Solved

How to block a Chargen DrDoS attack?

Posted on 2014-03-27
4
1,442 Views
Last Modified: 2014-03-28
Our organization is getting hit by Chargen DrDoS attacks.  We tried blocking port 19, but that did not help.  We have an ASA 5510, what do we need to do to stop this?
0
Comment
Question by:bpl5000
  • 2
4 Comments
 
LVL 10

Accepted Solution

by:
0xSaPx0 earned 250 total points
ID: 39959516
You will likely want to start with your ISP and ask them to help. It is unlikely you will be able to block this yourself, even so the attacker can easily switch methods to thwart your attempts.

Next you can contact law enforcement such as the FBI who have been known to assist with this sort of thing.

Finally, you can attempt to block the traffic using a scripted approach, but honestly it doesn't matter if you do or not, the main point is to saturate the pipe you use, not get past your firewall.
0
 
LVL 15

Assisted Solution

by:Giovanni Heward
Giovanni Heward earned 250 total points
ID: 39959659
In support of  0xSaPx0, this type of attack is used to exploit vulnerable services outside of your control to saturate your available bandwidth by way of amplification.  See the attachment for more detail.

Another option to look into is Anycast addressing, which will effectively dilute the DDoS attack across multiple data centers geographically.

A very arduous process, you could trace the owners of each vulnerable service, using the attacking IP address, and provide them with mitigation advisories, such as http://www.cert.org/advisories/CA-1996-01.html, in hopes they will patch/close their systems.
An-Analysis-of-DrDoS-SNMP-NTP-CH.pdf
0
 
LVL 5

Author Comment

by:bpl5000
ID: 39961365
I have read that you can disable the chargen service, but I don't know how.  I read this on a website...

Disable Echo, Chargen and discard
     no service tcp-small-servers
     no service udp-small-servers

But these commands do not work on our ASA.  Does anyone know if there is a way to disable the Chargen service on an ASA 5510?
0
 
LVL 5

Author Closing Comment

by:bpl5000
ID: 39962208
We have contacted our ISP.  We were also able to track down who launched the attack and unfortunately a 17 year old boy will be getting a visit from law enforcement.  He probably thought it was a cute joke to play, but now it will bring him trouble.  Oh well, maybe it will deter him from getting into even more trouble in the future.
0

Featured Post

Now Available: Firebox Cloud for AWS and FireboxV

Firebox Cloud brings the protection of WatchGuard’s leading Firebox UTM appliances to public cloud environments. It enables organizations to extend their security perimeter to protect business-critical assets in Amazon Web Services (AWS).

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article will cover setting up redundant ISPs for outbound connectivity on an ASA 5510 (although the same should work on the 5520s and up as well).  It’s important to note that this covers outbound connectivity only.  The ASA does not have built…
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

713 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question