Title: CHARGEN-Based DrDoS Attacks: A Growing Marketplace and DDoS Threat
1. CHARGEN-Based DrDoS Attacks: A Growing Marketplace and DDoS Threat
2. New DDoS tools are widely available
- The DDoS-as-a-service marketplace has expanded to include new tools
- IP address scanning tools identify vulnerable servers
- In the past, scanner tools were only available in underground forums
- Now available publicly
- Some are free
- Most are simple to use
- Also available: ready-made lists from completed scans
- Will your IP addresses be on an attacker's list?
www.prolexic.com
3. What are these scanner tools looking for?
- Servers vulnerable to reflection and amplification attacks
- Specifically, access to specific network protocols
  - CHARGEN
  - DNS
  - SNMP
  - NTP
- Often the protocols are no longer needed but have not been turned off
4. Old protocol with a new use: CHARGEN
- CHARGEN stands for character generation
- Attacker sends a spoofed CHARGEN request to a server, directing the output to the attacker's target
- The CHARGEN protocol responds, as designed, by sending lots of characters to the target
- By exploiting multiple servers with CHARGEN at once, the incoming flow of characters overwhelms the target
- What if your server were used by an attacker?
  - Your server would send unwanted traffic to the target
  - Outage from denial of service at the target
  - Poor performance on your server (it's busy sending characters)
5. Reflection attacks use your servers for profit
- CHARGEN attacks use servers from Africa, Asia, Australia, Canada, Europe, Latin America and the U.S.
- Flourishing underground commerce
  - Attacker makes an IP address list from a scanner (or buys a list) and loads it into a DDoS attack tool
  - Providers offer stressor tools that use reflection attacks in DDoS-as-a-service
  - Malicious actors pay DDoS tool developers subscription fees
- This economy depends on vulnerable servers
6. Protect your servers: How to turn off CHARGEN
- Older Microsoft Windows Servers are the most common source of CHARGEN attack traffic
- Example: How to turn off CHARGEN on Windows Server 2000
- Step 1
  - Open the server configuration panel
  - Select the Advanced drop-down menu
  - Select Optional Components
- Step 2
  - Select Networking Services
  - Click Details
7. Protect your servers: Turn off CHARGEN, continued
This step removes the following services: CHARGEN, Daytime, Discard, Echo and Quote of the Day
- Step 3
  - Uncheck Simple TCP/IP Services
  - Click OK
8. Protect your servers: Turn off CHARGEN, continued
- Steps 4-6
  - Click Next, Next, and Finish
- Once you complete these steps, the CHARGEN protocol will be closed and will not respond to requests
- As a result, attackers can't use your server to generate CHARGEN attack traffic
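
One way to confirm on the server itself that the steps above took effect, as an added example that is not part of the original slides: the script reads `netstat -an` output and reports any listener still bound to the ports of the five Simple TCP/IP Services. The function names and the netstat sample are constructed for illustration; the port numbers are the standard assignments for these services.

```python
import re

# Standard ports of the services removed by unchecking "Simple TCP/IP Services".
SIMPLE_SERVICES = {7: "Echo", 9: "Discard", 13: "Daytime",
                   17: "Quote of the Day", 19: "CHARGEN"}

# Constructed sample of Windows `netstat -an` output (not from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:7              0.0.0.0:0              LISTENING
  TCP    0.0.0.0:19             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1919        198.51.100.7:19        ESTABLISHED
  TCP    [::]:13                [::]:0                 LISTENING
  UDP    0.0.0.0:19             *:*
  UDP    0.0.0.0:161            *:*
"""

# proto, local address, local port, foreign address, optional state (UDP has none)
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def find_simple_service_listeners(netstat_text):
    """Return (proto, local_addr, port, service) for each simple-service listener."""
    findings = []
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # headers and blank lines
        proto, addr, port, _foreign, state = m.groups()
        port = int(port)
        if port not in SIMPLE_SERVICES:
            continue  # only the local port matters, not the remote one
        if proto == "TCP" and state != "LISTENING":
            continue  # ignore established or closing TCP connections
        findings.append((proto, addr, port, SIMPLE_SERVICES[port]))
    return findings

def chargen_still_enabled(netstat_text):
    """True if anything is bound to port 19 (TCP listener or UDP socket)."""
    return any(p == 19 for _, _, p, _ in find_simple_service_listeners(netstat_text))

if __name__ == "__main__":
    for proto, addr, port, name in find_simple_service_listeners(SAMPLE_NETSTAT):
        print(f"{proto} {addr}:{port} -> {name} is still enabled")
```

On a real server, pass the captured text of `netstat -an` in place of the constructed sample; an empty result means none of the five services is answering.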
9. Learn more
- Download the Q3 2013 Global DDoS Attack Report at www.prolexic.com/attackreports
- The attack report includes:
  - Why reflection attacks are increasingly popular
  - Parts of a CHARGEN attack, step by step
  - Details of real attacks stopped by Prolexic
  - Players in the reflection attack (DrDoS) marketplace
  - How to turn off CHARGEN to protect your servers from being used in attacks
10. About Prolexic
- Prolexic Technologies is the world's largest and most trusted provider of DDoS protection and mitigation services.
- Prolexic has successfully stopped DDoS attacks for more than a decade.
- We can stop even the largest attacks that exceed the capabilities of other DDoS mitigation service providers.