Internet FAQs

What is a Denial of Service Amplification Attack and how do I properly secure my network equipment against one?


Recently, there has been an increase in Distributed Denial of Service (DDoS) Amplification attacks on the Internet, some of which involve our subscribers. If you have received a notification regarding suspicious traffic from your TWC Internet connection, please review the following information and take appropriate action to correct the problem and properly secure your network equipment.

Types of services involved in the majority of these attacks:

• DNS – Domain Name System (port 53)
• NTP – Network Time Protocol (port 123)
• Chargen – Character Generator Protocol (port 19)

In each of these types of amplification attacks, the attacker sends requests to one of these services with the source IP address forged to be the victim's, so the service's reply, which is typically much larger than the request, is delivered to the victim rather than to the attacker. This method of attack involves saturating the target machine with external communications requests, so much so that it cannot respond to legitimate traffic or it responds so slowly as to be rendered essentially unavailable. If the attack against the victim is large enough, it will take down their Internet services.

If you know you are running one or more of these services, secure or disable them immediately. If you do not recognize these services, your router's configuration may have been changed at some point. Resetting the router to its original factory settings and ensuring that a firewall is enabled may be an easy first course of action.


DNS Based Attacks

Operating Systems Affected: All Systems

How to secure your DNS:

• Restrict the DNS resolvers to only allow queries from inside your network.
• Configure the DNS to only reply to queries from addresses that are inside your network.
• Use firewall/packet filter rules to restrict access to port 53.

Team Cymru has a guide here: http://www.team-cymru.org/Services/Resolvers/instructions.html


NTP Based Attacks

Operating Systems Affected: All Systems

How to secure your NTP:

• Upgrade to NTP version 4.2.7p26 or above
• Modify the configuration to deny monlist requests

Many of the systems involved appear to be embedded devices and not just UNIX servers running the NTP daemon. Remediation advice for the most common platforms can be found at:

http://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html
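As an added example that is not part of this FAQ or of the linked guides, the following Python script applies the DNS and NTP hardening points above to configuration text: it flags a BIND named.conf that enables recursion without an allow-recursion ACL limited to internal networks, and an ntp.conf whose default restrict line lacks noquery (the restriction that refuses monlist and other control queries). The sample configurations, file names and network ranges are constructed for illustration and are assumptions, not values from the FAQ.

```python
import re

# Constructed sample configurations (assumed, not from the FAQ): one weak and
# one hardened variant for each service, so the audit can be run offline.
WEAK_NTP = ("driftfile /var/lib/ntp/drift\n"
            "restrict default kod nomodify notrap\n"
            "server 0.pool.ntp.org\n")
HARD_NTP = ("driftfile /var/lib/ntp/drift\n"
            "restrict default kod nomodify notrap nopeer noquery\n"
            "restrict 127.0.0.1\n"
            "server 0.pool.ntp.org\n")
WEAK_NAMED = "options {\n    recursion yes;\n};\n"
HARD_NAMED = ("acl internal { 127.0.0.1; 192.168.1.0/24; };\n"
              "options {\n    recursion yes;\n"
              "    allow-recursion { internal; };\n"
              "    allow-query { internal; };\n};\n")

DEFAULT_RESTRICT = re.compile(r"\s*restrict\s+(?:-[46]\s+)?default\b")


def audit_ntp_conf(text):
    """Return findings for an ntpd config: monlist reflection is closed only
    when every 'restrict default' line carries noquery."""
    findings = []
    defaults = [l.split() for l in text.splitlines() if DEFAULT_RESTRICT.match(l)]
    if not defaults:
        findings.append("ntp: no 'restrict default' line; control queries "
                        "(monlist) are answered from anywhere")
    for tokens in defaults:
        if "noquery" not in tokens:
            findings.append("ntp: '%s' lacks noquery; monlist replies can be "
                            "reflected at a victim" % " ".join(tokens))
    return findings


def audit_named_conf(text):
    """Return findings for a BIND named.conf: recursion must be limited to
    internal networks, otherwise the server acts as an open resolver."""
    body = re.sub(r"//.*|#.*", "", text)  # strip line comments
    if not re.search(r"\brecursion\s+yes\s*;", body):
        return []  # authoritative-only servers do not reflect recursive answers
    acl = re.search(r"allow-recursion\s*\{([^}]*)\}", body)
    if acl is None:
        return ["dns: recursion enabled without an explicit allow-recursion "
                "ACL; verify it is limited to internal networks"]
    if re.search(r"\bany\b", acl.group(1)):
        return ["dns: allow-recursion { any; } makes this an open resolver"]
    return []


def audit_all(ntp_text, named_text):
    """Combined report; an empty list means both services pass these checks."""
    return audit_ntp_conf(ntp_text) + audit_named_conf(named_text)
```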


Chargen Based Attacks

Operating Systems Affected: All Systems

How to secure Chargen:

• Disable the service

Details on how to disable the service can be found at:

https://kb.iweb.com/entries/51154726-Guide-to-Chargen-Amplification-Issues


Additional Resources

http://abusereports.gameservers.com/

Test for Vulnerable Ports:

https://www.grc.com/shieldsup
http://www.speedguide.net/ports_common.php


What else can I do?

We recommend that you visit www.twcc.com/security/bothelp and follow the steps to ensure your machine is not infected with malware and is adequately protected.

If you have questions or concerns about this process or this notification, please call us at 1-855-222-7342.