CHARGEN-Based DrDoS Attacks: A Growing Marketplace and DDoS Threat - PowerPoint PPT Presentation

Description:

This presentation examines developments in the DDoS tools and services marketplace, specifically the vicious use of the CHARGEN protocol. It also gives six simple steps to turn off CHARGEN and stop your servers from being recruited to participate in these attacks.

Slides: 11
Provided by: prolexicc

Transcript and Presenter's Notes

1
CHARGEN-Based DrDoS Attacks: A Growing
Marketplace and DDoS Threat
2
New DDoS tools are widely available
  • The DDoS-as-a-service marketplace has expanded to
    include new tools
  • IP address scanning tools identify vulnerable
    servers
  • In the past, scanner tools were only available in
    underground forums
  • Now available publicly
  • Some are free
  • Most are simple to use
  • Also available: ready-made lists from completed
    scans
  • Will your IP addresses be on an attacker's list?

www.prolexic.com
3
What are these scanner tools looking for?
  • Servers vulnerable to reflection and
    amplification attacks
  • Specifically, access to specific network
    protocols
  • CHARGEN
  • DNS
  • SNMP
  • NTP
  • Often the protocols are no longer needed but have
    not been turned off

4
Old protocol with a new use: CHARGEN
  • CHARGEN stands for character generation
  • Attacker sends a spoofed CHARGEN request to a
    server, directing the output to the attacker's
    target
  • The CHARGEN protocol responds, as designed, by
    sending lots of characters to the target
  • By exploiting multiple servers with CHARGEN at
    once, the incoming flow of characters overwhelms
    the target
  • What if your server were used by an attacker?
  • Your server would send unwanted traffic to the
    target
  • Outage from denial of service at the target
  • Poor performance on your server (it's busy
    sending characters)

5
Reflection attacks use your servers for profit
  • CHARGEN attacks use servers from Africa, Asia,
    Australia, Canada, Europe, Latin America and the
    U.S.
  • Flourishing underground commerce
  • Attacker makes an IP address list from a scanner
    (or buys a list) and loads it into a DDoS attack
    tool
  • Providers offer stressor tools that use
    reflection attacks in DDoS-as-a-service
  • Malicious actors pay DDoS tools developers
    subscription fees
  • This economy depends on vulnerable servers

6
Protect your servers: How to turn off CHARGEN
  • Older Microsoft Windows Servers are the most common
    source of CHARGEN attack traffic
  • Example: How to turn off CHARGEN on Windows
    Server 2000
  • Step 1
  • Open the server configuration panel
  • Select the Advanced drop down menu
  • Select Optional Components
  • Step 2
  • Select Networking Services
  • Click Details

7
Protect your servers: Turn off CHARGEN, continued
This step removes the following services:
CHARGEN, Daytime, Discard, Echo and Quote of the
Day
  • Step 3
  • Uncheck Simple TCP/IP Services
  • Click OK

8
Protect your servers: Turn off CHARGEN, continued
  • Steps 4-6
  • Click Next, Next, and Finish
  • Once you complete these steps, the CHARGEN
    protocol will be closed and will not respond to
    requests
  • As a result, attackers can't use your server to
    generate CHARGEN attack traffic
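
One way to confirm the result of the steps above on a server you administer, as an added example that is not part of the original presentation: it sends a single 1-byte datagram and opens one TCP connection to port 19 and reports whether anything comes back. The function names and the command-line usage are assumptions made for this example; a UDP timeout can also mean a firewall dropped the packet, so run the check from the network position you care about.

```python
import socket

CHARGEN_PORT = 19  # well-known CHARGEN port for both TCP and UDP (RFC 864)


def chargen_udp_reply_len(host, port=CHARGEN_PORT, timeout=2.0):
    """Send a 1-byte datagram; return the reply size in bytes, or None if no reply.

    A live UDP CHARGEN service answers any datagram with 0-512 characters,
    so even an empty reply (length 0) counts as "still enabled".
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            s.send(b"\n")
            return len(s.recv(2048))
        except OSError:  # timeout, or ICMP port unreachable surfaced as refused
            return None


def chargen_tcp_responds(host, port=CHARGEN_PORT, timeout=2.0):
    """A live TCP CHARGEN service starts streaming as soon as you connect."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return len(s.recv(2048)) > 0
    except OSError:  # refused, unreachable, or nothing sent before the timeout
        return False


def chargen_status(host, port=CHARGEN_PORT, timeout=2.0):
    """Summarise both transports for one server you administer."""
    udp_len = chargen_udp_reply_len(host, port, timeout)
    tcp_on = chargen_tcp_responds(host, port, timeout)
    return {"udp_reply_bytes": udp_len, "tcp_streams": tcp_on,
            "disabled": udp_len is None and not tcp_on}


if __name__ == "__main__":
    import sys
    # Assumption: the hostname of your own server is passed on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(target, chargen_status(target))
```

A non-None `udp_reply_bytes` also shows the amplification in miniature: one byte in, that many bytes out.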

9
Learn more
  • Download the Q3 2013 Global DDoS Attack Report at
    www.prolexic.com/attackreports
  • The attack report includes
  • Why reflection attacks are increasingly popular
  • Parts of a CHARGEN attack, step by step
  • Details of real attacks stopped by Prolexic
  • Players in the reflection attack (DrDoS)
    marketplace
  • How to turn off CHARGEN to protect your servers
    from being used in attacks

10
About Prolexic
  • Prolexic Technologies is the world's largest and
    most trusted provider of DDoS protection and
    mitigation services.
  • Prolexic has successfully stopped DDoS attacks
    for more than a decade.
  • We can stop even the largest attacks that exceed
    the capabilities of other DDoS mitigation service
    providers.