A warning about the 'echo', 'discard' and 'daytime' services too,
since, like 'chargen', they can otherwise be
used for some nasty denial-of-service attacks.
gus i0ojj
On 04/29/2014 07:34 PM, Brian Kantor wrote:
You should check to make sure that you have the 'chargen' service
disabled on your hosts, and block it in your routers if you can.
I've already contacted the people whose system was involved in this attack.
- Brian
----- Forwarded message -----
Subject: Exploitable chargen service used for an attack: 44.x.x.x.
It appears that a public "chargen" service on your network, running
on IP address 44.x.x.x, participated in a large-scale attack against a
customer of ours today, generating large UDP responses to spoofed probes
that claimed to be from the attack target.
chargen is an old testing service that generates large quantities of
traffic with only a small request required. It is commonly enabled by
default on old printers and other connected appliances, but it has no
useful purpose over the open internet.
Please block UDP port 19 (inbound and outbound) at your network
edge, as this should stop these chargen attacks without blocking
legitimate traffic. If the endpoint device that generated this traffic
is configurable, please further investigate whether it is running a
chargen service (and disable it, if so) -- commonly exploited devices
include Cisco hardware that has "udp small servers" mistakenly enabled,
old printers, old UNIX boxes with "chargen" running under inetd, and
Windows boxes with the "Simple TCP/IP services" package installed. Also,
it is worth checking if it is a machine that has been compromised, as
some malware directly generates port 19 traffic, simulating chargen,
and in this way masks its presence.
If you are an ISP, please also look at your network configuration and
make sure that you do not allow spoofed traffic (that pretends to be from
external IP addresses) to leave the network. Hosts that allow spoofed
traffic make possible this type of attack.
----- End forwarded message -----
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net
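The checks the forwarded report asks for (find local hosts answering on UDP/19 with replies far larger than the probes, spot source-port-19 traffic that had no requests behind it, which is the pattern the report attributes to malware simulating chargen, and catch packets leaving the edge with a source address the site does not own) written up as an added Python example by the editor; this is not code from the thread or from any of its participants. The Flow record layout, the 44.0.0.0/8 site prefix, the stub-network assumption in spoofed_egress, the 5x ratio threshold and the sample flow records are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

CHARGEN_PORT = 19
# Assumption: the address space this edge is responsible for (44/8 in the thread's setting).
SITE_PREFIXES = [ipaddress.ip_network("44.0.0.0/8")]


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record (constructed; mimics a NetFlow/IPFIX summary)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int
    bytes: int


# Constructed sample, as seen at the site edge: a 44.x host answering spoofed
# chargen probes with large datagrams, a 44.x host emitting source-port-19
# traffic with no requests, an internal host sending probes to someone else's
# chargen with a forged (RFC 1918) source, and ordinary DNS/TLS traffic.
SAMPLE_FLOWS = [
    Flow("203.0.113.7", 40001, "44.1.2.3", 19, "udp", 2000, 58000),      # 29-byte probes "from" the victim
    Flow("44.1.2.3", 19, "203.0.113.7", 40001, "udp", 2000, 1024000),    # 512-byte replies hit the victim
    Flow("44.7.7.7", 19, "198.51.100.20", 3000, "udp", 300, 150000),     # port-19 traffic, never asked for
    Flow("198.51.100.5", 53000, "44.9.9.9", 53, "udp", 10, 600),         # normal DNS query
    Flow("44.9.9.9", 53, "198.51.100.5", 53000, "udp", 10, 1200),        # normal DNS answer
    Flow("10.20.30.40", 12345, "192.0.2.99", 19, "udp", 500, 14500),     # spoofed probes leaving our edge
    Flow("44.5.5.5", 50000, "198.51.100.9", 443, "tcp", 300, 50000),     # ordinary TLS session
]


def is_local(addr: str) -> bool:
    """True if addr falls inside one of the site's own prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in SITE_PREFIXES)


def chargen_report(flows, min_ratio=5.0):
    """Classify local hosts by their UDP/19 behaviour.

    Returns (amplifiers, unsolicited):
      amplifiers  - {host: bytes_out / bytes_in on UDP/19} for hosts whose
                    replies are at least min_ratio times the requests they got
      unsolicited - hosts sending from UDP/19 with no inbound requests at all
    """
    out_bytes = defaultdict(int)
    in_bytes = defaultdict(int)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.sport == CHARGEN_PORT and is_local(f.src):
            out_bytes[f.src] += f.bytes
        elif f.dport == CHARGEN_PORT and is_local(f.dst):
            in_bytes[f.dst] += f.bytes
    amplifiers = {}
    unsolicited = []
    for host, sent in out_bytes.items():
        received = in_bytes.get(host, 0)
        if received == 0:
            unsolicited.append(host)
        elif sent / received >= min_ratio:
            amplifiers[host] = sent / received
    return amplifiers, unsolicited


def spoofed_egress(flows):
    """Flows crossing the edge with neither endpoint in the site's prefixes.

    Assumes a stub network (no transit for third parties): such a packet can
    only be leaving with a forged source, which is what BCP 38 egress
    filtering at the border is meant to drop.
    """
    return [f for f in flows if not is_local(f.src) and not is_local(f.dst)]


if __name__ == "__main__":
    amplifiers, unsolicited = chargen_report(SAMPLE_FLOWS)
    for host, ratio in amplifiers.items():
        print(f"chargen amplifier {host}: {ratio:.1f}x bytes out vs in on UDP/19")
    for host in unsolicited:
        print(f"unsolicited UDP/19 sender {host}: check for compromise")
    for f in spoofed_egress(SAMPLE_FLOWS):
        print(f"spoofed egress {f.src}:{f.sport} -> {f.dst}:{f.dport} ({f.packets} pkts)")
```

The ratio threshold is deliberately low: real chargen replies are up to 512 bytes per datagram against probes of a few tens of bytes, so a genuine amplifier shows up well above 5x, while DNS and similar services that legitimately answer with somewhat larger packets stay below it.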