Hundreds of thousands of Internet servers sit at risk of being used in a fast-growing technique to reflect and amplify distributed denial of service (DDoS) attacks, despite the fact that a simple server configuration change could eliminate the DDoS threat.
Incidences of DDoS attacks using the character generator CHARGEN protocol rose sharply in the third quarter of 2013, according to data reported in the Q3 2013 Global Attack Report from the Prolexic Security Engineering and Response Team (PLXsert).
Attacks using the CHARGEN protocol, which was noted as vulnerable to these types of attacks as early as 1999, were the fastest-growing type of DDoS attack in Q3 2013, with attackers using vulnerable servers around the world to reflect and amplify data onslaughts at target servers.
The CHARGEN protocol was initially created to enable testing and measurement of servers. Today, it is obsolete, and it should be disabled. Many legacy servers have it turned on by default.
Despite its age, the re-emergence of CHARGEN attacks within the underground DDoS-as-a-Service marketplace suggests the abuse of this internet protocol retains value to malicious actors engaging in distributed reflected denial of service (DrDoS) attacks.
In Q3, Prolexic observed CHARGEN DrDoS attacks against its customers in the gambling and entertainment industries. Prolexic’s experts mitigated these attacks before they affected the availability of the customers’ servers. A subsequent analysis found similar CHARGEN attack patterns in each case.
In the gambling industry attack, most of the reflected traffic originated from Asia, and particularly China. The attack lasted 1.5 hours and reached a peak rate of 2 Gbps.
In the entertainment industry incident, although much of the traffic originated in China, CHARGEN servers from all continents except Antarctica were engaged in the attack, which lasted a half-hour and reached a peak rate of 2 Gbps.
Because vulnerable servers used to reflect CHARGEN data may respond with as much as 17 times more data than they receive, attackers find the approach attractive. An attack launched with just one or two servers can overwhelm a standard 1GB virtual private server in a matter of seconds. In addition, because CHARGEN runs over UDP, the source IP address of a request can be spoofed, which provides pseudo-anonymity for attackers.
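The two properties described above (replies arriving from UDP port 19 that the victim never solicited, and a reply volume up to 17 times the request) are what a defender looks for in flow data. The following is an added example, not code from the Prolexic report: it parses constructed flow records in a simplified NetFlow-like text format (the format and the addresses, drawn from the IETF documentation ranges, are assumptions), flags inbound UDP flows sourced from port 19 toward protected hosts, totals bytes per reflector, and uses the 17x figure to estimate the bandwidth the attacker actually had to spend.

```python
"""Flag CHARGEN (UDP/19) reflection traffic in flow records.

Added example, not from the Prolexic report. Record format is an assumption:
  <epoch_seconds> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <bytes> <packets>
"""
from collections import defaultdict

CHARGEN_PORT = 19
# Amplification factor cited in the article: replies up to 17x the request size.
CHARGEN_AMPLIFICATION = 17

# Constructed sample data: two CHARGEN reflectors sending toward 203.0.113.10,
# plus a legitimate DNS reply and a TCP flow from port 19 for contrast.
SAMPLE_FLOWS = """\
1380000000 UDP 198.51.100.7:19 -> 203.0.113.10:443 1020000 1000
1380000000 UDP 198.51.100.8:19 -> 203.0.113.10:443 2040000 2000
1380000001 UDP 198.51.100.7:19 -> 203.0.113.10:443 1020000 1000
1380000001 UDP 192.0.2.53:53 -> 203.0.113.10:51234 512 1
1380000001 TCP 192.0.2.9:19 -> 203.0.113.10:40000 4000 10
"""


def parse_flow(line):
    """Split one flow record into a dict of typed fields."""
    ts, proto, src, _arrow, dst, nbytes, npkts = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "ts": int(ts), "proto": proto,
        "src_ip": src_ip, "src_port": int(src_port),
        "dst_ip": dst_ip, "dst_port": int(dst_port),
        "bytes": int(nbytes), "packets": int(npkts),
    }


def is_chargen_reflection(flow, protected_hosts):
    """Reflected CHARGEN traffic arrives *from* UDP/19 at a destination port the
    victim never used to send a request (the request carried the victim's
    spoofed address). A server never initiates UDP/19 traffic toward a client,
    so any inbound UDP flow sourced from port 19 at a protected host is suspect."""
    return (flow["proto"] == "UDP"
            and flow["src_port"] == CHARGEN_PORT
            and flow["dst_ip"] in protected_hosts)


def summarize(lines, protected_hosts):
    """Aggregate suspected reflection flows: bytes per reflector, observed bit
    rate over the seconds covered, and the attacker bandwidth implied by 17x."""
    per_reflector = defaultdict(int)
    total_bytes = 0
    first = last = None
    for line in lines:
        flow = parse_flow(line)
        if not is_chargen_reflection(flow, protected_hosts):
            continue
        per_reflector[flow["src_ip"]] += flow["bytes"]
        total_bytes += flow["bytes"]
        first = flow["ts"] if first is None else min(first, flow["ts"])
        last = flow["ts"] if last is None else max(last, flow["ts"])
    # Whole seconds covered by the flagged flows (inclusive of first and last).
    duration = (last - first + 1) if first is not None else 0
    observed_bps = total_bytes * 8 / duration if duration else 0.0
    # Dividing by the amplification factor gives an estimate of what the
    # attacker actually transmitted to the reflectors.
    return {
        "reflectors": dict(per_reflector),
        "total_bytes": total_bytes,
        "duration_s": duration,
        "observed_bps": observed_bps,
        "attacker_bps_estimate": observed_bps / CHARGEN_AMPLIFICATION,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_FLOWS.splitlines(), {"203.0.113.10"})
    for ip, nbytes in sorted(report["reflectors"].items()):
        print(f"reflector {ip}: {nbytes} bytes")
    print(f"observed {report['observed_bps'] / 1e6:.2f} Mbps over "
          f"{report['duration_s']} s; attacker needed about "
          f"{report['attacker_bps_estimate'] / 1e6:.2f} Mbps")
```

The per-reflector totals double as the abuse-notification list: each source address is a misconfigured server whose owner can remove it from the problem with the configuration change the article describes, while the attacker-bandwidth estimate shows how little upstream capacity was needed to produce the observed volume.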
Meanwhile, hundreds of thousands of CHARGEN servers lie susceptible to use as attack vectors, a situation that can be readily addressed with a simple change to the server configuration. Of 1,000 attack events involving CHARGEN analyzed by PLXsert, more than 99 percent were found to have taken advantage of Windows servers – from Windows NT to Windows 2008 R2.
Step-by-step instructions explain how to disable CHARGEN on a Windows server in a case study on new DDoS techniques, including CHARGEN attacks, available in the Q3 2013 Global Attack Report from Prolexic.
More information is available in the Q3 2013 Global Attack Report.