Internet Accessible CHARGEN Service

Description

The Character Generator (CHARGEN) service is an internet protocol defined in RFC 864. It is intended for testing and measurement purposes, and was primarily used for testing or troubleshooting line printers. The CHARGEN service, which can be accessed over both the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP), will, without regard to the input received during the connection, respond with either a repetitive stream or a datagram of randomly generated characters drawn from the ninety-five (95) printing characters of the American Standard Code for Information Interchange (ASCII) character set, in shifted lines of seventy-two (72) ASCII characters repeating.

The CHARGEN service listens on port 19/TCP and port 19/UDP.

Problem

An Internet Accessible CHARGEN Service can be abused for a Distributed Denial of Service (DDoS) Reflection/Amplification attack against a third party.

The CHARGEN service has a Bandwidth Amplification Factor (BAF) of 358.8:1.

The Character Generator (CHARGEN) Service

The Character Generator (CHARGEN) service is one of six (6) simple services: internet protocols intended for testing and measurement purposes. These services can be used with both TCP and UDP, enabling each transport protocol to be tested. Each of these services is intended as "a useful debugging and measurement tool" that network operators can use to test the reachability of other hosts and to troubleshoot connectivity issues: an operator can connect to another host and receive data to verify end-to-end connectivity. These protocols are described in their respective Requests for Comments (RFCs) dated May 1983 by the then RFC Editor Jonathan Postel, who made many significant contributions to the creation of the internet, particularly in the area of standards. Today, all six (6) protocols are regarded as obsolete.

Internet Protocols - Useful debugging and measurement tools

No.  Protocol                                  TCP/UDP   Action
1.   Echo Protocol                             Port 7    Returns an identical copy of the data received
2.   Discard Protocol                          Port 9    No response; the data received is discarded
3.   Active Users Protocol (systat service)    Port 11   Returns a list of users currently logged in
4.   Daytime Protocol                          Port 13   Returns the current date and time
5.   Quote of the Day (QOTD) Protocol          Port 17   Sends a daily quote on request
6.   Character Generator (CHARGEN) Protocol    Port 19   Returns a stream of randomly generated characters

The CHARGEN service response to a TCP connection

An internet accessible CHARGEN service will, without regard to the input sent to port 19/TCP during the connection, respond with a repetitive stream of randomly generated characters from the ninety-five (95) printing characters in the ASCII character set, in shifted lines of seventy-two (72) ASCII characters repeating, until the connection is terminated by the connecting host. The data flow over the connection is limited only by the normal TCP flow control mechanisms. Any data received over the TCP connection is discarded.

The CHARGEN service response to a UDP connection

An internet accessible CHARGEN service will, without regard to the input sent to port 19/UDP, respond with a datagram of between 0 and 512 randomly generated characters from the ninety-five (95) printing characters in the ASCII character set, in shifted lines of seventy-two (72) ASCII characters repeating. The CHARGEN service sends one datagram in response to each datagram it receives. The data carried in the received datagram is discarded.
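The following Python is an added example, not code from the original page or from any CHARGEN implementation. It builds the line pattern RFC 864 describes (72-character lines, each shifted one position through the ring of printing ASCII characters) for both the TCP stream and a length-limited UDP reply, and it provides a classifier a defender can run over captured payloads to recognise CHARGEN reflection traffic. The 95-character ring is the RFC's; the 94-character variant (no '~') is assumed from the netcat capture shown later on this page, whose lines wrap from '}' straight to ' '. SAMPLE_CAPTURE is three lines taken from that capture.

```python
# Added example (not from the original page): the CHARGEN pattern as RFC 864
# describes it, plus a classifier a defender can run over captured payloads.
LINE_LEN = 72        # characters per line (RFC 864)
MAX_UDP_LEN = 512    # upper bound on a UDP reply datagram (RFC 864)
CRLF = "\r\n"

# The 95 printing ASCII characters in code-point order: ' ' (0x20) .. '~' (0x7E).
RING_95 = "".join(chr(c) for c in range(0x20, 0x7F))
# Assumed variant: the netcat capture on this page wraps from '}' to ' ', i.e. that
# service uses a 94-character ring without '~'; the classifier accepts both.
RING_94 = RING_95[:-1]


def chargen_line(offset, ring=RING_95):
    """Return the 72-character line that starts at position `offset` of the ring."""
    start = offset % len(ring)
    return (ring * 2)[start:start + LINE_LEN]


def chargen_tcp_stream(n_lines, first_offset=0):
    """Yield `n_lines` CRLF-terminated lines, each shifted one position from the
    last, as the TCP service sends them until the client closes the connection."""
    for i in range(n_lines):
        yield chargen_line(first_offset + i) + CRLF


def chargen_udp_reply(length, first_offset=0):
    """Build a UDP reply payload of exactly `length` bytes (0..512): the same line
    pattern, cut off at the datagram size."""
    if not 0 <= length <= MAX_UDP_LEN:
        raise ValueError("UDP reply length must be between 0 and 512")
    text, i = "", 0
    while len(text) < length:
        text += chargen_line(first_offset + i) + CRLF
        i += 1
    return text[:length].encode("ascii")


def _ring_offset(line, ring):
    """Ring position at which `line` starts, or None if it is not a 72-char rotation."""
    if len(line) != LINE_LEN:
        return None
    idx = (ring * 2).find(line)
    return idx if 0 <= idx < len(ring) else None


def looks_like_chargen(payload, min_lines=2):
    """True if `payload` consists of complete 72-character lines that each advance
    one position through the printable-ASCII ring (95- or 94-character variant).
    A trailing partial line, as in a truncated UDP reply, is ignored."""
    text = payload.decode("ascii", errors="replace")
    full = [ln for ln in text.replace(CRLF, "\n").split("\n") if len(ln) == LINE_LEN]
    if len(full) < min_lines:
        return False
    for ring in (RING_95, RING_94):
        offsets = [_ring_offset(ln, ring) for ln in full]
        if None in offsets:
            continue
        if all((b - a) % len(ring) == 1 for a, b in zip(offsets, offsets[1:])):
            return True
    return False


# Three consecutive lines copied from the netcat capture shown later on this page.
SAMPLE_CAPTURE = (
    r"789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} " "\r\n"
    r"89:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !" "\r\n"
    r'9:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"' "\r\n"
).encode("ascii")

if __name__ == "__main__":
    print("".join(chargen_tcp_stream(3)), end="")
    print(len(chargen_udp_reply(512)), "byte UDP reply")
    print("capture from this page is CHARGEN:", looks_like_chargen(SAMPLE_CAPTURE))
```

The classifier deliberately requires at least two complete lines, so a UDP reply of under about 150 bytes is not classified from content alone; for short datagrams the source port (19/UDP) and the one-reply-per-request behaviour are the better indicators.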

Port Numbers and Ranges

In TCP/IP and UDP networks, a port is an endpoint of a logical connection and the way a client program specifies a particular server program on a computer in a network. The port number identifies the type of port. There are a total of 65,536 (0-65535) possible port numbers, divided into the following ranges:-

Well-Known Ports (0-1023)

These ports, also called low-numbered ports, are assigned by the Internet Assigned Numbers Authority (IANA) and are associated with well-known services, including the Echo Protocol, the Discard Protocol, the Active Users Protocol, the Daytime Protocol, the Quote of the Day (QOTD) Protocol and the Character Generator (CHARGEN) Protocol. Most operating systems restrict the association (called binding) of any service with these ports to trusted processes, such as those running as root.

Registered ports (1024-49151)

These ports are not assigned by the IANA but, for the convenience of the community, the IANA lists their registered uses. These ports are not considered "trusted" because, in most operating systems, ordinary users may bind to any of these port numbers.

Dynamic and Private Ports (49152-65535)

These ports are not assigned or registered. There are no commonly known ports in this space.

Verification

To establish whether a host has an internet accessible service, simple utility programs included with a standard Linux/Ubuntu distribution can be used. The test should not be run on the host itself or from its local network; instead, run it from a different node on the Internet.

Nmap - (Network Mapper) - (https://nmap.org)

To confirm an Internet accessible CHARGEN service, the 'Nmap' open source network scanner can be used.

Nmap is used to discover hosts and services on a computer network by sending packets and analysing the responses.

Insert the IP address of the host to be checked for an internet accessible CHARGEN service when invoking nmap with the options shown in the following example.

$ sudo nmap -sU -p19 -oG - xxx.xxx.xxx.xxx

An internet accessible CHARGEN service listening on port 19/UDP will return information similar to that shown below:

$ sudo nmap -sU -p19 -oG - xxx.xxx.xxx.xxx
# Nmap 7.80 scan initiated Wed Jul 21 15:34:13 2021 as: nmap -sU -p19 -oG - xxx.xxx.xxx.xxx
Host: xxx.xxx.xxx.xxx ()	Status: Up
Host: xxx.xxx.xxx.xxx ()	Ports: 19/open/udp//chargen///

# Nmap done at Wed Jul 21 15:34:13 2021 -- 1 IP address (1 host up) scanned in 0.37 seconds

Options
sudo	:Elevated privileges are required to access raw sockets.
-sU 	:UDP Scan.
-p	:Only scan specified port.
-oG -	:Grepable Output.
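When a range of addresses is scanned, the grepable output above is most useful once it is parsed. The following Python is an added example, not code from the original page or from the Nmap project: it parses -oG 'Host:' lines into per-host port records and reports which hosts have port 19 confirmed open. The distinction it draws matters for UDP scans: nmap reports a UDP port as 'open' only when the service actually answered the probe, while 'open|filtered' means nothing came back and the host still needs a follow-up check. The sample scan text is constructed in the format shown above and uses addresses from the 192.0.2.0/24 documentation range.

```python
# Added example (not part of the original page or of Nmap): a parser for nmap's
# grepable (-oG) output that reports which hosts have port 19 confirmed open.


def parse_grepable_ports(text):
    """Map host IP -> list of (port, state, protocol, service) parsed from -oG output.

    -oG 'Host:' lines carry tab-separated fields; the 'Ports:' field holds
    comma-separated entries of the form port/state/protocol/owner/service/rpc/version.
    """
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                parts = entry.split("/")
                if len(parts) < 5 or not parts[0].isdigit():
                    continue
                results.setdefault(ip, []).append(
                    (int(parts[0]), parts[1], parts[2], parts[4]))
    return results


def exposed_chargen(text):
    """Return (confirmed, unanswered): hosts whose port 19 nmap reports as 'open',
    and hosts it reports as 'open|filtered'.

    For UDP, nmap marks a port 'open' only when the service answered the probe;
    'open|filtered' means no reply was seen, which may be a firewall or a silent
    service, so those hosts need a separate check (e.g. with netcat).
    """
    confirmed, unanswered = [], []
    for ip, entries in parse_grepable_ports(text).items():
        for port, state, proto, _service in entries:
            if port != 19:
                continue
            if state == "open":
                confirmed.append((ip, proto))
            elif state == "open|filtered":
                unanswered.append((ip, proto))
    return confirmed, unanswered


# Constructed sample in the -oG format shown on this page; the addresses are from
# the 192.0.2.0/24 documentation range and do not refer to real hosts.
SAMPLE_SCAN = """# Nmap 7.80 scan initiated Wed Jul 21 15:34:13 2021 as: nmap -sU -p19 -oG - 192.0.2.0/28
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 19/open/udp//chargen///
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 19/open|filtered/udp//chargen///
Host: 192.0.2.12 ()\tPorts: 19/open/tcp//chargen///, 22/open/tcp//ssh///\tIgnored State: closed (998)
# Nmap done at Wed Jul 21 15:34:13 2021 -- 16 IP addresses (3 hosts up) scanned in 1.12 seconds
"""

if __name__ == "__main__":
    import sys
    # usage: sudo nmap -sU -p19 -oG - <your address range> | python3 this_script.py
    text = SAMPLE_SCAN if sys.stdin.isatty() else sys.stdin.read()
    confirmed, unanswered = exposed_chargen(text)
    for ip, proto in confirmed:
        print(f"{ip}: CHARGEN confirmed open on 19/{proto}")
    for ip, proto in unanswered:
        print(f"{ip}: 19/{proto} open|filtered (no reply; verify separately)")
```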

netcat

To establish a connection to an internet accessible CHARGEN service and elicit a response, the 'netcat' command line network utility can be used. The netcat binary also has an alias named nc; both names refer to the same binary file.

Insert the IP address of the host that has an internet accessible CHARGEN service, together with the port number 19.

$ netcat [Host] [Port]

An Internet accessible CHARGEN service listening on port 19/TCP will return information similar to that shown below:

$ netcat xxx.xxx.xxx.xxx 19
0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvw
123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwx
23456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxy
3456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz
456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{
56789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|
6789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}
789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} 
89:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !
9:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"
:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#
;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$
<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%
=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%&'
>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%&'
?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%&'(
@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%&'()
ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%&'()*
BCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%&'()*+
CDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%&'()*+,
DEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%&'()*+,-
EFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%&'()*+,-.
FGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%&'()*+,-./
GHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%&'()*+,-./0
HIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%&'()*+,-./01
IJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%&'()*+,-./012
JKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%&'()*+,-./0123
KLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%&'()*+,-./01234
LMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%&'()*+,-./012345
MNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%&'()*+,-./0123456
NOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%&'()*+,-./01234567
OPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%&'()*+,-./012345678
PQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%&'()*+,-./0123456789
QRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%&'()*+,-./0123456789:
RSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%&'()*+,-./0123456789:;
STUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%&'()*+,-./0123456789:;<
TUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%&'()*+,-./0123456789:;<=
UVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%&'()*+,-./0123456789:;<=>
VWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%&'()*+,-./0123456789:;<=>?
WXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%&'()*+,-./0123456789:;<=>?@
XYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%&'()*+,-./0123456789:;<=>?@A
YZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%&'()*+,-./0123456789:;<=>?@AB
Z[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%&'()*+,-./0123456789:;<=>?@ABC
[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%&'()*+,-./0123456789:;<=>?@ABCD

netcat commands have the generic form netcat [options] host port.
Options
Host	:IP Address of host.
Port  	:Port Number (19).

Solution

If the CHARGEN Service is not required, disable it.

If the CHARGEN Service is required, restrict access to trusted clients or specific IP addresses by blocking all other incoming connections to port 19/TCP and 19/UDP on the firewall.

To disable the CHARGEN service on:-

Unix/Linux Systems.

1.	Locate the file /etc/inetd.conf (or the equivalent /etc/xinetd.d directory).
2.	Stop the inetd service - /etc/init.d/inetd stop
3.	With an editor, open the inetd configuration file and locate the line that controls the CHARGEN daemon.
4.	Insert a hash symbol (#) at the beginning of the line, to comment out the CHARGEN daemon.
5.	Save and exit from the file.
6.	Restart the inetd (or equivalent xinetd) service - /etc/init.d/inetd restart
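The edit in the steps above can be scripted so that it is repeatable across hosts and checkable before the service is restarted. The following Python is an added example, not code from the original page or from the inetd/xinetd projects. It comments out chargen entries in inetd.conf text (the hash-symbol step above) and, for the xinetd layout, sets "disable = yes" in every "service chargen*" block, inserting the line where a block lacks one. The two sample configurations are constructed for the example; the file paths in the usage comment are the ones named in the steps above.

```python
# Added example (not from the original page): apply the "comment out chargen"
# step to inetd.conf text, and the xinetd equivalent ("disable = yes"), so the
# change can be scripted and checked before the service is restarted.
import re


def disable_chargen_inetd(conf):
    """Comment out every active chargen entry in inetd.conf text.

    inetd.conf lines start with the service name; a leading '#' disables the line.
    Returns (new_text, number_of_lines_changed)."""
    out, changed = [], 0
    for line in conf.splitlines(keepends=True):
        tokens = line.split()
        if tokens and tokens[0] == "chargen":
            out.append("#" + line)
            changed += 1
        else:
            out.append(line)
    return "".join(out), changed


def disable_chargen_xinetd(conf):
    """Set 'disable = yes' in every xinetd 'service chargen*' block (the tcp and
    udp variants share the chargen prefix), inserting the line if a block lacks it.
    Returns (new_text, number_of_blocks_changed)."""
    out, changed = [], 0
    in_chargen = seen_disable = False
    for line in conf.splitlines(keepends=True):
        header = re.match(r"\s*service\s+(\S+)", line)
        if header:
            in_chargen = header.group(1).startswith("chargen")
            seen_disable = False
        elif in_chargen and re.match(r"\s*disable\s*=", line):
            seen_disable = True
            new = re.sub(r"=\s*\S+", "= yes", line, count=1)
            if new != line:
                changed += 1
            line = new
        elif in_chargen and line.strip() == "}":
            if not seen_disable:
                out.append("\tdisable = yes\n")
                changed += 1
            in_chargen = False
        out.append(line)
    return "".join(out), changed


def apply_to_file(path, transform):
    """Rewrite `path` in place with `transform`; returns the number of changes."""
    with open(path, encoding="utf-8") as fh:
        new_text, changed = transform(fh.read())
    if changed:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(new_text)
    return changed


# Constructed samples in the two file formats (not copied from any real system).
INETD_SAMPLE = (
    "chargen\tstream\ttcp\tnowait\troot\tinternal\n"
    "chargen\tdgram\tudp\twait\troot\tinternal\n"
    "daytime\tstream\ttcp\tnowait\troot\tinternal\n"
)
XINETD_SAMPLE = (
    "service chargen\n{\n\tdisable\t= no\n\tsocket_type\t= stream\n\tprotocol\t= tcp\n\twait\t\t= no\n}\n"
    "service chargen-udp\n{\n\tsocket_type\t= dgram\n\tprotocol\t= udp\n\twait\t\t= yes\n}\n"
    "service daytime\n{\n\tdisable\t= no\n}\n"
)

if __name__ == "__main__":
    import sys
    # usage: python3 disable_chargen.py inetd /etc/inetd.conf
    #        python3 disable_chargen.py xinetd /etc/xinetd.d/chargen
    kind, path = sys.argv[1], sys.argv[2]
    fn = disable_chargen_inetd if kind == "inetd" else disable_chargen_xinetd
    print(apply_to_file(path, fn), "change(s) written; now restart the service")
```

Both transforms are idempotent: running them a second time reports zero changes, which makes the returned count a usable "is this host already fixed" signal. The service still has to be restarted afterwards, as in step 6.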

Microsoft Windows Systems.

The CHARGEN service is not inherent to Microsoft Windows; however, if the service has been installed, the following steps will render it inoperative.

Set the following registry keys to 0:

HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpChargen
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpChargen

1.	In Microsoft Windows, open the registry editor.
2.	Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SimpTcp\Parameters.
3.	Double-click the EnableTcpChargen key to display the DWORD Editor.
4.	Replace the value in the data field with 0.
5.	Click OK.
	Repeat these steps for:-
	HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpChargen

For the changes made to the registry to take effect, the Simple TCP/IP Service has to be stopped and restarted.

1.	Launch cmd.exe and execute the following commands.
2.	net stop simptcp
3.	net start simptcp

Supplementary Information

Ingress & Egress Filtering

Filter              Description
Ingress Filtering   Ingress filtering is a simple and effective method to limit the impact of DoS attacks, by denying traffic with a forged IP source address (IP spoofing) access to the network, and to help ensure that traffic is traceable to its correct network.
Egress Filtering    Egress filtering limits the impact of a compromised network in a Denial of Service (DoS) attack on networks of other organisations, by preventing traffic with a forged source (spoofed) IP address from leaving the network.

Implementing best practice for Ingress filtering limits the impact of a Denial of Service (DoS) attack on one's own network, while implementing best practice for Egress filtering limits the impact of a compromised network in a Denial of Service (DoS) attack on the networks of other organisations. Additional information on Ingress & Egress Filtering can be found at the following link - Ingress & Egress Filtering
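The two filtering rules described above reduce to one source-address test applied in each direction at the network border. The following Python is an added example, not code from the original page: it expresses the ingress rule (an inbound packet must not claim one of our own addresses as its source) and the egress rule (an outbound packet must carry one of our own addresses) with the standard-library ipaddress module, and applies them to constructed packet headers. OWN_PREFIXES is an assumption standing in for the address space a network actually owns, and uses documentation prefixes.

```python
# Added example (not from the original page): the ingress/egress source-address
# checks the text describes, applied to constructed (direction, src, dst) headers.
import ipaddress

# Assumed: the address space assigned to our network (documentation prefixes here).
OWN_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("2001:db8::/32")]


def is_own_address(addr, prefixes=OWN_PREFIXES):
    """True if `addr` falls inside one of the prefixes this network owns."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in prefixes)


def ingress_allowed(src, prefixes=OWN_PREFIXES):
    """Ingress filter (border, inbound): a packet arriving from the Internet must
    not claim one of our own addresses as its source; such a packet is spoofed."""
    return not is_own_address(src, prefixes)


def egress_allowed(src, prefixes=OWN_PREFIXES):
    """Egress filter (border, outbound): a packet leaving our network must carry one
    of our own addresses, so a compromised host cannot emit reflection requests
    (e.g. to port 19 on another network) bearing a victim's address."""
    return is_own_address(src, prefixes)


def filter_packets(packets, prefixes=OWN_PREFIXES):
    """Apply the rule for each packet's direction; returns [(packet, verdict), ...]."""
    verdicts = []
    for direction, src, dst in packets:
        if direction == "in":
            ok = ingress_allowed(src, prefixes)
        elif direction == "out":
            ok = egress_allowed(src, prefixes)
        else:
            raise ValueError(f"unknown direction {direction!r}")
        verdicts.append(((direction, src, dst), "allow" if ok else "drop"))
    return verdicts


# Constructed traffic (no real hosts): an inbound packet spoofing one of our
# addresses, a legitimate inbound packet, an outbound request to a third party's
# port 19 carrying a forged source, and a normal outbound packet.
SAMPLE_PACKETS = [
    ("in", "192.0.2.7", "192.0.2.20"),
    ("in", "198.51.100.9", "192.0.2.20"),
    ("out", "203.0.113.5", "198.51.100.19"),
    ("out", "192.0.2.20", "198.51.100.19"),
]

if __name__ == "__main__":
    for packet, verdict in filter_packets(SAMPLE_PACKETS):
        print(verdict.upper(), *packet)
```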

UDP Based Denial-of-Service (DoS) Attack

The User Datagram Protocol (UDP), a generic carrier for several higher-level protocols, has a number of properties that make it susceptible to exploitation for DoS attacks against third parties. Additional information on the components and techniques deployed in a UDP based DoS attack can be found at the following link - UDP Based Denial-of-Service (DoS) Attack

Additional Information

IETF RFC 864 - Character Generator Protocol
IETF RFC 862 - Echo Protocol
IETF RFC 863 - Discard Protocol
IETF RFC 866 - Active Users
IETF RFC 867 - Daytime Protocol
IETF RFC 865 - Quote of the Day Protocol
IETF RFC 1340 - Assigned Numbers
Good Intentions on the Old-Timey Internet
Deep inside CHARGEN flood attacks
Open Chargen Service Scanning Project
SANS ISC InfoSec Forums - A Chargen-based DDoS? Chargen is still a thing?
Wikipedia - Character Generator Protocol
SANS ISC InfoSec Forums - Cyber Security Awareness Month - Day 24 - The small Services
Chargen Denial of Service
Learning to Use netcat to its full Potential