35 3238  0.113556.1.4.528
0x03a0: 0416 312e 322e 3834 302e 3131 3335 3536  ..1.2.840.113556
0x03b0: 2e31 2e34 2e34 3137 0416 312e 322e 3834  .1.4.417..1.2.84
0x03c0: 302e 3131 3335 3536 2e31 2e34 2e36 3139  0.113556.1.4.619
0x03d0: 0416 312e 322e 3834 302e 3131 3335 3536  ..1.2.840.113556
0x03e0: 2e31 2e34 2e38 3431 0416 312e 322e 3834  .1.4.841..1.2.84
0x03f0: 302e 3131 3335 3536 2e31 2e34 2e35 3239  0.113556.1.4.529
0x0400: 0416 312e 322e 3834 302e 3131 3335 3536  ..1.2.840.113556
0x0410: 2e31 2e34 2e38 3035 0416 312e 322e 3834  .1.4.805..1.2.84
0x0420: 302e 3131 3335 3536 2e31 2e34 2e35 3231  0.113556.1.4.521
0x0430: 0416 312e 322e 3834 302e 3131 3335 3536  ..1.2.840.113556
0x0440: 2e31 2e34 2e39 3730 0417 312e 322e 3834  .1.4.970..1.2.84
0x0450: 302e 3131 3335 3536 2e31 2e34 2e31 3333  0.113556.1.4.133
0x0460: 3804 1631 2e32 2e38 3430 2e31 3133 3535  8..1.2.840.11355
0x0470: 362e 312e 342e 3437 3404 1731 2e32 2e38  6.1.4.474..1.2.8
0x0480: 3430 2e31 3133 3535 362e 312e 342e 3133  40.113556.1.4.13
0x0490: 3339 0417 312e 322e 3834 302e 3131 3335  39..1.2.840.1135
0x04a0: 3536 2e31 2e34 2e31 3334 3004 1731 2e32  56.1.4.1340..1.2
0x04b0: 2e38 3430 2e31 3133 3535 362e 312e 342e  .840.113556.1.4.
0x04c0: 3134 3133 0417 322e 3136 2e38 3430 2e31  1413..2.16.840.1
0x04d0: 2e31 3133 3733 302e 332e 342e 3904 1832  .113730.3.4.9..2
0x04e0: 2e31 362e 3834 302e 312e 3131 3337 3330  .16.840.1.113730
0x04f0: 2e33 2e34 2e31 3004 1731 2e32 2e38 3430  .3.4.10..1.2.840
0x0500: 2e31 3133 3535 362e 312e 342e 3135 3034  .113556.1.4.1504
0x0510: 0417 312e 322e 3834 302e 3131 3335 3536  ..1.2.840.113556
0x0520: 2e31 2e34 2e31 3835 3204 1631 2e32 2e38  .1.4.1852..1.2.8
0x0530: 3430 2e31 3133 3535 362e 312e 342e 3830  40.113556.1.4.80
0x0540: 3204 1731 2e32 2e38 3430 2e31 3133 3535  2..1.2.840.11355
0x0550: 362e 312e 342e 3139 3037 0417 312e 322e  6.1.4.1907..1.2.
0x0560: 3834 302e 3131 3335 3536 2e31 2e34 2e31  840.113556.1.4.1
0x0570: 3934 3804 1731 2e32 2e38 3430 2e31 3133  948..1.2.840.113
0x0580: 3535 362e 312e 342e 3139 3734 0417 312e  556.1.4.1974..1.
0x0590: 322e 3834 302e 3131 3335 3536 2e31 2e34  2.840.113556.1.4
0x05a0: 2e31 3334 3104 1731 2e32 2e38 3430 2e31  .1341..1.2.840.1
0x05b0: 3133 3535 362e 312e 342e 3230 3236 0417  13556.1.4.2026..
0x05c0: 312e 322e 3834 302e 3131 3335 3536 2e31  1.2.840.113556.1
0x05d0: 2e34 2e32 3036 3404 1731 2e32            .4.2064..1.2
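The sample packet above is the first fragment of a 2905-byte LDAP reply (the `flags [+]` in the header line is the More Fragments bit), which is exactly what the tcpdump filter at the top of the page, `((ip[6:2] > 0) and (not ip[6] = 64))`, is written to catch. The following Python is an added example, not code from the original post: it decodes the IPv4 and UDP headers from the first two rows of that hex dump and applies the same test the BPF expression does, so you can see why the first fragment matches, why a plain DF-only packet does not, and why a trailing fragment (offset set, MF clear) still does. `SAMPLE_HEX` is constructed from the dump above with the offset and ASCII columns removed.

```python
"""Decode IPv4/UDP headers from a tcpdump -X hex dump and apply the page's
fragment filter ((ip[6:2] > 0) and (not ip[6] = 64)) to them.

Added example, not code from the original post.
"""
import struct

# Constructed from the first two rows of the LDAP reply dump on the page:
# 20-byte IPv4 header, 8-byte UDP header, first 4 bytes of LDAP payload.
SAMPLE_HEX = (
    "4500 05dc 476c 2000 7511 9265 b3d2 a6b1 "
    "2ea6 bd15 0185 b2b6 0b61 9566 3084 0000"
)

IP_DF = 0x2  # Don't Fragment flag (bit 14 of the flags/offset field)
IP_MF = 0x1  # More Fragments flag (bit 13)


def hexdump_to_bytes(text):
    """Join the hex columns of tcpdump -X rows (offsets and ASCII already removed) into bytes."""
    return bytes.fromhex("".join(text.split()))


def bpf_fragment_match(pkt):
    """Mirror of the page's BPF filter, byte for byte.

    ip[6:2] is the 16-bit flags + fragment-offset field; it is > 0 whenever DF,
    MF or a non-zero offset is set.  ip[6] == 64 (0x40) is the ordinary
    "DF set, nothing else" case, which the filter excludes so that unfragmented
    DF traffic (most TCP, DNS with DF) does not match.
    """
    return int.from_bytes(pkt[6:8], "big") > 0 and pkt[6] != 64


def parse_ipv4_udp(pkt):
    """Return the fields tcpdump -vv prints for this datagram.

    The UDP header exists only in the first fragment (offset 0), so the UDP
    ports and length are filled in only in that case.
    """
    if pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_length, ident, frag_field = struct.unpack("!HHH", pkt[2:8])
    flags = frag_field >> 13
    info = {
        "total_length": total_length,
        "id": ident,
        "dont_fragment": bool(flags & IP_DF),
        "more_fragments": bool(flags & IP_MF),
        "frag_offset": (frag_field & 0x1FFF) * 8,  # offset is stored in 8-byte units
        "ttl": pkt[8],
        "proto": pkt[9],
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
        "bpf_match": bpf_fragment_match(pkt),
    }
    if info["proto"] == 17 and info["frag_offset"] == 0 and len(pkt) >= ihl + 8:
        sport, dport, udp_length = struct.unpack("!HHH", pkt[ihl:ihl + 6])
        info.update({
            "sport": sport,
            "dport": dport,
            # tcpdump's "UDP, length N" is the UDP length field minus the 8-byte header
            "udp_payload_length": udp_length - 8,
        })
    return info


if __name__ == "__main__":
    for key, value in parse_ipv4_udp(hexdump_to_bytes(SAMPLE_HEX)).items():
        print(f"{key:>20}: {value}")
```

Decoding the sample gives id 18284, ttl 117, proto 17, total length 1500, MF set with offset 0, and UDP 389 to 45750 with a 2905-byte payload, matching the header line tcpdump printed. Note the filter's blind spot: a packet whose reserved bit is set together with DF (`ip[6] == 0xC0`) also passes `not ip[6] = 64`, so it will show up in the capture even though it is not a fragment; filtering on `ip[6] & 0x3f != 0` (MF or any offset bit) is the tighter test if that noise matters.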
So it happened… today a company I work with received their first DDoS attack with source port 1900 UDP.
The recorded attack peak was 1301 Mbit/s with 530,463 packets/s.
I didn’t have the time to take a full network traffic dump as the attack ceased shortly after; these were the three most offending attackers, in case someone is looking for additional info/research/inspection:
77.109.241.234
74.36.12.13
218.65.201.212
Nmap scan report for adsl-77-109-241-234.kymp.net (77.109.241.234)
Host is up (0.098s latency).
PORT     STATE         SERVICE
1900/udp open|filtered upnp
Too many fingerprints match this host to give specific OS details

Nmap scan report for 74-36-12-13.dr01.aurr.mn.frontiernet.net (74.36.12.13)
Host is up (0.022s latency).
PORT     STATE         SERVICE
1900/udp open|filtered upnp
Aggressive OS guesses: Aerohive HiveAP 320 WAP (HiveOS 3.4) (95%), AirMagnet SmartEdge wireless sensor, or Foxcam FI8904 or Instar IN-3010 surveillance camera (95%), Allnet 2210 webcam, Cisco MDS 9124 or 9216i switch (SAN-OS 3.1 - 3.2), or Nortel IP Phone 1535 (95%), Aruba 3400 or 6000 wireless LAN controller (ArubaOS 3.3.2) (95%), AT&T 3G MicroCell WAP (95%), Avocent AutoView or DSR2020 KVM switch (95%), Avocent DSR1021 KVM switch (95%), AXIS 211A Network Camera (Linux 2.6) (95%), AXIS 211A Network Camera (Linux 2.6.20) (95%), Buffalo TeraStation Pro III NAS device (95%)
No exact OS matches for host (test conditions non-ideal).

Nmap scan report for 218.65.201.212
Host is up (0.020s latency).
PORT     STATE         SERVICE
1900/udp open|filtered upnp
Aggressive OS guesses: Sphairon Turbolink IAD DSL modem (97%), 3Com OfficeConnect 3CRWER100-75 wireless broadband router (96%), 3Com OfficeConnect 3CRWER100-75 wireless router (96%), Aastra RFP L32 IP DECT WAP (96%), Acorp W400G or W422G wireless ADSL modem (MontaVista embedded Linux 2.4.17) (96%), Actiontec GT701 DSL modem (96%), Aerohive HiveAP 320 WAP (HiveOS 3.4) (96%), AirMagnet SmartEdge wireless sensor, or Foxcam FI8904 or Instar IN-3010 surveillance camera (96%), Alcatel-Lucent OmniPCX Enterprise PBX (Linux 2.4.17) (96%), Sirio by Alice VoIP phone (96%)
No exact OS matches for host (test conditions non-ideal).
Apparently those are just residential IP addresses running vulnerable routers with UPnP services exposed on the WAN side.
There were tens of thousands of them attacking a single IP in total… the per-source pps rate was very, very low (for example 74.36.12.13 was pushing out just 200 pps and it was one of the top offenders).
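Both the LDAP capture and this SSDP flood share the same signature in a plain `tcpdump -nn` summary: many distinct source hosts, all answering from one well-known service port (389, 1900), sending fat datagrams to a handful of victim ports that nobody on the victim side ever opened. The script below is an added example, not code from the original post; it parses summary lines in the format shown in the LDAP capture, aggregates them per source port, and flags the ports that look reflected. `SAMPLE_LINES` is a constructed capture using RFC 5737 documentation addresses, with 203.0.113.5 playing the victim, and the thresholds are assumptions to tune against your own baseline.

```python
"""Group a tcpdump -nn UDP capture by source port to spot reflected floods.

Added example, not code from the original post.
"""
import re
from collections import defaultdict

# Constructed sample capture (RFC 5737 documentation addresses, not real reflectors).
# 203.0.113.5 is the victim; the last two lines are its own legitimate DNS traffic.
SAMPLE_LINES = """\
15:35:36.667005 IP 192.0.2.10.389 > 203.0.113.5.4829: UDP, length 2804
15:35:36.667065 IP 192.0.2.11.389 > 203.0.113.5.45750: UDP, length 2993
15:35:36.667105 IP 198.51.100.7.389 > 203.0.113.5.61703: UDP, length 2687
15:35:36.667260 IP 198.51.100.8.389 > 203.0.113.5.61703: UDP, length 2591
15:35:36.667318 IP 192.0.2.12.389 > 203.0.113.5.18313: UDP, length 2955
15:35:36.667407 IP 192.0.2.13.1900 > 203.0.113.5.45750: UDP, length 310
15:35:36.667420 IP 198.51.100.9.1900 > 203.0.113.5.45750: UDP, length 298
15:35:36.667433 IP 198.51.100.10.1900 > 203.0.113.5.4829: UDP, length 322
15:35:36.667453 IP 203.0.113.5.53 > 192.0.2.50.52311: UDP, length 94
15:35:36.667472 IP 192.0.2.50.53 > 203.0.113.5.52311: UDP, length 131
garbage line that does not parse
"""

# "HH:MM:SS.ffffff IP src.sport > dst.dport: UDP, length N" (tcpdump -nn, IPv4 only)
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): UDP, length (?P<length>\d+)$"
)


def parse_line(line):
    """Return a dict for one UDP summary line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "length"):
        rec[key] = int(rec[key])
    return rec


def summarize_by_source_port(lines, victim):
    """Aggregate datagrams sent *to* victim, keyed by the sender's source port."""
    stats = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0, "victim_ports": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dst"] != victim:
            continue
        s = stats[rec["sport"]]
        s["sources"].add(rec["src"])
        s["packets"] += 1
        s["bytes"] += rec["length"]
        s["victim_ports"].add(rec["dport"])
    return dict(stats)


def flag_reflection(stats, min_sources=3, min_avg_length=256):
    """Pick out source ports that look like a reflected flood.

    Heuristic (thresholds are assumptions): several distinct hosts all answering
    from the same service port, with datagrams larger than a normal reply, aimed
    at the few victim ports the attacker put in the spoofed requests.
    """
    flagged = {}
    for sport, s in stats.items():
        avg = s["bytes"] / s["packets"]
        if len(s["sources"]) >= min_sources and avg >= min_avg_length:
            flagged[sport] = {
                "sources": len(s["sources"]),
                "avg_length": avg,
                "victim_ports": sorted(s["victim_ports"]),
            }
    return flagged


if __name__ == "__main__":
    stats = summarize_by_source_port(SAMPLE_LINES.splitlines(), "203.0.113.5")
    for sport, detail in sorted(flag_reflection(stats).items()):
        print(f"source port {sport}: {detail}")
```

On the sample this flags 389 (five sources, 2806-byte average) and 1900 (three sources, 310-byte average) and leaves 53 alone, because the only DNS datagram reaching the victim comes from a single resolver. For the SSDP case the page describes, the average size is small and the signal is in the source count instead, which is why the heuristic checks both rather than size alone; in production you would feed it `tcpdump -nn -l udp and dst host <victim>` over a time window and alert on a port whose source count jumps against its baseline.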
Just an emergency fix to deploy while searching for the root cause of outgoing brute-force attacks (it drops any outbound TCP packet to port 80 whose payload contains the string "wp-login.php"):
iptables -I OUTPUT -p tcp -m multiport --dports 80 -m tcp -m string --algo bm --string "wp-login.php" -j DROP
Just a list, if you are looking to build your own botnet out of badly managed servers running insecure NTP daemon installations that can be exploited to deliver reflected DDoS attacks.
iptables filtering ruleset (when not running an NTP daemon):
iptables -t raw -I PREROUTING -p udp --dport 123 -j DROP
870 hosts totalling 2.5 Gbit/s; the full list follows.
Continue reading “NTP reflected ddos list and iptables ruleset”
C:\Users\Marco>tracert -w 100 172.15.5.233

Traccia instradamento verso 172.15.5.233
su un massimo di 30 punti di passaggio

  1    <1 ms    <1 ms    <1 ms  internet.gateway [192.168.0.200]
  2     *        *        *     Richiesta scaduta.
  3     9 ms     9 ms     9 ms  172.17.81.21
  4     9 ms     9 ms    10 ms  172.17.80.9
  5    18 ms    19 ms    20 ms  172.17.6.181
  6    17 ms    15 ms    15 ms  172.15.5.233

Traccia completata.
More amusing traceroutes can be seen here:
https://www.google.it/search?q=telecom+italia+tracert+”172.15.5.233″
NetRange:       172.0.0.0 - 172.15.255.255
CIDR:           172.0.0.0/12
OriginAS:       AS7132
NetName:        SIS-80-8-2012
NetHandle:      NET-172-0-0-0-1
Parent:         NET-172-0-0-0-0
NetType:        Direct Allocation
RegDate:        2012-08-20
Updated:        2012-08-20
Ref:            http://whois.arin.net/rest/net/NET-172-0-0-0-1

Are they aware that only 172.16.0.0/12 is reserved for private use as per RFC 1918, and not the whole 172/8?
You are copying Fastweb’s bad habits… We want FTTH connections, not RFC violations!
Continue reading “Telecom Italia making use of ARIN / AT&T networks for internal private routing”
Another service being exploited…
This time, instead of chargen or the usual DNS (UDP 53), the sources of the attack appeared to be running the Solaris in.routed service (source port UDP 520).
If you are running an unsecured box, please CLOSE THAT FUCKING PORT (IN UDP 520) or at least do some proper rate limiting!
If you are a carrier/ISP that allows spoofed traffic to leave your network: I HOPE YOU GO BANKRUPT AND CLOSE YOUR FUCKING DOORS FOR GOOD!
Read more for additional details and logs.
Continue reading “Solaris in.routed (udp 520) reflected ddos”
http://www.webhostingtalk.com/showthread.php?p=8130717#post8130717
AHAHAHAHAH
EDIT: for a more complete explanation:
http://blog.grg-web.eu/2012/05/rfc-ignorate-la-fine-del-mondo-inizia-con-fastweb/
Lately I’m seeing the chargen service being abused a lot to execute distributed denial of service attacks.
It’s not just a “standard DDoS”… it’s a reflected DDoS with a massive amplification rate!!!
(The amplification rate can be as high as 512x… that means that with just a 100 Mbit pipe a malicious attacker could easily accomplish a 10 Gbit+ DDoS!)
What is chargen?
From wikipedia:
In the UDP implementation of the protocol, the server sends a UDP datagram containing a random number (between 0 and 512) of characters every time it receives a datagram from the connecting host.
Apparently there’s absolutely no handshake at all with chargen… only the TCP version (obviously) requires a handshake…
How are hosts running chargen (UDP) used as botnets?
To execute the attack, people are sending spoofed UDP packets with a forged source IP address to hundreds of hosts running chargen (and there are many of them!).
These hosts just reply to the apparent source of such packets, as they are intended to do… the problem is that they are replying to the forged IP address, a host that never requested anything from them!
Is my machine vulnerable?
To test whether your machine could be exploited, just run:
echo t | nc -u X.X.X.X 19
Replace X.X.X.X with an IP running chargen… If you get a reply, you just found a host that can be used as part of a DDoS botnet…
How can I make my machine secure?
Disable the chargen service.
(Please be aware of another weak point of chargen: it looks like it can also be used to make machines running chargen attack each other… guess what happens when you have two chargen servers sending packets to each other with to&from port 19 UDP… we get a loop! :D)
If you are running chargen on one of your hosts: CLOSE THAT PORT (IN UDP 19)!
If you are a carrier/ISP that allows spoofed traffic to leave your network: I HOPE YOU GO BANKRUPT AND CLOSE YOUR DOORS FOR GOOD!
ktnxbye
Read more for additional details and logs.