Solved

How to block a Chargen DrDoS attack?

Posted on 2014-03-27
Last Modified: 2014-03-28
Our organization is getting hit by Chargen DrDoS attacks.  We tried blocking port 19, but that did not help.  We have an ASA 5510, what do we need to do to stop this?
Question by:bpl5000

Accepted Solution

by:
0xSaPx0 earned 250 total points
ID: 39959516
You will likely want to start with your ISP and ask them to help. It is unlikely you will be able to block this yourself; even so, the attacker can easily switch methods to thwart your attempts.

Next, you can contact law enforcement, such as the FBI, who have been known to assist with this sort of thing.

Finally, you can attempt to block the traffic using a scripted approach, but honestly it doesn't matter if you do or not; the main point is to saturate the pipe you use, not to get past your firewall.

Assisted Solution

by:Giovanni Heward
Giovanni Heward earned 250 total points
ID: 39959659
In support of 0xSaPx0, this type of attack is used to exploit vulnerable services outside of your control to saturate your available bandwidth by way of amplification.  See the attachment for more detail.

Another option to look into is Anycast addressing, which will effectively dilute the DDoS attack across multiple data centers geographically.

It is a very arduous process, but you could trace the owners of each vulnerable service, using the attacking IP address, and provide them with mitigation advisories, such as http://www.cert.org/advisories/CA-1996-01.html, in hopes they will patch/close their systems.
An-Analysis-of-DrDoS-SNMP-NTP-CH.pdf
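
An added example, not part of the original answer: a first step toward the reflector-tracing idea above. Reflected CHARGEN responses arrive as UDP with source port 19, so the script totals inbound bytes per source address to produce a list of reflectors to report. The flow record layout, the function name and all addresses are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

CHARGEN_PORT = 19  # CHARGEN service port (RFC 864)

# Constructed sample flow export: proto,src_ip,src_port,dst_ip,dst_port,bytes
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_FLOWS = """\
udp,198.51.100.7,19,203.0.113.10,41822,1024000
udp,198.51.100.7,19,203.0.113.10,41822,2048000
udp,192.0.2.55,19,203.0.113.10,53110,512000
udp,192.0.2.99,53,203.0.113.10,40000,300
tcp,192.0.2.200,19,203.0.113.10,50000,4000
udp,203.0.113.10,51000,192.0.2.1,19,60
udp,198.51.100.7,19,garbage,41822,notanumber
"""

def chargen_reflectors(flow_csv, victim_ip):
    """Return [(reflector_ip, total_bytes, flow_count)] sorted by bytes, descending.

    A reflected CHARGEN response is UDP, has SOURCE port 19, and is addressed
    to the victim. Rows that are malformed or do not match are skipped.
    """
    totals = defaultdict(lambda: [0, 0])  # ip -> [bytes, flows]
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) != 6:
            continue
        proto, src_ip, src_port, dst_ip, _dst_port, nbytes = (f.strip() for f in row)
        if not (src_port.isdigit() and nbytes.isdigit()):
            continue
        if proto.lower() != "udp" or int(src_port) != CHARGEN_PORT or dst_ip != victim_ip:
            continue
        totals[src_ip][0] += int(nbytes)
        totals[src_ip][1] += 1
    return sorted(((ip, b, n) for ip, (b, n) in totals.items()),
                  key=lambda t: t[1], reverse=True)

if __name__ == "__main__":
    for ip, total, count in chargen_reflectors(SAMPLE_FLOWS, "203.0.113.10"):
        print(f"{ip}\t{total} bytes\t{count} flows")
```

The resulting addresses can be passed to a WHOIS lookup to find each network's abuse contact.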

Author Comment

by:bpl5000
ID: 39961365
I have read that you can disable the chargen service, but I don't know how.  I read this on a website...

Disable Echo, Chargen and discard
     no service tcp-small-servers
     no service udp-small-servers

But these commands do not work on our ASA.  Does anyone know if there is a way to disable the Chargen service on an ASA 5510?

Author Closing Comment

by:bpl5000
ID: 39962208
We have contacted our ISP.  We were also able to track down who launched the attack, and unfortunately a 17-year-old boy will be getting a visit from law enforcement.  He probably thought it was a cute joke to play, but now it will bring him trouble.  Oh well, maybe it will deter him from getting into even more trouble in the future.