Guide to Chargen Amplification Issues

What is Character Generator Protocol?

The Character Generator Protocol (CHARGEN) is a service of the Internet Protocol Suite defined in RFC 864. It is intended for testing, debugging, and measurement purposes.

A host may connect to a server that supports the Character Generator Protocol on either Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port number 19. Upon opening a TCP connection, the server starts sending arbitrary characters to the connecting host and continues until the host closes the connection. In the UDP implementation of the protocol, the server sends a UDP datagram containing a random number (between 0 and 512) of characters every time it receives a datagram from the connecting host. Any data received by the server is discarded.

More details about this protocol are available at: http://en.wikipedia.org/wiki/Character_Generator_Protocol

Amplification Attack Description:

The UDP-based CHARGEN protocol can be abused to amplify denial-of-service attack traffic. Servers running the CHARGEN service are susceptible to being used in a distributed reflected denial-of-service (DRDoS) attack.

The attacker generates a large number of UDP packets with a spoofed source IP address to make it appear the packets are coming from the intended target. These UDP packets are sent to CHARGEN servers (port 19). Each server sends its response to the spoofed address, and because the response can be larger than the request, the target receives more traffic than the attacker sent.

How to verify if your server/device is vulnerable:

Scan UDP port 19 with nmap. These are some output examples:

1) The Chargen UDP port is open

$ sudo nmap -sU -p19 xx.xx.37.38 -oG -
# Nmap 6.40 scan initiated Wed Apr 2 18:24:52 2014 as: nmap -sU -p19 -oG - xx.xx.37.38
Host: xx.xx.37.38 () Status: Up
Host: xx.xx.37.38 () Ports: 19/open/udp//chargen///
# Nmap done at Wed Apr 2 18:24:52 2014 -- 1 IP address (1 host up) scanned in 0.18 seconds

2) The Chargen UDP port is NOT open

$ sudo nmap -sU -p19 xx.xx.37.35 -oG -
# Nmap 6.40 scan initiated Wed Apr 2 18:25:30 2014 as: nmap -sU -p19 -oG - xx.xx.37.35
# Nmap done at Wed Apr 2 18:25:33 2014 -- 1 IP address (0 hosts up) scanned in 3.11 seconds

Resolution:

This service should be disabled entirely, or at least blocked using a packet filter/firewall. It has no valid use on a modern server and should not be used.

Linux/Unix server:

Under Linux/Unix systems, comment out the ‘chargen’ line in the /etc/inetd.conf file, or change “disable” to “yes” in the applicable file within /etc/xinetd.d/, and then restart the inetd or xinetd process.
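
One way to check the result of this step, as an added example that is not part of the original guide: a shell script that reports CHARGEN entries still enabled in inetd.conf or in the files under xinetd.d. The function names and the optional path arguments are assumptions of the example, and the sample configuration at the end is constructed.

```shell
#!/bin/sh
# Added example (hypothetical helper names): find CHARGEN entries still enabled.

# inetd.conf: an active entry is an uncommented line whose first field is "chargen".
inetd_chargen() {
    [ -r "$1" ] || return 0
    awk '$1 == "chargen" { print FILENAME ": chargen/" $3 " enabled" }' "$1"
}

# xinetd.d: a "service chargen" block is treated as enabled unless it
# contains "disable = yes" (a block with no "disable" line is enabled).
xinetd_chargen() {
    for f in "$1"/*; do
        if [ -f "$f" ]; then
            awk '
                { sub(/#.*/, ""); gsub(/=/, " = ") }   # drop comments, split "a=b"
                $1 == "service" { name = $2; next }
                $1 == "{" && name == "chargen" { inblk = 1; off = 0; proto = "?"; next }
                inblk && $1 == "disable"  { off = (tolower($3) == "yes") }
                inblk && $1 == "protocol" { proto = $3 }
                $1 == "}" { if (inblk && !off) print FILENAME ": chargen/" proto " enabled"
                            inblk = 0; name = "" }
            ' "$f"
        fi
    done
}

# Print findings; return 1 if any CHARGEN entry is enabled, 0 otherwise.
chargen_audit() {
    found=$( { inetd_chargen "${1:-/etc/inetd.conf}"; xinetd_chargen "${2:-/etc/xinetd.d}"; } )
    if [ -z "$found" ]; then return 0; fi
    printf '%s\n' "$found"
    return 1
}

# Constructed sample configuration (not taken from a real host).
demo=$(mktemp -d)
mkdir "$demo/xinetd.d"
printf '%s\n' '#chargen stream tcp nowait root internal' \
              'chargen dgram udp wait root internal' > "$demo/inetd.conf"
printf '%s\n' 'service chargen' '{' '  disable = yes' '  protocol = tcp' '}' \
              > "$demo/xinetd.d/chargen-stream"
printf '%s\n' 'service chargen' '{' '  protocol = udp' '}' > "$demo/xinetd.d/chargen-dgram"
chargen_audit "$demo/inetd.conf" "$demo/xinetd.d" || echo "CHARGEN is still enabled"
rm -rf "$demo"
```

Run without arguments, chargen_audit reads /etc/inetd.conf and /etc/xinetd.d; the exit status makes it usable in a configuration-compliance check.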

Windows:

Under Windows systems, set the following registry keys to 0:

HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpChargen
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpChargen

Then launch cmd.exe and type:

net stop simptcp
net start simptcp
