This ppt examines developments in the DDoS tools & services marketplace, specifically the vicious use of the CHARGEN protocol. Plus, get six simple steps to turn off CHARGEN & stop your servers from being recruited to participate in these attacks.

1. CHARGEN-Based DrDoS Attacks:
A Growing Marketplace and DDoS Threat
www.prolexic.com

2. New DDoS tools are widely available
• The DDoS-as-a-service marketplace has expanded
to include new tools
– IP address scanning tools identify vulnerable servers
– In the past, scanner tools were only available in
underground forums
– Now available publicly
– Some are free
– Most are simple to use
– Also available: Ready-made lists from completed scans
• Will your IP addresses be on an attacker’s list?
2
www.prolexic.com

3. What are these scanner tools looking for?
• Servers vulnerable to reflection and amplification
attacks
• Specifically, access to specific network protocols:
–
–
–
–
CHARGEN
DNS
SNMP
NTP
• Often the protocols are no longer needed but have
not been turned off
3
www.prolexic.com

4. Old protocol with a new use: CHARGEN
• CHARGEN stands for character generation
• Attacker sends a spoofed CHARGEN request to a
server, directing the output to the attacker’s target
• The CHARGEN protocol responds, as designed, by
sending lots of characters to the target
• By exploiting multiple servers with CHARGEN at once,
the incoming flow of characters overwhelms the target
• What if your server were used by an attacker?
• Your server would send unwanted traffic to the target
– Outage from denial of service at the target
– Poor performance on your server (it’s busy sending
characters)
4
www.prolexic.com

5. Reflection attacks use your servers for profit
• CHARGEN attacks use servers from Africa, Asia,
Australia, Canada, Europe, Latin America and the
U.S.
• Flourishing underground commerce:
– Attacker makes an IP address list from a scanner (or
buys a list) and loads it into a DDoS attack tool
– Providers offer stressor tools that use reflection attacks
in DDoS-as-a-service
– Malicious actors pay DDoS tools developers
subscription fees
• This economy depends on vulnerable servers
5
www.prolexic.com

6. Protect your servers: How to turn off
CHARGEN
• Older Microsoft Windows Servers are most
common source of CHARGEN attack traffic
• Example: How to turn off CHARGEN on Windows
Server 2000
– Step 1:
• Open the server configuration panel
• Select the Advanced drop down menu
• Select Optional Components
– Step 2:
• Select Networking Services
• Click Details
6
www.prolexic.com

7. Protect your servers: Turn off CHARGEN,
continued
This step removes
the following
services: CHARGEN,
Daytime, Discard,
Echo and Quote of
the Day
– Step 3:
• Uncheck Simple TCP/IP Services
• Click OK
7
www.prolexic.com

8. Protect your servers: Turn off CHARGEN,
continued
• Steps 4-6:
– Click Next, Next, and Finish
• Once you complete these steps, the CHARGEN
protocol will be closed and will not respond to
requests
• As a result, attackers can’t use your server to
generate CHARGEN attack traffic
8
www.prolexic.com

9. Learn more
• Download the Q3 2013 Global DDoS Attack Report
at www.prolexic.com/attackreports
• The attack report includes:
–
–
–
–
–
9
Why reflection attacks are increasingly popular
Parts of a CHARGEN attack, step by step
Details of real attacks stopped by Prolexic
Players in the reflection attack (DrDoS) marketplace
How to turn off CHARGEN to protect your servers from
being used in attacks
www.prolexic.com

10. About Prolexic
• Prolexic Technologies is the world’s largest and
most trusted provider of DDoS protection and
mitigation services.
• Prolexic has successfully stopped DDoS attacks for
more than a decade.
• We can stop even the largest attacks that exceed
the capabilities of other DDoS mitigation service
providers.
10
www.prolexic.com