Mostly Harmless Protocols

A handful of protocols are widely implemented for no apparent reason except that: These include chargen, echo, and discard. chargen (character generator) is a server that babbles. When you connect to it, it produces characters in an endless stream until you go away again (if you send it UDP, it sends you back a single UDP packet with random characters in it). echo simply echoes back any data you send it; discard even more simply discards all data you send it. It's easy to see that these might in fact be useful for administrative and testing purposes, but in practice they don't come up much. They sat around for years being apparently harmless if pointless curiosities, enabled by default on almost all Unix machines and used on rare occasions for network testing. Then various people found interesting ways to pervert them (forge a packet from one machine's echo server to another, creating a vicious circle, for instance), and they became noteworthy. It has never been advisable to allow them (if you don't need services, don't turn them on -- and you don't need any of these), but now it's actually important to turn them off.

Interestingly, not long after echo became dangerous, it started to be used for relatively benign purposes as well. Web sites (most notably, the advertisement servers at doubleclick.net) periodically attempt to use echo to determine round-trip times and choose the closest server to a given client. TCP-based echo is used instead of the ICMP echo used by ping in order to get responses more like those that TCP-based HTTP will get. Although these attempts are benign, there is no reason to allow them; they are not required in order for services to work. You do need to be aware that you will probably see logs of discarded echo traffic, which do not indicate hostile acts.

Given that chargen, echo, and discard are ancient and rarely used, you might expect that Microsoft's relatively modern implementation of TCP/IP services would omit them, but in fact these services are all bundled as part of the "Simple TCP/IP Services" service on Windows. This also includes the equally unused daytime and quotd services. daytime produces a human-readable date and timestamp; quotd (quote of the day) produces a quote (in Windows's case, from an extremely small quotes file). They are both genuine and widely implemented services but are even less used than the others.

Many of these services are provided by the operating system on Cisco routers as well and should be disabled as part of router configuration.

Packet Filtering Characteristics of Mostly Harmless Protocols

All of these services work on both TCP and UDP. chargen is at port 19, echo is at port 7, discard is at port 9, daytime is at port 13, and quotd is at port 17.

| Direction | Source Addr. | Dest. Addr. | Protocol | Source Port | Dest. Port | ACK Set | Notes |
|---|---|---|---|---|---|---|---|
| In | Ext | Int | UDP | >1023 | 19, 7, 9, 13, or 17 | [163] | Request, external client to internal server |
| Out | Int | Ext | UDP | 19, 7, 9, 13, or 17 | >1023 | [163] | Response, internal server to external client |
| Out | Int | Ext | UDP | >1023 | 19, 7, 9, 13, or 17 | [163] | Request, internal client to external server |
| In | Ext | Int | UDP | 19, 7, 9, 13, or 17 | >1023 | [163] | Response, external server to internal client |
| In | Ext | Int | TCP | >1023 | 19, 7, 9, 13, or 17 | [164] | Request, external client to internal server |
| Out | Int | Ext | TCP | 19, 7, 9, 13, or 17 | >1023 | Yes | Response, internal server to external client |
| Out | Int | Ext | TCP | >1023 | 19, 7, 9, 13, or 17 | [164] | Request, internal client to external server |
| In | Ext | Int | TCP | 19, 7, 9, 13, or 17 | >1023 | Yes | Response, external server to internal client |

[163] UDP has no ACK equivalent.
[164] ACK will not be set on the first packet (establishing connection) but will be set on the rest.
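The following is an added example, not code from the book: a small Python model of the filtering table above that classifies a packet onto one of its rows, applies the text's policy (none of these services is needed across the firewall, so every matching row is denied), and flags the forged echo-to-echo style loop traffic mentioned earlier. The internal network prefix, the `Packet` class and the sample packets are constructed for the example.

```python
"""Packet-filter model for the 'mostly harmless' small services
(chargen 19, echo 7, discard 9, daytime 13, quotd 17).
Added example; the address ranges and packets are constructed."""
from dataclasses import dataclass
from typing import Optional

# Service ports from the table; the same numbers apply to TCP and UDP.
SMALL_SERVICE_PORTS = {7: "echo", 9: "discard", 13: "daytime",
                       17: "quotd", 19: "chargen"}

# Assumption for the example: "Int" in the table means 10.0.0.0/24.
INTERNAL_PREFIX = "10.0.0."


@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "TCP" or "UDP"
    sport: int
    dport: int
    ack: bool = False   # TCP ACK flag; UDP has no equivalent (footnote 163)


def is_internal(addr: str) -> bool:
    return addr.startswith(INTERNAL_PREFIX)


def classify(pkt: Packet) -> Optional[str]:
    """Map a packet onto one row of the filtering table.

    Returns a label such as "In: UDP request, external client to internal
    server", or None when no row matches (same-side traffic, other ports,
    or a TCP 'response' from a service port with ACK clear, which is really
    a new connection attempt rather than a reply; see footnote 164)."""
    proto = pkt.proto.upper()
    if proto not in ("TCP", "UDP"):
        return None
    src_int, dst_int = is_internal(pkt.src), is_internal(pkt.dst)
    if src_int == dst_int:
        return None                      # does not cross the firewall
    direction = "Out" if src_int else "In"

    # Request rows: ephemeral client port (>1023) to a service port.
    if pkt.sport > 1023 and pkt.dport in SMALL_SERVICE_PORTS:
        who = ("internal client to external server" if src_int
               else "external client to internal server")
        return f"{direction}: {proto} request, {who}"

    # Response rows: service port back to an ephemeral port.
    if pkt.sport in SMALL_SERVICE_PORTS and pkt.dport > 1023:
        if proto == "TCP" and not pkt.ack:
            return None                  # genuine responses always carry ACK
        who = ("internal server to external client" if src_int
               else "external server to internal client")
        return f"{direction}: {proto} response, {who}"
    return None


def is_loop_pattern(pkt: Packet) -> bool:
    """Both ports are small services: the shape of the forged packet that
    sets two babbling servers talking to each other indefinitely."""
    return pkt.sport in SMALL_SERVICE_PORTS and pkt.dport in SMALL_SERVICE_PORTS


def decide(pkt: Packet) -> str:
    """Policy from the text: deny every row of the table. Loop-shaped
    traffic is denied and logged separately; anything else is left to the
    rest of the rule set ("unrelated")."""
    if is_loop_pattern(pkt):
        return "deny+log"
    return "deny" if classify(pkt) else "unrelated"


if __name__ == "__main__":
    # Constructed sample packets; 192.0.2.10 stands in for an external host.
    samples = [
        Packet("192.0.2.10", "10.0.0.5", "UDP", 40000, 7),
        Packet("10.0.0.5", "192.0.2.10", "TCP", 7, 40000, ack=True),
        Packet("10.0.0.5", "192.0.2.10", "TCP", 7, 40000, ack=False),
        Packet("192.0.2.10", "10.0.0.5", "UDP", 7, 19),
        Packet("192.0.2.10", "10.0.0.5", "TCP", 40000, 80),
    ]
    for p in samples:
        print(f"{p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} "
              f"ack={p.ack}: {classify(p)} => {decide(p)}")
```

The TCP echo probes from advertising servers described earlier would land on the "In: TCP request, external client to internal server" row and be denied like everything else; the resulting log entries are expected and not a sign of hostility. On Cisco IOS the equivalent host-side fix mentioned in the text is to turn the services off with `no service tcp-small-servers` and `no service udp-small-servers`.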

Proxying Characteristics of Mostly Harmless Protocols

While it would be theoretically quite easy to proxy most of these protocols (the proxy for discard is particularly simple to write), the sheer pointlessness of doing so means that proxies for them are not widely available. In particular, on the rare occasions when chargen, echo, and discard are used, they're used to gather data about network performance, which will be obscured if a proxy is in the transaction.

Network Address Translation Characteristics of Mostly Harmless Protocols

None of these protocols include embedded IP addresses; they will all work with straightforward network address translation.

Summary Recommendations for Mostly Harmless Protocols