Solved

How to block a Chargen DrDoS attack?

Posted on 2014-03-27
Last Modified: 2014-03-28
Our organization is getting hit by Chargen DrDoS attacks. We tried blocking port 19, but that did not help. We have an ASA 5510; what do we need to do to stop this?
0
Question by:bpl5000
LVL 10

Accepted Solution

by:
0xSaPx0 earned 250 total points
ID: 39959516
You will likely want to start with your ISP and ask them to help. It is unlikely you will be able to block this yourself; even so, the attacker can easily switch methods to thwart your attempts.

Next, you can contact law enforcement, such as the FBI, who have been known to assist with this sort of thing.

Finally, you can attempt to block the traffic using a scripted approach, but honestly it doesn't matter whether you do or not; the main point is to saturate the pipe you use, not to get past your firewall.
0
 
LVL 15

Assisted Solution

by:Giovanni Heward
Giovanni Heward earned 250 total points
ID: 39959659
In support of 0xSaPx0, this type of attack is used to exploit vulnerable services outside of your control to saturate your available bandwidth by way of amplification. See the attachment for more detail.

Another option to look into is Anycast addressing, which will effectively dilute the DDoS attack across multiple data centers geographically.

Although it is a very arduous process, you could trace the owners of each vulnerable service, using the attacking IP address, and provide them with mitigation advisories, such as http://www.cert.org/advisories/CA-1996-01.html, in hopes they will patch/close their systems.
An-Analysis-of-DrDoS-SNMP-NTP-CH.pdf
0
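The reflector tracing suggested in the answer above, sketched as an added example that is not part of the original thread: it aggregates inbound UDP traffic with source port 19 per sending address, giving the list of reflectors to hand to the ISP or to look up for abuse contacts. The CSV record layout, the function name and the sample records (documentation address ranges) are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

CHARGEN_PORT = 19  # chargen (RFC 864); reflected replies arrive FROM this port

# Constructed sample records in an assumed CSV export format
# (timestamp,proto,src_ip,src_port,dst_ip,dst_port,bytes); documentation IPs only.
SAMPLE_FLOWS = """\
2014-03-27T10:00:01,udp,198.51.100.7,19,203.0.113.10,40211,1472
2014-03-27T10:00:01,udp,198.51.100.7,19,203.0.113.10,40211,1472
2014-03-27T10:00:02,udp,192.0.2.44,19,203.0.113.10,51873,1472
2014-03-27T10:00:02,tcp,198.51.100.23,443,203.0.113.10,55012,900
2014-03-27T10:00:03,udp,192.0.2.80,53,203.0.113.10,33455,120
2014-03-27T10:00:03,udp,198.51.100.7,19,203.0.113.10,40211,1024
2014-03-27T10:00:04,udp,203.0.113.10,40211,198.51.100.99,19,60
2014-03-27T10:00:04,udp,192.0.2.44,19,203.0.113.10,51873,512
2014-03-27T10:00:05,udp,198.51.100.7,19,203.0.113.55,40211,1472
truncated,line
"""


def summarize_reflectors(flow_text, victim_ip):
    """Return [(reflector_ip, packets, bytes)] for chargen replies sent to victim_ip."""
    totals = defaultdict(lambda: [0, 0])  # ip -> [packets, bytes]
    for row in csv.reader(io.StringIO(flow_text)):
        if len(row) != 7:
            continue  # skip malformed or truncated records
        _, proto, src_ip, src_port, dst_ip, _, nbytes = row
        if not (src_port.isdigit() and nbytes.isdigit()):
            continue
        # Reflection signature: UDP, source port 19, destined to our address.
        if proto.lower() == "udp" and int(src_port) == CHARGEN_PORT and dst_ip == victim_ip:
            totals[src_ip][0] += 1
            totals[src_ip][1] += int(nbytes)
    # Largest contributors first: these are the addresses to report.
    return sorted(((ip, p, b) for ip, (p, b) in totals.items()),
                  key=lambda t: t[2], reverse=True)


if __name__ == "__main__":
    for ip, packets, nbytes in summarize_reflectors(SAMPLE_FLOWS, "203.0.113.10"):
        print(f"{ip}\t{packets} packets\t{nbytes} bytes")
```

The match is on source port 19 because the reflectors answer from their chargen port to whatever port the spoofed request named.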
 
LVL 5

Author Comment

by:bpl5000
ID: 39961365
I have read that you can disable the chargen service, but I don't know how.  I read this on a website...

Disable Echo, Chargen and discard
     no service tcp-small-servers
     no service udp-small-servers

But these commands do not work on our ASA.  Does anyone know if there is a way to disable the Chargen service on an ASA 5510?
0
 
LVL 5

Author Closing Comment

by:bpl5000
ID: 39962208
We have contacted our ISP. We were also able to track down who launched the attack and unfortunately a 17-year-old boy will be getting a visit from law enforcement. He probably thought it was a cute joke to play, but now it will bring him trouble. Oh well, maybe it will deter him from getting into even more trouble in the future.
0
