The DDoS-as-a-Service marketplace has expanded to include new distributed denial of service (DDoS) attack tools used to generate a reflection attack, also called a DrDoS attack. These take advantage of misconfigured servers and mask the identity of the attackers.
1. New DDoS Attack Tools and the DDoS Marketplace
The DDoS-as-a-Service marketplace has expanded to include new distributed denial of service (DDoS) attack tools. These new tools can discover the IP addresses of servers that attackers can use to generate a type of DDoS attack called a reflection attack or DrDoS attack. An attacker can use a scanner tool to make lists of thousands of vulnerable servers, and then load a list into a DrDoS attack tool to launch attacks or sell the lists to others.
Although the existence of IP address scanner tools is not new, they are now available freely and publicly. The widespread availability of scanner tools and the demand for lists of servers specifically vulnerable to reflection attacks is unique to Q3 2013 – indicating a worrisome DDoS attack trend.
Not surprisingly, the DrDoS attacks facilitated by these scanner tools are on the rise. In these attacks, the attacker’s target is overwhelmed by traffic generated by common network protocols on the vulnerable servers, such as DNS, SNMP and CHARGEN.
The use of the CHARGEN reflection attack has enjoyed a recent resurgence. CHARGEN is a legacy protocol that was believed to be obsolete. Unfortunately, many servers running older Windows operating systems still have the protocol enabled, which is unnecessary – and dangerous.
How a CHARGEN attack works
When CHARGEN is used in a DrDoS attack, the attacker sends a spoofed CHARGEN request to a server, directing the output to the attacker’s target. The spoofing makes the vulnerable server, which is called a victim (to distinguish it from the attacker’s ultimate target), respond not to the attacker but to the target. The CHARGEN protocol sends lots of characters to the target. That’s what CHARGEN was designed to do – generate characters for testing purposes. By exploiting multiple servers with CHARGEN at once, the incoming flow of characters overwhelms the target.
Prolexic has mitigated DrDoS attacks involving servers participating in CHARGEN protocol attacks from Africa, Asia, Australia, Canada, Europe, Latin America and the U.S. – every continent except Antarctica!
What if your server were used by an attacker in a CHARGEN attack?
If your server were used in a CHARGEN attack, your server would send unwanted traffic to the attacker’s target, probably without your knowledge. When combined with the output of other vulnerable servers, the attack would likely result in an outage from denial of service at the target. In addition, your server would perform poorly. Rather than spending its time processing your requests, it would be busy sending unwanted characters to the attacker’s target.
2. How to disable CHARGEN on a Microsoft Windows server
If you have a server running an older version of a Windows server operating system – especially NT through Windows 2008 R2 – it is likely vulnerable to becoming an unwilling participant in a DrDoS attack. The following shows how to turn off CHARGEN on a Windows 2000 server:
Step 1
• Open the server configuration panel
• Select the Advanced drop-down menu
• Select Optional Components
Step 2
• Select Networking Services
• Click Details
Step 3
• Uncheck Simple TCP/IP Services
• Click OK
Steps 4-6
• Click Next, Next, and Finish.
Figure 1: Uncheck Simple TCP/IP Services in Step 3. This action removes CHARGEN, Daytime, Discard, Echo and Quote of the Day.
Once you complete these steps, the CHARGEN protocol will be closed and will not respond to requests. As a result, attackers can’t use your server to generate CHARGEN attack traffic.
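The steps above are for the Windows 2000 configuration panel. The following PowerShell script is an added example, not from the Prolexic report: it checks a newer Windows Server host for the Simple TCP/IP Services service (service name simptcp), stops and disables it, removes the optional component, and then confirms nothing is still bound to port 19. It assumes Windows Server 2012 or later; the feature name Simple-TCPIP is an assumption to confirm with Get-WindowsFeature before relying on it.

```powershell
# Added example (not part of the Prolexic report). Run in an elevated session.
# Assumes Windows Server 2012+ (Get-Net* cmdlets and Uninstall-WindowsFeature).
$ChargenPort = 19

# 1. Is the Simple TCP/IP Services service (CHARGEN, Echo, Discard, Daytime,
#    Quote of the Day) installed on this host?
$svc = Get-Service -Name simptcp -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Output "simptcp service not installed: this host does not provide CHARGEN."
} else {
    Write-Output ("simptcp service found, status: {0}" -f $svc.Status)
    if ($svc.Status -eq 'Running') { Stop-Service -Name simptcp -Force }
    # Keep it from starting again at boot.
    Set-Service -Name simptcp -StartupType Disabled
    # Remove the optional component, the equivalent of unchecking
    # "Simple TCP/IP Services". Feature name "Simple-TCPIP" is assumed.
    if (Get-Command Uninstall-WindowsFeature -ErrorAction SilentlyContinue) {
        Uninstall-WindowsFeature -Name Simple-TCPIP | Out-Null
    }
}

# 2. Verify nothing is still listening on port 19 over TCP or UDP, since a
#    reflector only needs the UDP listener to answer spoofed requests.
$tcp = Get-NetTCPConnection -LocalPort $ChargenPort -State Listen -ErrorAction SilentlyContinue
$udp = Get-NetUDPEndpoint   -LocalPort $ChargenPort -ErrorAction SilentlyContinue
if ($tcp -or $udp) {
    Write-Warning "Port $ChargenPort is still bound; check the owning process or reboot."
    $tcp, $udp | Where-Object { $_ } | Format-Table -AutoSize
} else {
    Write-Output "Port $ChargenPort is closed: this host cannot be used as a CHARGEN reflector."
}
```

On Windows Server 2008 R2 the component removal cmdlet is Remove-WindowsFeature in the ServerManager module instead; the service stop and disable steps are unchanged.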
Learn more in the Q3 2013 Global DDoS Attack Report
The Q3 2013 Global DDoS Attack Report includes:
• Why reflection attacks are increasingly popular
• Parts of a CHARGEN attack, step by step
• Details of specific CHARGEN attacks stopped by Prolexic
• Players in the reflection attack (DrDoS) marketplace
• How to turn off CHARGEN to protect your servers from being used in attacks
The more you know about DDoS attacks, the better you can protect your network against cybercrime. Download the free report at www.prolexic.com/attackreports.
About Prolexic
Prolexic Technologies is the world’s largest and most trusted provider of DDoS protection and mitigation services. Learn more at www.prolexic.com.