Brian, can you tell me how? Been having some kind of issues here. Also think my router is sick. Have a new one on the way. Buffalo WZR-600DHP running DD-WRT latest, non-beta.
73 jerry
On Apr 29, 2014 1:34 PM, Brian Kantor Brian@UCSD.Edu wrote:
You should check to make sure that you have the 'chargen' service disabled on your hosts, and block it in your routers if you can.
I've already contacted the people whose system was involved in this attack.
- Brian
----- Forwarded message -----
Subject: Exploitable chargen service used for an attack: 44.x.x.x.
It appears that a public "chargen" service on your network, running on IP address 44.x.x.x, participated in a large-scale attack against a customer of ours today, generating large UDP responses to spoofed probes that claimed to be from the attack target.
chargen is an old testing service that generates large quantities of traffic with only a small request required. It is commonly enabled by default on old printers and other connected appliances, but it has no useful purpose over the open internet.
Please block UDP port 19 (inbound and outbound) at your network edge, as this should stop these chargen attacks without blocking legitimate traffic. If the endpoint device that generated this traffic is configurable, please further investigate whether it is running a chargen service (and disable it, if so) -- commonly exploited devices include Cisco hardware that has "udp small servers" mistakenly enabled, old printers, old UNIX boxes with "chargen" running under inetd, and Windows boxes with the "Simple TCP/IP services" package installed. Also, it is worth checking if it is a machine that has been compromised, as some malware directly generates port 19 traffic, simulating chargen, and in this way masks its presence.
If you are an ISP, please also look at your network configuration and make sure that you do not allow spoofed traffic (that pretends to be from external IP addresses) to leave the network. Hosts that allow spoofed traffic make possible this type of attack.
----- End forwarded message -----
44Net mailing list 44Net@hamradio.ucsd.edu http://hamradio.ucsd.edu/mailman/listinfo/44net
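The checks the forwarded notice asks for (is chargen enabled under inetd, is anything listening on port 19, and dropping UDP 19 at the edge), as an added example that is not part of the original messages. It assumes an inetd.conf-style file and a Linux router that uses iptables, such as DD-WRT; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find and disable chargen, then filter UDP 19.

# Print "chargen/<proto>" for each enabled chargen line in an inetd.conf-style
# file. Exit status 0 means at least one enabled entry was found.
chargen_in_inetd() {
    awk '$1 == "chargen" { print $1 "/" $3; hit = 1 } END { exit (hit ? 0 : 1) }' "$1"
}

# Print the file with every enabled chargen entry commented out.
disable_chargen() {
    sed 's/^[[:space:]]*chargen[[:space:]]/#&/' "$1"
}

# Read `netstat -lun` or `ss -lun` output on stdin and print the local sockets
# bound to port 19 (any address, IPv4 or IPv6).
port19_listeners() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /:19$/) { print $i; break } }'
}

# Print iptables rules that drop UDP 19 in both directions, for traffic through
# the router (FORWARD) and to the router itself (INPUT).
# Assumption: the edge device is a Linux/iptables router.
edge_rules() {
    for chain in INPUT FORWARD; do
        echo "iptables -I $chain -p udp --dport 19 -j DROP"
        echo "iptables -I $chain -p udp --sport 19 -j DROP"
    done
}

# Constructed sample inetd.conf, written to a temp file for the demo.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#echo    dgram  udp wait   root internal
chargen  stream tcp nowait root internal
chargen  dgram  udp wait   root internal
ftp      stream tcp nowait root /usr/sbin/ftpd ftpd
EOF

echo "enabled before:"; chargen_in_inetd "$sample"
disable_chargen "$sample" > "$sample.fixed"
chargen_in_inetd "$sample.fixed" || echo "enabled after: none"
edge_rules
rm -f "$sample" "$sample.fixed"
```

After editing a real inetd.conf, inetd has to reload its configuration before the change takes effect; `netstat -lun | port19_listeners` printing nothing confirms the port is closed.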