Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

New DDoS Attack Tools and the DDoS Marketplace


Published on

The DDoS-as-a-Service marketplace has expanded to include new distributed denial of service (DDoS) attack tools used to generate a echo attack or DrDoS attack. These take advantage of misconfigured servers & hide the mask the identity of attackers.

Published in: Business
  • Be the first to comment

New DDoS Attack Tools and the DDoS Marketplace

  1. 1. New DDoS Attack Tools and the DDoS Marketplace The DDoS-as-a-Service marketplace has expanded to include new distributed denial of service (DDoS) attack tools. These new tools can discover the IP address of servers that can be used by attackers to generate a type of DDoS attack called a reflection attack or DrDoS attack. An attacker can use a scanner tool to make lists of thousands of vulnerable servers, and then load a list into a DrDoS attack tool to launch attacks or sell the lists to others. Although the existence of IP address scanner tools is not new, they are now available freely and publicly. The widespread availability of scanner tools and the demand for lists of servers specifically vulnerable to reflection attacks is unique to Q3 2013 – indicating a worrisome DDoS attack trend. Not surprisingly, the DrDoS attacks facilitated by these scanner tools are on the rise. In these attacks, the attacker’s target is overwhelmed by traffic generated by common network protocols on the vulnerable servers, such as DNS, SNMP and CHARGEN. The use of the CHARGEN reflection attack has enjoyed a recent resurgence. CHARGEN is a legacy protocol that was believed to be obsolete. Unfortunately, many servers running older Windows operating systems still have the protocol enabled, which is unnecessary – and dangerous. How a CHARGEN attack works When CHARGEN is used in a DrDoS attack, the attacker sends a spoofed CHARGEN request to a server, directing the output to the attacker’s target. The spoofing makes the vulnerable server, which is called a victim (to distinguish it from the attacker’s ultimate target), respond not to the attacker but to the target. The CHARGEN protocol sends lots of characters to the target. That’s what CHARGEN was designed to do – generate characters for testing purposes. By exploiting multiple servers with CHARGEN at once, the incoming flow of characters overwhelms the target. Prolexic has mitigated DrDoS attacks involving servers participating in CHARGEN protocol attacks from Africa, Asia, Australia, Canada, Europe, Latin America and the U.S. – every continent except Antarctica! What if your server were used by an attacker in a CHARGEN attack? If your server were used in a CHARGEN attack, your server would send unwanted traffic to the attacker’s target, probably without your knowledge. When combined with the output of other vulnerable servers, the attack would likely result in an outage from denial of service at the target. In addition, your server would perform poorly. Rather than spending its time processing your requests, it would be busy sending unwanted characters to the attacker’s target. 1
  2. 2. How to disable CHARGEN on a Microsoft Windows server If you have a server running and older version of a Windows server operating system – especially NT through Windows 2008 R2 – it is likely vulnerable to becoming an unwilling participant in a DrDoS attack. The following shows how to turn off CHARGEN on a Windows 2000 server: Step 1 • Open the server configuration panel • Select the Advanced drop down menu • Select Optional Components Step 2 • Select Networking Services • Click Details Step 3 • Uncheck Simple TCP/IP Services • Click OK Steps 4-6 • Click Next, Next, and Finish. Figure 1: Uncheck Simple TCP/IP Services in Step 3. This action removes CHARGEN, Daytime, Discard, Echo and Quote of the Day. Once you complete these steps, the CHARGEN protocol will be closed and will not respond to requests. As a result, attackers can’t use your server to generate CHARGEN attack traffic. Learn more in the Q3 2013 Global DDoS Attack Report The Q3 2013 Global DDoS Attack Report includes: • Why reflection attacks are increasingly popular • Parts of a CHARGEN attack, step by step • Details of specific CHARGEN attacks stopped by Prolexic • Players in the reflection attack (DrDoS) marketplace • How to turn off CHARGEN to protect your servers from being used in attacks The more you know about DDoS attacks, the better you can protect your network against cybercrime. Download the free report at About Prolexic Prolexic Technologies is the world’s largest and most trusted provider of DDoS protection and mitigation services. Learn more at 2