New DDoS Attack Tools and the DDoS Marketplace

The DDoS-as-a-Service marketplace has expanded to include new distributed denial of service (DDoS) attack tools. These new tools can discover the IP addresses of servers that attackers can use to generate a type of DDoS attack called a reflection attack or DrDoS attack. An attacker can use a scanner tool to make lists of thousands of vulnerable servers, and then load a list into a DrDoS attack tool to launch attacks, or sell the lists to others. Although the existence of IP address scanner tools is not new, they are now available freely and publicly. The widespread availability of scanner tools and the demand for lists of servers specifically vulnerable to reflection attacks is unique to Q3 2013, indicating a worrisome DDoS attack trend.

Not surprisingly, the DrDoS attacks facilitated by these scanner tools are on the rise. In these attacks, the attacker's target is overwhelmed by traffic generated by common network protocols on the vulnerable servers, such as DNS, SNMP and CHARGEN. The use of the CHARGEN reflection attack has enjoyed a recent resurgence. CHARGEN is a legacy protocol that was believed to be obsolete. Unfortunately, many servers running older Windows operating systems still have the protocol enabled, which is unnecessary and dangerous.

How a CHARGEN attack works

When CHARGEN is used in a DrDoS attack, the attacker sends a spoofed CHARGEN request to a server, directing the output to the attacker's target. The spoofing makes the vulnerable server, which is called a victim (to distinguish it from the attacker's ultimate target), respond not to the attacker but to the target. The CHARGEN protocol sends lots of characters to the target. That's what CHARGEN was designed to do: generate characters for testing purposes. By exploiting multiple servers with CHARGEN at once, the incoming flow of characters overwhelms the target.
Prolexic has mitigated DrDoS attacks involving servers participating in CHARGEN protocol attacks from Africa, Asia, Australia, Canada, Europe, Latin America and the U.S.: every continent except Antarctica!

What if your server were used by an attacker in a CHARGEN attack?

If your server were used in a CHARGEN attack, your server would send unwanted traffic to the attacker's target, probably without your knowledge. When combined with the output of other vulnerable servers, the attack would likely result in an outage from denial of service at the target. In addition, your server would perform poorly. Rather than spending its time processing your requests, it would be busy sending unwanted characters to the attacker's target.
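The traffic pattern described above, seen from the target's side, is many distinct servers all sending UDP traffic from source port 19 toward one destination that never asked for CHARGEN. The following is an added example (not part of the Prolexic report) that flags this pattern in a few constructed flow records; the record format and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample flow records, one per line:
# time proto src_ip src_port dst_ip dst_port bytes
# 198.51.100.x play the abused CHARGEN servers, 203.0.113.5 the attacker's target.
SAMPLE_FLOWS = """\
12:00:01 udp 198.51.100.10 19 203.0.113.5 40001 1432
12:00:01 udp 198.51.100.11 19 203.0.113.5 40001 1432
12:00:02 udp 198.51.100.12 19 203.0.113.5 40001 1432
12:00:02 udp 198.51.100.13 19 203.0.113.5 40001 1432
12:00:02 udp 192.0.2.7 53 203.0.113.5 51000 120
12:00:03 udp 198.51.100.10 19 203.0.113.9 40002 1432
12:00:03 tcp 192.0.2.8 443 203.0.113.5 52000 5000
"""

CHARGEN_PORT = 19  # CHARGEN listens on TCP and UDP port 19; reflection abuses UDP


def parse_flows(text):
    """Parse the constructed whitespace-separated flow format into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, proto, sip, sport, dip, dport, nbytes = line.split()
        flows.append({"time": t, "proto": proto, "src_ip": sip, "src_port": int(sport),
                      "dst_ip": dip, "dst_port": int(dport), "bytes": int(nbytes)})
    return flows


def detect_chargen_reflection(flows, min_reflectors=3, min_bytes=4000):
    """Group UDP flows sourced from port 19 by destination and alert when one
    destination receives CHARGEN output from several distinct reflectors.
    Thresholds are assumed values; tune them to the monitored network."""
    per_target = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "flows": 0})
    for f in flows:
        if f["proto"] != "udp" or f["src_port"] != CHARGEN_PORT:
            continue
        s = per_target[f["dst_ip"]]
        s["reflectors"].add(f["src_ip"])
        s["bytes"] += f["bytes"]
        s["flows"] += 1
    alerts = {}
    for target, s in per_target.items():
        if len(s["reflectors"]) >= min_reflectors and s["bytes"] >= min_bytes:
            alerts[target] = {"reflectors": sorted(s["reflectors"]),
                              "bytes": s["bytes"], "flows": s["flows"]}
    return alerts
```

The reflector list in each alert is also the list of servers whose owners need the "disable CHARGEN" fix described below.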
How to disable CHARGEN on a Microsoft Windows server

If you have a server running an older version of a Windows server operating system, especially NT through Windows 2008 R2, it is likely vulnerable to becoming an unwilling participant in a DrDoS attack. The following shows how to turn off CHARGEN on a Windows 2000 server:

Step 1: Open the server configuration panel. Select the Advanced drop-down menu. Select Optional Components.
Step 2: Select Networking Services. Click Details.
Step 3: Uncheck Simple TCP/IP Services. Click OK.
Steps 4-6: Click Next, Next, and Finish.

Once you complete these steps, the CHARGEN protocol will be closed and will not respond to requests. As a result, attackers can't use your server to generate CHARGEN attack traffic.
Learn more in the Q3 2013 Global DDoS Attack Report

The Q3 2013 Global DDoS Attack Report includes:
- Why reflection attacks are increasingly popular
- Parts of a CHARGEN attack, step by step
- Details of specific CHARGEN attacks stopped by Prolexic
- Players in the reflection attack (DrDoS) marketplace
- How to turn off CHARGEN to protect your servers from being used in attacks

The more you know about DDoS attacks, the better you can protect your network against cybercrime. Download the free report at www.prolexic.com/attackreports.
About Prolexic

Prolexic Technologies is the world's largest and most trusted provider of DDoS protection and mitigation services. Learn more at www.prolexic.com.
Figure 1: Uncheck Simple TCP/IP Services in Step 3. This action removes CHARGEN, Daytime, Discard, Echo and Quote of the Day.