Internet Accessible QOTD Service

Description

The Quote of the Day (QOTD) service is an internet protocol defined in RFC 865, used to provide a message or quote to the connecting client, that is intended for testing and measurement purposes. The syntax for the message or quote is recommended to be limited to the American Standard Code for Information Interchange (ASCII) printing characters, space, carriage return, and line feed. The QOTD service, which can be accessed by both the Transport Transmission Protocol (TCP) and the User Datagram Protocol (UDP), will, without regard to the input received during the connection process, respond, with a short message, or a quote that has been determined by the server's administrator.

The QOTD service listens on port 17/TCP and port 17/UDP.

Problem

An Internet Accessible QOTD Service can be abused for a Distributed Denial of Service (DDoS) Reflection/Amplification attack against a third party.

The Bandwidth Amplification Factor (BAF) of the QOTD service is determined by the content and syntax used in the message or qoute of the day. RFC 865 state that the quote syntax should be less than 512 characters. The QOTD service has a maximum BAF of 140.3:1.

The Quote of the Day (QOTD) Service

The Quote of the Day (QOTD) service is one of six (6) simple services, that are internet protocols intended for testing and measurement purposes. These services can be used with both TCP and UDP, enabling each transport protocol to be tested. Each of these services are intended as "a useful debugging and measurement tool”. Tools that network operators can use to test the reachability of other hosts and to trouble shoot connectivity issues. Network operators can connect to another host and to receive data to verify end-to-end connectivity. The protocols are describe in their respective Request for Comments (RFC) dated May 1983 by the then RFC Editor Jonathan Postel, who made many significant contributions to the creation of the internet, particularly in the area of standards. Today, all six (6) protocols are regarded as obsolete.

Internet Protocols - Useful debugging and measurement tools

No. Protocol TCP/UDP Action
1. Echo Protocol Port 7 Returns identical copy of data received
2. Discard Protocol Port 9 No response - Discard data received
3. Active Users Protocol (systat service) Port 11 Return list of users currently login
4. Daytime Protocol Port 13 Returns current date and time
5. Quote of the Day (QOTD) Protocol Port 17 Broadcast a daily quote on request
6. Character Generator (CHARGEN) Protocol Port 19 Returns random generator character set

The QOTD service response to a TCP connection

An internet accessible QOTD service will, without regard to the input to port 17/TCP during the connection process, respond with a short message or quote. The QOTD service closes the connection after sending the quote. The data flow over the connection is limited by the normal TCP flow control mechanisms. The data received during the TCP connection process is discarded.

The QOTD service response to a UDP connection

An internet accessible QOTD service will, without regard to the input to port 17/UDP during the connection process, respond with a datagram that contains the message or quote of the day. The QOTD service will send one datagram in response of each datagram it receives. The data received during the UDP connection process is discarded.

Port Numbers and Ranges

In TCP/IP and UDP networks, a port is an endpoint to a logical connection and the way a client program specifies a specific server program on a computer in a network. The port number identifies what type of port it is. There are a total of 65,536 (0-65535) possible port numbers. The port numbers are divided into ranges:-

Well-Known Ports (0-1023)

These ports, also called low-numbered ports, are assigned by the Internet Assigned Numbers Authority (IANA). Port numbers within this range are associated with well-known services. These services include the Echo Protocol, the Discard Protocol, the Active Users Protocol, the Daytime Protocol, the Character Generator (CHARGEN) Protocol and the Quote of the Day (QOTD) Protocol. Most operating systems restrict the association (called binding) of any service with these ports to trusted processes, such as root.

Registered ports (1024-49151)

These ports are not assigned by the IANA, but for convenience to the community, the IANA lists the registered uses to these ports. These ports are not considered "trusted" because, in most operating systems, ordinary users may establish an association with any of these port numbers.

Dynamic and Private Ports (49152-65535)

These ports are not assigned or registered. There are no commonly known ports in this space.

Verification

To establish if a host has an Internet accessible service, simple utility programs or tools included with the standard Linux/Ubuntu distribution can be utilised. The test should not be run on the host itself or from the local network, instead it should be run from a different node on the Internet.

Nmap - (Network Mapper) - (https://nmap.org)

To confirm an Internet accessible QOTD service, the 'Nmap' open source network scanner utility program can be utilised.

Nmap is used to discover hosts and services on a computer network by sending packets and analysing the responses.

Insert the IP address of the host you wish to check for an Internet accessible QOTD service when invoking the 'Nmap' open source network scanner utility program together with the options included in the following example.

$ sudo nmap -sU -PN -p17-oG - xxx.xxx.xxx.xxx

An Internet accessible QOTD service listening on port 17/UDP will return information similar to that shown below:

$ sudo nmap -sU -p17 -oG - xxx.xxx.xxx.xxx
# Nmap 7.80 scan initiated Wed Aug 4 15:38:21 2021 as: nmap -sU -p17 -oG - xxx.xxx.xxx.xxx
Host: xxx.xxx.xxx.xxx ()	Status: Up
Host: xxx.xxx.xxx.xxx ()	Ports: 17/open/udp//qotd///

# Nmap done at Wed Aug 4 15:38:21 2021 -- 1 IP address (1 host up) scanned in 0.54 seconds

Options
sudo	:Elevated privileges are required to access raw sockets.
-sU 	:UDP Scan.
-p	:Only scan specified port.
-oG -	:Grepable Output.

Telnet - (https://datatracker.ietf.org/doc/html/rfc854)

To establish a connection to an internet accessible QOTD service, and elicit a response, the 'telenet' internet protocol can be used.

The 'telnet' (Teletype Network) internet protocol first developed in 1969 and defined in RFC 855 in May 1983, is a protocol that provides a command line interface for communication with a remote device or server using the TCP protocol. UDP connectivity can not be tested using Telnet.

Note: Telnet is not a secure protocol and is unencrypted. In a Telnet session, data is conveyed in plain text.

Insert the IP address of the host that has an Internet accessible QOTD service, together with the port number 17.

$ telnet [Host] [Port]

An Internet accessible QOTD service listening on port 17/TCP will return information similar to that shown below:

$ telnet xxx.xxx.xxx.xxx 17
Trying xxx.xxx.xxx.xxx...
Connected to xxx.xxx.xxx.xxx.
Escape character is '^]'.
"We have no more right to consume happiness without producing it than to
Connection closed by foreign host.it." George Bernard Shaw (1856-1950)

If telnet is invoked with a host argument, it performs an open command implicity.
Options
Host	:IP Address of host.
Port  	:Port Number (17).

Solution

If the QOTD Service is not required, disable it.

If the QOTD Service is required, restrict access to trusted clients or specific IP addresses by blocking incoming connections to port 17/TCP and 17/UDP on the firewall.

To disable the QOTD service on:-

Unix/Linux Systems.

1.	Navigate to the file /etc/inetd.conf (or equivalent - /etc/xinetd.d) file.
2.	Stop the inetd service - /etc/init.d/inetd stop
3.	With an editor, open the inetd file and locate the line that controls the Q0TD daemon.
4.	Insert a hash symbol (#) at the beginging of the line, to comment out the QOTD daemon.
5.	Save and exit from the file.
4.	Restart /etc/inetd/ (or equivalent - /etc/xinetd.d) service - /etc/init.d/inetd restart.

Microsoft Windows Systems.

The QOTD service is not inherent to Microsoft Windows, however in the event that the service has been installed, the following steps will render it inoperative.

Set the following registry keys to 0:

HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpQotd HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpQotd

1.	In Microsoft Windows, open the registry editor.
2.	Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SimpTcp\Parameters.
3.	Double-click the EnableTcpQotd key to display the DWORD Editor.
4.	Replace the value in the data field with 0.
5.	Click OK.
	Repeat these steps for:-
	HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpQotd

For the changes made to the registry to take effect, the Simple TCP/IP Service has to be stopped and restarted.

1.	Launch cmd.exe and execute the following commands.
2.	net stop simptcp.
3.	net start simptcp.

Supplementary Information

Ingress & Egress Filtering

Ingress filtering - is a simple and effective method to limit the impact of DoS attacks, by denying traffic with a forged IP source address (IP spoofing) access to the network, and to help ensure that traffic is traceable to its correct network.
Egress filtering - limits the impact of a compromised network in a Denial of Service (DoS) attack on networks of other organisations, by preventing traffic with a forged source (spoofed) IP address from leaving the network.

The implementation of best practice in relation to Ingress filtering limits the impact of a Denial of Service (DoS) attack on one's own network while the implementation of best practice in relation to Egress filtering limits the impact of a compromised network in a Denial of Service (DoS) attack on networks of other organisations. Additional information on Ingress & Egress Filtering can be found at the following link - Ingress & Engress Filtering

UDP Based Denial-of-Service (DoS) Attack

The User Datagram Protocol (UDP), a generic carrier for several higher-level protocols, has a number of properties that makes it susceptible to exploitation for DoS attacks against third parties. Additional information on the components and techniques deployed in an UDP based DoS attack can be found at the following link - UDP Based Denial-of-Service (DoS) Attack

Additional Information

IETF RFC 865- Quote of the Day Protocol
IETF RFC 862- Echo Protocol
IETF RFC 863- Discard Protocol
IETF RFC 864- Character Generator Protocol
IETF RFC 866- Active Users
IETF RFC 867- Daytime Protocol
Shadowserver - Open Quote of the Day Service Scanning Project
IETF RFC 1340 - Assigned Numbers
Good Intentions on the Old-Timey Internet