CHARGEN-Based DrDoS Attacks: A Growing Marketplace and DDoS Threat


description

This ppt examines developments in the DDoS tools & services marketplace, specifically the vicious use of the CHARGEN protocol. Plus, get six simple steps to turn off CHARGEN & stop your servers from being recruited to participate in these attacks.

Transcript of CHARGEN-Based DrDoS Attacks: A Growing Marketplace and DDoS Threat


www.prolexic.com



New DDoS tools are widely available

• The DDoS-as-a-service marketplace has expanded to include new tools
  – IP address scanning tools identify vulnerable servers
  – In the past, scanner tools were only available in underground forums
  – Now available publicly
  – Some are free
  – Most are simple to use
  – Also available: Ready-made lists from completed scans

• Will your IP addresses be on an attacker’s list?


What are these scanner tools looking for?

• Servers vulnerable to reflection and amplification attacks

• Specifically, access to specific network protocols:
  – CHARGEN
  – DNS
  – SNMP
  – NTP

• Often the protocols are no longer needed but have not been turned off


Old protocol with a new use: CHARGEN

• CHARGEN stands for character generation
• Attacker sends a spoofed CHARGEN request to a server, directing the output to the attacker’s target
• The CHARGEN protocol responds, as designed, by sending lots of characters to the target
• By exploiting multiple servers with CHARGEN at once, the incoming flow of characters overwhelms the target
• What if your server were used by an attacker?
• Your server would send unwanted traffic to the target
  – Outage from denial of service at the target
  – Poor performance on your server (it’s busy sending characters)


Reflection attacks use your servers for profit

• CHARGEN attacks use servers from Africa, Asia, Australia, Canada, Europe, Latin America and the U.S.

• Flourishing underground commerce:
  – Attacker makes an IP address list from a scanner (or buys a list) and loads it into a DDoS attack tool
  – Providers offer stressor tools that use reflection attacks in DDoS-as-a-service
  – Malicious actors pay DDoS tools developers subscription fees
• This economy depends on vulnerable servers


Protect your servers: How to turn off CHARGEN

• Older Microsoft Windows Servers are the most common source of CHARGEN attack traffic

• Example: How to turn off CHARGEN on Windows Server 2000
  – Step 1:
    • Open the server configuration panel
    • Select the Advanced drop down menu
    • Select Optional Components
  – Step 2:
    • Select Networking Services
    • Click Details


Protect your servers: Turn off CHARGEN, continued

  – Step 3:
    • Uncheck Simple TCP/IP Services
    • Click OK

This step removes the following services: CHARGEN, Daytime, Discard, Echo and Quote of the Day


Protect your servers: Turn off CHARGEN, continued

• Steps 4-6:
  – Click Next, Next, and Finish

• Once you complete these steps, the CHARGEN protocol will be closed and will not respond to requests

• As a result, attackers can’t use your server to generate CHARGEN attack traffic
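
To confirm the result of the steps above on your own server, the following added example (not part of the original Prolexic slides) parses `netstat -an` output in the Windows column layout and reports any listener still bound to one of the five Simple TCP/IP Services. The port numbers (7, 9, 13, 17, 19) are the services' standard assignments, and the sample output and function name are constructed for illustration.

```python
"""Audit `netstat -an` output (Windows layout) for Simple TCP/IP Services."""
import subprocess

# Standard ports of the five services removed with Simple TCP/IP Services.
SIMPLE_SERVICES = {7: "Echo", 9: "Discard", 13: "Daytime",
                   17: "Quote of the Day", 19: "CHARGEN"}

def find_simple_services(netstat_text):
    """Return sorted (proto, port, service) tuples for sockets still open."""
    hits = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].upper() not in ("TCP", "UDP"):
            continue  # header or blank line
        proto, local = fields[0].upper(), fields[1]
        # TCP rows carry a state column; only LISTENING rows are services.
        if proto == "TCP" and fields[-1].upper() != "LISTENING":
            continue
        # UDP has no state; a bound socket shows a foreign address of *:*
        if proto == "UDP" and fields[2] != "*:*":
            continue
        port_text = local.rsplit(":", 1)[-1]  # also handles [::]:19
        if port_text.isdigit() and int(port_text) in SIMPLE_SERVICES:
            port = int(port_text)
            hits.add((proto, port, SIMPLE_SERVICES[port]))
    return sorted(hits)

# Constructed sample: CHARGEN and Echo still enabled, plus unrelated sockets.
# The ESTABLISHED row has port 19 only as the remote port and must be ignored.
SAMPLE_BEFORE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:7              0.0.0.0:0              LISTENING
  TCP    0.0.0.0:19             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1045        198.51.100.7:19        ESTABLISHED
  UDP    0.0.0.0:19             *:*
  UDP    0.0.0.0:161            *:*
"""

if __name__ == "__main__":
    # Run on the server itself after completing the steps above.
    out = subprocess.run(["netstat", "-an"],
                         capture_output=True, text=True).stdout
    remaining = find_simple_services(out)
    for proto, port, name in remaining:
        print(f"STILL OPEN: {proto}/{port} ({name})")
    if not remaining:
        print("No Simple TCP/IP Services listeners found")
```

An empty result covers both the TCP and UDP CHARGEN listeners; UDP port 19 is the one that matters for spoofed-source reflection.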


Learn more

• Download the Q3 2013 Global DDoS Attack Report at www.prolexic.com/attackreports

• The attack report includes:
  – Why reflection attacks are increasingly popular
  – Parts of a CHARGEN attack, step by step
  – Details of real attacks stopped by Prolexic
  – Players in the reflection attack (DrDoS) marketplace
  – How to turn off CHARGEN to protect your servers from being used in attacks


About Prolexic

• Prolexic Technologies is the world’s largest and most trusted provider of DDoS protection and mitigation services.

• Prolexic has successfully stopped DDoS attacks for more than a decade.

• We can stop even the largest attacks that exceed the capabilities of other DDoS mitigation service providers.