08:53:13 spoofed.net.echo > 172.31.146.49.chargen: udp

echo port 7: will echo back any data it receives
chargen port 19: will transmit a stream of random characters when it receives data

Vulnerability scans to locate echo, chargen, daytime ports are highly recommended.
IDIC - SANS GIAC LevelTwo
©2000, 2001
This is a classic feedback loop. The attack is very asymmetric: one packet is enough to start the oscillation. The attacker sits outside the loop and initiates it by sending in a single packet with a spoofed source address. Unlike smurf-style attacks, this is somewhat self-sustaining. Daytime to echo can also be used. Blocking these ports from the outside is recommended, but as the slide says, it is also a good idea to scan your internal network for these ports and shut them off. You may want to check your Cisco routers; for years they shipped with the “small services” on by default.
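One way to spot this loop in captured traffic, as an added example that is not part of the original course material: it reads tcpdump-style lines shaped like the slide's trace and flags UDP flows whose source and destination ports are both small services. The function names are hypothetical, and every sample line after the first is constructed for illustration.

```python
import re
from collections import Counter

# Service names as tcpdump prints them, mapped to their port numbers.
SMALL_SERVICES = {"echo": 7, "daytime": 13, "chargen": 19}
SMALL_PORTS = set(SMALL_SERVICES.values())

# Matches lines shaped like the slide's trace: time src.port > dst.port: udp
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\.([\w-]+)\s+>\s+(\S+)\.([\w-]+):\s+udp\b", re.I)

def port_number(token):
    """Resolve a tcpdump port token (service name or number); None if unknown."""
    token = token.lower()
    return int(token) if token.isdigit() else SMALL_SERVICES.get(token)

def find_loops(lines):
    """Return {(endpoint_a, endpoint_b): packet_count} for UDP flows where
    BOTH ports are small services. A normal client talks to echo or chargen
    from an ephemeral source port, so service-to-service traffic is the
    signature of the feedback loop."""
    flows = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _, src, sport, dst, dport = m.groups()
        sp, dp = port_number(sport), port_number(dport)
        if sp in SMALL_PORTS and dp in SMALL_PORTS:
            # Sort the endpoints so both directions count toward one pair.
            pair = tuple(sorted([f"{src}:{sp}", f"{dst}:{dp}"]))
            flows[pair] += 1
    return dict(flows)

# First line is the slide's trace; the rest are constructed sample input.
SAMPLE = [
    "08:53:13 spoofed.net.echo > 172.31.146.49.chargen: udp",
    "08:53:13 172.31.146.49.chargen > spoofed.net.echo: udp 74",
    "08:53:13 spoofed.net.echo > 172.31.146.49.chargen: udp 74",
    "08:53:14 10.0.0.5.1047 > 172.31.146.49.echo: udp 12",  # ordinary client
    "08:53:15 10.0.0.9.13 > 10.0.0.7.7: udp 26",            # daytime to echo
]

if __name__ == "__main__":
    for pair, count in find_loops(SAMPLE).items():
        print(f"{pair[0]} <-> {pair[1]}: {count} packet(s)")
```

A rising packet count for one pair shows the oscillation is still running; the ordinary client on port 1047 is not flagged.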