Original issue date: February 8, 1996<BR>
Last revised: September 24, 1997<BR>
Updated copyright statement

<P>A complete revision history is at the end of this file.

<BR>The CERT Coordination Center has received reports of programs that
launch denial-of-service attacks by creating a "UDP packet storm" either
on a system or between two systems. An attack on one host causes that host
to perform poorly. An attack between two hosts can cause extreme network
congestion in addition to adversely affecting host performance.

<P>The CERT staff recommends disabling unneeded UDP services on each host,
in particular the chargen and echo services, and filtering these services
at the firewall or Internet gateway.

<P>Because the UDP port denial-of-service attacks typically involve IP
spoofing, we encourage you to follow the recommendations in advisory <A HREF="http://www.cert.org/advisories/CA-96.21.tcp_syn_flooding.html">CA-96.21</A>.

<P>We will update this advisory as we receive additional information. Please
check advisory files regularly for updates that relate to your site.

<P><HR>
<H2>I. Description</H2>
Several UDP services answer every datagram they receive: echo returns the
datagram to its sender, and chargen returns a stream of characters. UDP has no
connection setup, so a single datagram whose source address and port have been
forged to name one such service, sent to another such service on the same or a
different host, is enough to start the exchange. Each reply becomes new input
for the other service, and the two trade packets indefinitely at whatever rate
the hosts and network allow, which can lead to a denial of service on the
machine(s) where the services are offered. Anyone with network connectivity
can launch an attack; no account access is needed.

<P>For example, by connecting a host's chargen service to the echo service
on the same or another machine, all affected machines may be effectively
taken out of service because of the excessively high number of packets
produced. In addition, if two or more hosts are so connected, the intervening
network may also become congested and deny service to all hosts whose traffic
traverses that network.
<H2>II. Impact</H2>
Anyone with network connectivity can cause a denial of service. This attack
does not enable them to gain additional access.
<H2>III. Solution</H2>
We recommend taking all the steps described below.
<H4>1. Disable and filter chargen and echo services.</H4>
This attack is most readily exploited using the chargen or echo services,
neither of which is generally needed as far as we are aware. We recommend
that you disable both services on the host and filter them at the firewall
or Internet gateway.

<P>To disable these services on a host, it is necessary to edit the inetd
configuration file and cause inetd to begin using the new configuration.
Exactly how to do this is system dependent so you should check your vendor's
documentation for <I>inetd(8)</I>; but on many UNIX systems the steps will
be as follows:
<OL>
<LI>Edit the inetd configuration file (e.g. /etc/inetd.conf).</LI>

<LI>Comment out the echo, chargen, and other UDP services not used.</LI>

<LI>Cause the inetd process to reread the configuration file (e.g., by sending
it a HUP signal).</LI>
</OL>
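<P>The three steps above, carried out by a script. This is an added example and
not part of the CERT advisory; it assumes the classic inetd.conf column layout
(service, socket type, protocol, wait/nowait, user, server, arguments), a
constructed sample file rather than a real system file, and a pid file path
for inetd that varies by system.

```shell
#!/bin/sh
# Added example (not from CERT advisory CA-96.01): disable UDP "small
# services" in an inetd.conf-style file and reload inetd.
# Assumed line format:  service  socket-type  protocol  wait/nowait  user  server  args
# Column 1 is the service name, column 3 the protocol.

# disable_inetd_services FILE PROTO SERVICE...
#   Step 2: comment out every active entry in FILE whose protocol is PROTO
#   and whose service name is one of SERVICE...; rewrites FILE in place.
disable_inetd_services() {
    f=$1; proto=$2; shift 2
    awk -v proto="$proto" -v names="$*" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }   # comments and blanks pass through
        ($1 in want) && $3 == proto { print "#" $0; next }     # disable matching entries
        { print }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# count_enabled FILE SERVICE PROTO
#   Prints the number of active (uncommented) entries for SERVICE/PROTO,
#   so the change can be checked before inetd is reloaded.
count_enabled() {
    awk -v s="$2" -v p="$3" \
        '!/^[[:space:]]*#/ && $1 == s && $3 == p { n++ } END { print n + 0 }' "$1"
}

# reload_inetd [PIDFILE]
#   Step 3: send inetd a HUP so it rereads its configuration.  Signals only
#   if the pid file exists; /var/run/inetd.pid is an assumed default.
reload_inetd() {
    pidfile=${1:-/var/run/inetd.pid}
    [ -r "$pidfile" ] && kill -HUP "$(cat "$pidfile")"
}

# --- demonstration on a constructed inetd.conf (not a real system file) ---
conf=$(mktemp)
cat > "$conf" <<'EOF'
# constructed sample inetd.conf
echo     stream  tcp  nowait  root  internal
echo     dgram   udp  wait    root  internal
chargen  stream  tcp  nowait  root  internal
chargen  dgram   udp  wait    root  internal
daytime  dgram   udp  wait    root  internal
ftp      stream  tcp  nowait  root  /usr/sbin/ftpd  ftpd -l
EOF

disable_inetd_services "$conf" udp echo chargen daytime
echo "active udp echo entries: $(count_enabled "$conf" echo udp)"
cat "$conf"
rm -f "$conf"
# On a real host, follow with: reload_inetd
```

The script touches only the UDP entries, as the advisory's step 2 directs;
pass <TT>tcp</TT> as the protocol argument to disable the TCP variants as well.
Check the count before reloading, since a service listed twice (for example
once per protocol) is only fully off when every active entry is commented out.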

<H4>2. Disable and filter other unused UDP services.</H4>
To protect against similar attacks against other services, we recommend:

<P>- disabling all unused UDP services on hosts and
<BR>- blocking at firewalls all UDP ports less than 900 with the exception
of specific services you require, such as DNS (port 53).
<H4>3. If you must provide external access to some UDP services, consider using a proxy mechanism to protect that service from misuse.</H4>
Techniques to do this are discussed in Chapter 8, "Configuring Internet
Services," in _Building Internet Firewalls_ by Chapman and Zwicky (see
Section IV below).
<H4>4. Monitor your network.</H4>
If you do provide external UDP services, we recommend monitoring your network
to learn which systems are using these services and to monitor for signs
of misuse. Tools for doing so include Argus, tcpdump, and netlog.

<P>Argus is available from

<P><A HREF="ftp://ftp.net.cmu.edu/pub/argus-1.5/">ftp://ftp.net.cmu.edu/pub/argus-1.5/</A>

<BR>MD5 (argus-1.5.tar.gz) = 9c7052fb1742f9f6232a890267c03f3c

<P>Note that Argus requires the TCP wrappers to install:

<P><A HREF="ftp://ftp.cert.org/pub/tools/tcp_wrappers/">ftp://ftp.cert.org/pub/tools/tcp_wrappers/tcp_wrappers_7.2.tar.Z</A>
<BR>MD5 (tcp_wrappers_7.2.tar.Z) = 883d00cbd2dedd9bfc783b7065740e74

<P>tcpdump is available from

<P><A HREF="ftp://ftp.ee.lbl.gov/tcpdump-3.0.2.tar.Z">ftp://ftp.ee.lbl.gov/tcpdump-3.0.2.tar.Z</A>
<BR>MD5 (tcpdump-3.0.2.tar.Z) = c757608d5823aa68e4061ebd4753e591

<P>Note that tcpdump requires libpcap, available at

<P><A HREF="ftp://ftp.ee.lbl.gov/libpcap-0.0.6.tar.Z">ftp://ftp.ee.lbl.gov/libpcap-0.0.6.tar.Z</A>
<BR>MD5 (libpcap-0.0.6.tar.Z) = cda0980f786932a7e2eebfb2641aa7a0

<P>netlog is available from

<P><A HREF="ftp://net.tamu.edu/pub/security/TAMU/netlog-1.2.tar.gz">ftp://net.tamu.edu/pub/security/TAMU/netlog-1.2.tar.gz</A>
<BR>MD5 (netlog-1.2.tar.gz) = 1dd62e7e96192456e8c75047c38e994b
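<P>A small filter for tcpdump output that picks out the traffic pattern
described in Section I: UDP datagrams whose source and destination ports are
both services that answer every datagram. This is an added example and not
part of the CERT advisory or of the tcpdump distribution; it assumes tcpdump's
"src.port > dst.port:" line shape, where the port after the last dot may be a
name or a number, and the log lines it runs over are constructed for the
demonstration.

```shell
#!/bin/sh
# Added example (not from CERT advisory CA-96.01): flag UDP "loop" traffic
# in tcpdump output.  Assumes lines of the form
#   TIME SRC.PORT > DST.PORT: udp LEN
# where PORT may be printed as a name (echo, chargen) or a number.

# Capture filter for live monitoring (standard BPF syntax).  Ports 7 (echo)
# and 19 (chargen) are the pair named in the advisory; 13 (daytime) and
# 17 (qotd) are included because they also answer any datagram.
CAPTURE_FILTER='udp and (port 7 or port 13 or port 17 or port 19)'

# flag_udp_loops FILE
#   Prints every line of FILE in which both endpoints' UDP ports belong to
#   an answering service, i.e. a datagram that will be answered with another.
flag_udp_loops() {
    awk '
        BEGIN {
            loop["7"] = 1;  loop["echo"] = 1
            loop["13"] = 1; loop["daytime"] = 1
            loop["17"] = 1; loop["qotd"] = 1
            loop["19"] = 1; loop["chargen"] = 1
        }
        # port(ep): text after the last "." of an endpoint such as 192.0.2.10.chargen:
        function port(ep,   n, a) { sub(/:$/, "", ep); n = split(ep, a, "."); return a[n] }
        tolower($0) ~ /udp/ {
            for (i = 2; i < NF; i++)
                if ($i == ">" && (port($(i-1)) in loop) && (port($(i+1)) in loop)) { print; break }
        }
    ' "$1"
}

# count_udp_loops FILE -> number of flagged lines
count_udp_loops() { flag_udp_loops "$1" | wc -l | tr -d " "; }

# --- demonstration on constructed tcpdump-style lines (not a real capture) ---
log=$(mktemp)
cat > "$log" <<'EOF'
12:00:01.000000 192.0.2.10.chargen > 198.51.100.5.echo: udp 512
12:00:01.000100 198.51.100.5.echo > 192.0.2.10.chargen: udp 512
12:00:02.000000 192.0.2.10.1034 > 198.51.100.5.domain: udp 48
12:00:03.000000 203.0.113.7.19 > 198.51.100.5.7: udp 400
12:00:04.000000 203.0.113.7.1025 > 198.51.100.5.echo: udp 12
EOF

echo "capture with: tcpdump -n '$CAPTURE_FILTER'"
flag_udp_loops "$log"
echo "flagged: $(count_udp_loops "$log")"
rm -f "$log"
```

A single flagged datagram is already worth investigating, since one is all the
attack needs; a sustained stream of them between the same two endpoints is the
storm itself. The last sample line, a client on an ephemeral port querying
echo, is legitimate use and is not flagged.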
<H4>5. Take steps against IP spoofing.</H4>
Because IP spoofing is typically involved in UDP port denial-of-service
attacks, we encourage you to follow the guidance in advisory CA-95:01,
available from

<P><A HREF="http://www.cert.org/advisories/CA-95.01.IP.spoofing.attacks.and.hijacked.terminal.connections.html">http://www.cert.org/advisories/CA-95.01.IP.spoofing.attacks.and.hijacked.terminal.connections.html</A>
<H2>IV. Sources of further information about packet filtering</H2>
For general packet-filtering recommendations, see

<P><A HREF="ftp://ftp.cert.org/pub/tech_tips/packet_filtering">ftp://ftp.cert.org/pub/tech_tips/packet_filtering</A>

<P>For in-depth discussions of how to configure your firewall, see

<P><I>Firewalls and Internet Security: Repelling the Wily Hacker</I>
<BR>William R. Cheswick and Steven M. Bellovin
<BR>Addison-Wesley Publishing Company, 1994
<BR>ISBN 0-201-63357

<P><I>Building Internet Firewalls</I>
<BR>Brent Chapman and Elizabeth D. Zwicky
<BR>O'Reilly &amp; Associates, Inc., 1995
<BR>ISBN 1-56592-124-0

<P><HR>

<P>The CERT Coordination Center staff thanks Peter D. Skopp of Columbia
University for reporting the vulnerability and Steve Bellovin of AT&amp;T
Bell Labs for his support in responding to this problem.

<P><HR>

<H2>UPDATES</H2>
<H4>Cisco</H4>
Cisco Alert Summary:

<P><A HREF="http://www.cisco.com/warp/public/146/917_security.html">http://www.cisco.com/warp/public/146/917_security.html</A>

<P>Cisco Security Guide

<P><A HREF="http://www.cisco.com/univercd/data/doc/cintrnet/ics/icssecur.htm">http://www.cisco.com/univercd/data/doc/cintrnet/ics/icssecur.htm</A>

<H4>Silicon Graphics Inc.</H4>
SGI acknowledges CERT Advisory CA-96.01 and is currently investigating.
No further information is available at this time.

<P>Copyright 1996, 1997 Carnegie Mellon University.</P>

<HR>

Revision History
<PRE>
Sep. 24, 1997 Updated copyright statement
Feb. 14, 1997 Introduction - updated the IP spoofing reference to CA-96.21.
              Updates section - added pointers to CISCO documents. 
Aug. 30, 1996 Information previously in the README was inserted into
              the advisory.
Feb. 23, 1996 Updates section - added information from Silicon Graphics, Inc. 
Feb. 21, 1996 Solution, Sec. III.4 - added new URL for Argus.
</PRE>