Solved

How to block a Chargen DrDoS attack?

Posted on 2014-03-27
4
1,335 Views
Last Modified: 2014-03-28
Our organization is getting hit by Chargen DrDoS attacks.  We tried blocking port 19, but that did not help.  We have an ASA 5510, what do we need to do to stop this?
0
Comment
Question by:bpl5000
  • 2
4 Comments
 
LVL 10

Accepted Solution

by:
0xSaPx0 earned 250 total points
Comment Utility
You will likely want to start with your ISP and ask them to help. It is unlikely you will be able to block this yourself, even so the attacker can easily switch methods to thwart your attempts.

Next you can contact law enforcement such as the FBI who have been known to assist with this sort of thing.

Finally, you can attempt to block the traffic using a scripted approach, but honestly it doesn't matter if you do or not, the main point is to saturate the pipe you use, not get past your firewall.
0
 
LVL 14

Assisted Solution

by:Giovanni Heward
Giovanni Heward earned 250 total points
Comment Utility
In support of  0xSaPx0, this type of attack is used to exploit vulnerable services outside of your control to saturate your available bandwidth by way of amplification.  See the attachment for more detail.

Another option to look into is Anycast addressing, which will effectively dilute the DDoS attack across multiple data centers geographically.

A very arduous process, you could trace the owners of each vulnerable service, using the attacking IP address, and provide them with mitigation advisories, such as http://www.cert.org/advisories/CA-1996-01.html, in hopes they will patch/close their systems.
An-Analysis-of-DrDoS-SNMP-NTP-CH.pdf
0
 
LVL 5

Author Comment

by:bpl5000
Comment Utility
I have read that you can disable the chargen service, but I don't know how.  I read this on a website...

Disable Echo, Chargen and discard
     no service tcp-small-servers
     no service udp-small-servers

But these commands do not work on our ASA.  Does anyone know if there is a way to disable the Chargen service on an ASA 5510?
0
 
LVL 5

Author Closing Comment

by:bpl5000
Comment Utility
We have contacted our ISP.  We were also able to track down who launched the attack and unfortunately a 17 year old boy will be getting a visit from law enforcement.  He probably thought it was a cute joke to play, but now it will bring him trouble.  Oh well, maybe it will deter him from getting into even more trouble in the future.
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

This is about downgrading PIX Version 8.0(4) & ASDM 6.1(5) to PIX 7.2(4) and ASDM 5.2(4) but with only 64MB RAM and 16MB flash. Background: You have a Cisco Pix 515E which was running on PIX 7.2(4) and its supporting ASDM 5.2(4) without any i…
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now