Internet Accessible QOTD Service
Description
The Quote of the Day (QOTD) service is an internet protocol defined in RFC 865 that provides a message or quote to the connecting client and is intended for testing and measurement purposes. The message or quote is recommended to be limited to the American Standard Code for Information Interchange (ASCII) printing characters, space, carriage return, and line feed. The QOTD service, which can be accessed over both the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP), responds, without regard to the input received during the connection, with a short message or quote chosen by the server's administrator.
The QOTD service listens on port 17/TCP and port 17/UDP.
Problem
An Internet Accessible QOTD Service can be abused for a Distributed Denial of Service (DDoS) Reflection/Amplification attack against a third party.
The Bandwidth Amplification Factor (BAF) of the QOTD service is determined by the content and syntax of the message or quote of the day. RFC 865 states that the quote should be less than 512 characters. The QOTD service has a maximum BAF of 140.3:1.
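The amplification described above is visible from the server's own side: one small datagram in, a full quote out, and a spoofed source address sees every reply. The following added example (not part of this advisory) scores a constructed per-datagram log of the form "ts src bytes_in bytes_out" (an assumed format) to compute the per-source BAF and flag sources that are receiving quotes at a rate no genuine client would request.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple

class Reply(NamedTuple):
    ts: float        # time the server answered (epoch seconds)
    src: str         # source address the request claimed; when spoofed, the reflection victim
    bytes_in: int    # UDP payload bytes received (QOTD ignores the content anyway)
    bytes_out: int   # UDP payload bytes of the quote sent back

# Constructed server-side log, one line per answered datagram: "ts src bytes_in bytes_out".
# 198.51.100.9 behaves like a real client; 203.0.113.7 receives ten quotes within one second.
SAMPLE_LOG = "1628091500.0 198.51.100.9 1 140\n" + "".join(
    f"1628091501.{i} 203.0.113.7 1 140\n" for i in range(10)
)

def parse_log(text: str) -> List[Reply]:
    replies = []
    for line in text.splitlines():
        if line.strip():
            ts, src, b_in, b_out = line.split()
            replies.append(Reply(float(ts), src, int(b_in), int(b_out)))
    return replies

def summarise(replies: List[Reply]) -> Dict[str, dict]:
    """Per source: request count, bandwidth amplification factor (bytes out / bytes in)
    and request rate over the span of that source's activity (at least a 1 s window)."""
    per_src = defaultdict(list)
    for r in replies:
        per_src[r.src].append(r)
    summary = {}
    for src, rs in per_src.items():
        b_in = sum(r.bytes_in for r in rs)
        b_out = sum(r.bytes_out for r in rs)
        span = max(r.ts for r in rs) - min(r.ts for r in rs)
        summary[src] = {
            "requests": len(rs),
            "baf": round(b_out / max(b_in, 1), 1),  # an empty probe still costs a full quote
            "rate": len(rs) / max(span, 1.0),
        }
    return summary

def likely_victims(summary: Dict[str, dict], min_requests: int = 5,
                   min_rate: float = 5.0) -> List[str]:
    """A genuine client asks for the quote once; a source answered at a sustained rate is
    almost certainly the spoofed target of a reflection attack and should be rate limited."""
    return sorted(s for s, v in summary.items()
                  if v["requests"] >= min_requests and v["rate"] >= min_rate)
```

The thresholds are assumptions; tune them to the traffic a legitimate test client actually generates on your network.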
The Quote of the Day (QOTD) Service
The Quote of the Day (QOTD) service is one of six (6) simple services: internet protocols intended for testing and measurement purposes. These services can be used with both TCP and UDP, enabling each transport protocol to be tested. Each of these services is intended as "a useful debugging and measurement tool" that network operators can use to test the reachability of other hosts and to troubleshoot connectivity issues. Network operators can connect to another host and receive data to verify end-to-end connectivity. The protocols are described in their respective Request for Comments (RFC) documents dated May 1983 by the then RFC Editor Jonathan Postel, who made many significant contributions to the creation of the internet, particularly in the area of standards. Today, all six (6) protocols are regarded as obsolete.
Internet Protocols - Useful debugging and measurement tools
No. | Protocol | Port (TCP/UDP) | Action |
---|---|---|---|
1. | Echo Protocol | Port 7 | Returns an identical copy of the data received |
2. | Discard Protocol | Port 9 | No response; discards the data received |
3. | Active Users Protocol (systat service) | Port 11 | Returns a list of users currently logged in |
4. | Daytime Protocol | Port 13 | Returns the current date and time |
5. | Quote of the Day (QOTD) Protocol | Port 17 | Returns a quote of the day on request |
6. | Character Generator (CHARGEN) Protocol | Port 19 | Returns a stream of arbitrary generated characters |
The QOTD service response to a TCP connection
An internet accessible QOTD service will, without regard to the input to port 17/TCP during the connection process, respond with a short message or quote. The QOTD service closes the connection after sending the quote. The data flow over the connection is limited by the normal TCP flow control mechanisms. The data received during the TCP connection process is discarded.
The QOTD service response to a UDP connection
An internet accessible QOTD service will, without regard to the input to port 17/UDP during the connection process, respond with a datagram that contains the message or quote of the day. The QOTD service will send one datagram in response to each datagram it receives. The data received during the UDP connection process is discarded.
Port Numbers and Ranges
In TCP/IP and UDP networks, a port is an endpoint of a logical connection and the way a client program specifies a particular server program on a computer in a network. The port number identifies the service the port is associated with. There are a total of 65,536 (0-65535) possible port numbers. The port numbers are divided into the following ranges:
Well-Known Ports (0-1023)
These ports, also called low-numbered ports, are assigned by the Internet Assigned Numbers Authority (IANA). Port numbers within this range are associated with well-known services. These services include the Echo Protocol, the Discard Protocol, the Active Users Protocol, the Daytime Protocol, the Character Generator (CHARGEN) Protocol and the Quote of the Day (QOTD) Protocol. Most operating systems restrict the association (called binding) of any service with these ports to trusted processes, such as those running as root.
Registered ports (1024-49151)
These ports are not assigned by the IANA, but for the convenience of the community, the IANA lists the registered uses of these ports. These ports are not considered "trusted" because, in most operating systems, ordinary users may establish an association with any of these port numbers.
Dynamic and Private Ports (49152-65535)
These ports are not assigned or registered. There are no commonly known ports in this space.
Verification
To establish whether a host has an Internet accessible service, simple utility programs or tools included with a standard Linux/Ubuntu distribution can be used. The test should not be run on the host itself or from the local network; instead, it should be run from a different node on the Internet.
Nmap - (Network Mapper) - (https://nmap.org)
To confirm an Internet accessible QOTD service, the 'Nmap' open source network scanner utility can be used.
Nmap is used to discover hosts and services on a computer network by sending packets and analysing the responses.
Insert the IP address of the host you wish to check for an Internet accessible QOTD service when invoking the 'Nmap' open source network scanner utility with the options shown in the following example.
$ sudo nmap -sU -Pn -p17 -oG - xxx.xxx.xxx.xxx
An Internet accessible QOTD service listening on port 17/UDP will return information similar to that shown below:
$ sudo nmap -sU -p17 -oG - xxx.xxx.xxx.xxx
# Nmap 7.80 scan initiated Wed Aug 4 15:38:21 2021 as: nmap -sU -p17 -oG - xxx.xxx.xxx.xxx
Host: xxx.xxx.xxx.xxx () Status: Up
Host: xxx.xxx.xxx.xxx () Ports: 17/open/udp//qotd///
# Nmap done at Wed Aug 4 15:38:21 2021 -- 1 IP address (1 host up) scanned in 0.54 seconds
Options
sudo :Elevated privileges are required to access raw sockets.
-sU :UDP Scan.
-Pn :Skip host discovery and treat the host as up (written -PN in older Nmap releases).
-p :Only scan the specified port.
-oG - :Grepable output to standard output.
Telnet - (https://datatracker.ietf.org/doc/html/rfc854)
To establish a connection to an internet accessible QOTD service, and elicit a response, the 'telnet' client can be used.
The 'telnet' (Teletype Network) internet protocol, first developed in 1969 and defined in RFC 855 in May 1983, provides a command line interface for communication with a remote device or server over TCP. UDP connectivity cannot be tested using Telnet.
Note: Telnet is not a secure protocol and is unencrypted. In a Telnet session, data is conveyed in plain text.
Insert the IP address of the host that has an Internet accessible QOTD service, together with the port number 17.
$ telnet [Host] [Port]
An Internet accessible QOTD service listening on port 17/TCP will return information similar to that shown below:
$ telnet xxx.xxx.xxx.xxx 17
Trying xxx.xxx.xxx.xxx...
Connected to xxx.xxx.xxx.xxx.
Escape character is '^]'.
"We have no more right to consume happiness without producing it than to
Connection closed by foreign host.it." George Bernard Shaw (1856-1950)
If telnet is invoked with a host argument, it performs an open command implicitly.
Options
Host :IP Address of host.
Port :Port Number (17).
Solution
If the QOTD Service is not required, disable it.
If the QOTD Service is required, restrict access to trusted clients or specific IP addresses by blocking incoming connections to port 17/TCP and 17/UDP from all other sources on the firewall.
To disable the QOTD service on:
Unix/Linux Systems.
1. Locate the file /etc/inetd.conf (or its equivalent, /etc/xinetd.d).
2. Stop the inetd service: /etc/init.d/inetd stop
3. With an editor, open the inetd file and locate the line(s) that control the QOTD daemon.
4. Insert a hash symbol (#) at the beginning of each such line, to comment out the QOTD daemon.
5. Save and exit the file.
6. Restart the inetd (or equivalent /etc/xinetd.d) service: /etc/init.d/inetd restart
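Steps 3 and 4 above amount to commenting out every active qotd entry in an inetd.conf-style file. The following added example (not part of this advisory) does that programmatically and can also report which transports still have the daemon enabled; the inetd.conf sample is constructed, and the standard inetd field layout (service, socket type, protocol, wait/nowait, user, server) is assumed.

```python
import re
from pathlib import Path
from typing import List, Tuple

# inetd.conf fields: service socket-type protocol wait/nowait user server [args].
# The service field must not start with '#', so already-commented lines never match.
INETD_ENTRY = re.compile(r"^\s*(?P<service>[^#\s]+)\s+(?P<socktype>stream|dgram)\s+(?P<proto>\S+)\s")

# Constructed sample; only the two active qotd entries need commenting out.
SAMPLE_INETD_CONF = """\
# /etc/inetd.conf (constructed sample)
daytime  stream  tcp   nowait  root  internal
qotd     stream  tcp   nowait  root  internal
qotd     dgram   udp   wait    root  internal
#qotd    stream  tcp6  nowait  root  internal
ftp      stream  tcp   nowait  root  /usr/sbin/tcpd  in.ftpd
"""

def active_qotd_protocols(conf_text: str) -> List[str]:
    """Transports on which inetd would still start the QOTD daemon, e.g. ['tcp', 'udp']."""
    found = []
    for line in conf_text.splitlines():
        m = INETD_ENTRY.match(line)
        if m and m.group("service") == "qotd":
            found.append(m.group("proto"))
    return found

def disable_qotd(conf_text: str) -> Tuple[str, int]:
    """Return the config with every active qotd entry commented out, plus the count changed.
    Commented, blank and unrelated lines are left untouched, so re-running is harmless."""
    out, changed = [], 0
    for line in conf_text.splitlines(keepends=True):
        m = INETD_ENTRY.match(line)
        if m and m.group("service") == "qotd":
            line = "#" + line
            changed += 1
        out.append(line)
    return "".join(out), changed

def disable_qotd_in_file(path: str) -> int:
    """Rewrite an inetd.conf in place (step 4); inetd must still be restarted (step 6)."""
    p = Path(path)
    new_text, changed = disable_qotd(p.read_text())
    if changed:
        p.write_text(new_text)
    return changed
```

Run active_qotd_protocols() against the file again after the restart to confirm nothing was missed.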
Microsoft Windows Systems.
The QOTD service is not inherent to Microsoft Windows, however in the event that the service has been installed, the following steps will render it inoperative.
Set the following registry keys to 0:
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpQotd
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpQotd
1. In Microsoft Windows, open the registry editor.
2. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SimpTcp\Parameters.
3. Double-click the EnableTcpQotd key to display the DWORD Editor.
4. Replace the value in the data field with 0.
5. Click OK.
Repeat these steps for:
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpQotd
For the changes made to the registry to take effect, the Simple TCP/IP Service has to be stopped and restarted.
1. Launch cmd.exe and execute the following commands:
2. net stop simptcp
3. net start simptcp
Supplementary Information
Ingress & Egress Filtering
Filter | Description |
---|---|
Ingress Filtering | Ingress filtering is a simple and effective method to limit the impact of DoS attacks, by denying traffic with a forged IP source address (IP spoofing) access to the network, and to help ensure that traffic is traceable to its correct network. |
Egress Filtering | Egress filtering limits the impact of a compromised network in a Denial of Service (DoS) attack on networks of other organisations, by preventing traffic with a forged source (spoofed) IP address from leaving the network. |
The implementation of best practice in relation to Ingress filtering limits the impact of a Denial of Service (DoS) attack on one's own network, while the implementation of best practice in relation to Egress filtering limits the impact of a compromised network in a Denial of Service (DoS) attack on networks of other organisations. Additional information on Ingress & Egress Filtering can be found at the following link:
Ingress & Egress Filtering
UDP Based Denial-of-Service (DoS) Attack
The User Datagram Protocol (UDP), a generic carrier for several higher-level protocols, has a number of properties that make it susceptible to exploitation for DoS attacks against third parties. Additional information on the components and techniques deployed in a UDP based DoS attack can be found at the following link:
UDP Based Denial-of-Service (DoS) Attack
Additional Information
IETF RFC 865 - Quote of the Day Protocol
IETF RFC 862 - Echo Protocol
IETF RFC 863 - Discard Protocol
IETF RFC 864 - Character Generator Protocol
IETF RFC 866 - Active Users
IETF RFC 867 - Daytime Protocol
Shadowserver - Open Quote of the Day Service Scanning Project
IETF RFC 1340 - Assigned Numbers
Good Intentions on the Old-Timey Internet