Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

CHARGEN-Based DrDoS Attacks: A Growing Marketplace and DDoS Threat


Published on

This ppt examines developments in the DDoS tools & services marketplace, specifically the vicious use of the CHARGEN protocol. Plus, get six simple steps to turn off CHARGEN & stop your servers from being recruited to participate in these attacks.

  • Be the first to comment

CHARGEN-Based DrDoS Attacks: A Growing Marketplace and DDoS Threat

  1. 1. CHARGEN-Based DrDoS Attacks: A Growing Marketplace and DDoS Threat
  2. 2. New DDoS tools are widely available • The DDoS-as-a-service marketplace has expanded to include new tools – IP address scanning tools identify vulnerable servers – In the past, scanner tools were only available in underground forums – Now available publicly – Some are free – Most are simple to use – Also available: Ready-made lists from completed scans • Will your IP addresses be on an attacker’s list? 2
  3. 3. What are these scanner tools looking for? • Servers vulnerable to reflection and amplification attacks • Specifically, access to specific network protocols: – – – – CHARGEN DNS SNMP NTP • Often the protocols are no longer needed but have not been turned off 3
  4. 4. Old protocol with a new use: CHARGEN • CHARGEN stands for character generation • Attacker sends a spoofed CHARGEN request to a server, directing the output to the attacker’s target • The CHARGEN protocol responds, as designed, by sending lots of characters to the target • By exploiting multiple servers with CHARGEN at once, the incoming flow of characters overwhelms the target • What if your server were used by an attacker? • Your server would send unwanted traffic to the target – Outage from denial of service at the target – Poor performance on your server (it’s busy sending characters) 4
  5. 5. Reflection attacks use your servers for profit • CHARGEN attacks use servers from Africa, Asia, Australia, Canada, Europe, Latin America and the U.S. • Flourishing underground commerce: – Attacker makes an IP address list from a scanner (or buys a list) and loads it into a DDoS attack tool – Providers offer stressor tools that use reflection attacks in DDoS-as-a-service – Malicious actors pay DDoS tools developers subscription fees • This economy depends on vulnerable servers 5
  6. 6. Protect your servers: How to turn off CHARGEN • Older Microsoft Windows Servers are most common source of CHARGEN attack traffic • Example: How to turn off CHARGEN on Windows Server 2000 – Step 1: • Open the server configuration panel • Select the Advanced drop down menu • Select Optional Components – Step 2: • Select Networking Services • Click Details 6
  7. 7. Protect your servers: Turn off CHARGEN, continued This step removes the following services: CHARGEN, Daytime, Discard, Echo and Quote of the Day – Step 3: • Uncheck Simple TCP/IP Services • Click OK 7
  8. 8. Protect your servers: Turn off CHARGEN, continued • Steps 4-6: – Click Next, Next, and Finish • Once you complete these steps, the CHARGEN protocol will be closed and will not respond to requests • As a result, attackers can’t use your server to generate CHARGEN attack traffic 8
  9. 9. Learn more • Download the Q3 2013 Global DDoS Attack Report at • The attack report includes: – – – – – 9 Why reflection attacks are increasingly popular Parts of a CHARGEN attack, step by step Details of real attacks stopped by Prolexic Players in the reflection attack (DrDoS) marketplace How to turn off CHARGEN to protect your servers from being used in attacks
  10. 10. About Prolexic • Prolexic Technologies is the world’s largest and most trusted provider of DDoS protection and mitigation services. • Prolexic has successfully stopped DDoS attacks for more than a decade. • We can stop even the largest attacks that exceed the capabilities of other DDoS mitigation service providers. 10