NTP, SNMP and CHARGEN Rate-limiting

Late last week, Information Systems & Technology (IS&T) installed a rate-limiting policy on the MIT border routers to limit certain types of traffic.

Over the past year, several services that run over the User Datagram Protocol (UDP), including NTP (123/udp), SNMP (161/udp), and CHARGEN (19/udp), have been used to carry out distributed denial of service (DDoS) attacks. These attacks exploit two things: UDP is connectionless, so the source address on a datagram is never verified, and the NTP, SNMP, and CHARGEN services answer a small query with a much larger response. In short, an attacker sends a small query with the source address forged to be that of the target; the vulnerable service then sends its far larger reply to the target, amplifying the attacker's traffic by up to 200-fold.

While these protocols are extremely useful in network management, this behavior allows attackers to use MIT hosts as reflectors to attack third parties. In extreme cases, as was experienced early last Friday morning, the volume of reply traffic can be large enough to disrupt MITnet connectivity.

As a result of the outage, a rate-limiting policy has been installed on the MIT border routers to limit NTP, SNMP, and CHARGEN traffic (123/udp, 161/udp, and 19/udp) arriving from external addresses.
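As an added illustration of both the amplification mechanics described above and the kind of per-service rate limit the border policy applies, the script below is constructed for this page and is not part of the IS&T notice or any MIT tooling. It pairs outbound replies on 19/123/161 with the inbound queries that triggered them, reports the byte amplification factor, and runs a simple token-bucket policer over a constructed query flood. The 18.0.0.0/8 prefix standing in for MITnet, the flow records, and the rate and burst figures are all assumptions, not the actual MIT configuration.

```python
"""Added example, not part of the IS&T notice: match inbound UDP queries to the
outbound replies they trigger, compute the amplification factor, and model a
per-port policer like the border rate limit. All data below is constructed."""
import ipaddress
from collections import defaultdict

# Ports the notice names, with the service each reflects.
AMPLIFIED_PORTS = {19: "CHARGEN", 123: "NTP", 161: "SNMP"}

# Assumption: 18.0.0.0/8 stands in for MITnet; anything else is "external".
INTERNAL = ipaddress.ip_network("18.0.0.0/8")


def is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL


# Constructed unidirectional UDP flow records: (src, sport, dst, dport, packets, bytes).
# 203.0.113.7 is the spoofed victim address; 18.0.0.x are campus hosts.
FLOWS = [
    ("203.0.113.7", 50000, "18.0.0.10", 123, 1, 60),      # spoofed NTP query
    ("18.0.0.10", 123, "203.0.113.7", 50000, 20, 9640),   # 20 reply packets to the victim
    ("203.0.113.7", 50001, "18.0.0.20", 161, 1, 90),      # spoofed SNMP GetBulk
    ("18.0.0.20", 161, "203.0.113.7", 50001, 10, 6000),
    ("198.51.100.5", 40000, "18.0.0.10", 123, 1, 76),     # ordinary NTP client exchange
    ("18.0.0.10", 123, "198.51.100.5", 40000, 1, 76),
    ("203.0.113.7", 50002, "18.0.0.30", 19, 1, 29),       # CHARGEN probe
    ("18.0.0.30", 19, "203.0.113.7", 50002, 20, 5000),
]


def find_reflections(flows, threshold=10.0):
    """Pair each outbound reply from an amplified port with the inbound query that
    triggered it and report pairs whose byte ratio reaches `threshold`."""
    queries = {}
    for src, sport, dst, dport, _pkts, nbytes in flows:
        if dport in AMPLIFIED_PORTS and not is_internal(src) and is_internal(dst):
            queries[(src, sport, dst, dport)] = nbytes
    hits = []
    for src, sport, dst, dport, pkts, nbytes in flows:
        if sport not in AMPLIFIED_PORTS or not is_internal(src) or is_internal(dst):
            continue
        qbytes = queries.get((dst, dport, src, sport))
        if qbytes is None:
            continue  # reply with no matching query in this window: leave it alone
        factor = nbytes / qbytes
        if factor >= threshold:
            hits.append({"service": AMPLIFIED_PORTS[sport], "reflector": src,
                         "victim": dst, "reply_packets": pkts, "factor": factor})
    return hits


class TokenBucket:
    """Policer: `rate` bytes per second sustained, `burst` bytes of credit."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, nbytes, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return True
        return False


def police(packets, rate, burst):
    """Apply one bucket per amplified port to (time, dport, bytes) packets arriving
    from external sources. Returns {port: (passed, dropped)}; other ports are not policed."""
    buckets = {p: TokenBucket(rate, burst) for p in AMPLIFIED_PORTS}
    counts = defaultdict(lambda: [0, 0])
    for t, dport, nbytes in sorted(packets):
        if dport not in buckets:
            continue
        idx = 0 if buckets[dport].allow(nbytes, t) else 1
        counts[dport][idx] += 1
    return {p: tuple(c) for p, c in counts.items()}


def constructed_flood():
    """50 spoofed 60-byte NTP queries one millisecond apart, plus a single SNMP poll."""
    pkts = [(i / 1000.0, 123, 60) for i in range(50)]
    pkts.append((0.020, 161, 90))
    return pkts


if __name__ == "__main__":
    for h in find_reflections(FLOWS):
        print(f"{h['service']:8s} {h['reflector']} -> {h['victim']} x{h['factor']:.0f}")
    print(police(constructed_flood(), rate=1000, burst=600))
```

With the constructed numbers, the three spoofed exchanges show factors of roughly 161x (NTP), 67x (SNMP) and 172x (CHARGEN), while the ordinary NTP client exchange is 1:1 and is not reported. The policer keys on the inbound query side, which is where the border policy sits: once the per-port bucket is empty, further queries are dropped no matter what source address they claim, so a campus reflector cannot be driven at full rate. A production policer would be per-interface and usually far more granular than one bucket per port.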

The PDF linked below provides more detail on UDP amplification/reflection attacks:


About MIT
IT Security Awareness Consultant and Communications Specialist at MIT
