Wednesday, July 3, 2013

Source port: Chargen Destination port: Chargen

Recently I learned about the Character Generator Protocol (Chargen) (UDP :19) during my DNS Amplification quest.

Curious as I am, I decided to set one up and see what it looked like. As I had no idea what client to use, or whether one was available at all, I decided to fire a DNS query at it, as I had read:

   "In the UDP implementation of the protocol, the server sends a UDP datagram containing a random number (between 0 and 512) of characters every time it receives a datagram from the connecting host." --Wikipedia / Character_Generator_Protocol 

As can be seen, Dig did not enjoy that:

    dig any @ -p 19
    ;; Warning: ID mismatch: expected ID 50917, got 11309
    ;; Warning: query response not set
    ;; Warning: ID mismatch: expected ID 50917, got 14907
    ;; Warning: query response not set
    ;; Warning: ID mismatch: expected ID 50917, got 18505
    ;; Warning: query response not set

    ; <<>> DiG 9.9.2-P2 <<>> any @ -p 19
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached

At least I had confirmation that the Chargen service was working.


"UDP CHARGEN is commonly used in denial of service attacks. By using a fake source address the attacker can send bounce traffic off a UDP CHARGEN application to the victim. UDP CHARGEN sends 200 to 1,000 times times more data than it receives, depending upon the implementation. This "traffic multiplication" is attractive to an attacker. Also attractive is the obscuring of the attacker's IP address from the victim." -- Wikipedia / Character_Generator_Protocol

So what is the Amplification we can get out of this?

Using some Tshark and Scapy I got the following result with "" as UDP Data.

    ip.src  ip.dst  frame.len  udp.length
                    60         8
                    1066       1032

The total (frame-level) amplification is 1066 / 60 = ~17.75x.
The UDP amplification is a lot bigger at 1032 / 8 = 129x.

Spoofing experiment

As Chargen uses UDP, the source address can be spoofed. No, I do not want to DoS someone out on the interwebs; this theory will be tested safely inside my network.

The theory to test:

Can I get a chargen service to respond to another chargen service and make them loop?

**I performed this test without searching online if it was done before as that takes the fun out of things ;)**

In order to make this work I set up a second Chargen service and used the following Scapy command:

    send(IP(dst="", src="")/UDP(sport=19, dport=19)/"LOOOOOOOOOOOP")

The result? About 100 packets bounced between the two hosts:

    frame.num  eth.src            eth.dst            ip.src  ip.dst  frame.length
    1          00:FF:FF:2a:5c:81  00:0c:29:8a:68:2d                  60
    2          00:0c:29:8a:68:2d  00:0c:29:7a:05:a1                  1066
    3          00:0c:29:7a:05:8d  00:0c:29:8a:68:2d                  1066
    4          00:0c:29:8a:68:2d  00:0c:29:7a:05:a1                  1066
    5          00:0c:29:7a:05:8d  00:0c:29:8a:68:2d                  1066
    6          00:0c:29:8a:68:2d  00:0c:29:7a:05:a1                  1066
    7          00:0c:29:7a:05:8d  00:0c:29:8a:68:2d                  1066
    8          00:0c:29:8a:68:2d  00:0c:29:7a:05:a1                  1066

101 was the last frame number. 

What can be seen above is that all packets bounce between the two IP addresses that end with .19 and .37, but the first packet has a different MAC address.

The total size sent and received by the host is about 106600 bytes or ~105 kilobytes.

When sending the Scapy command multiple times to the hosts, it will eventually stop working for a short amount of time:

    xinetd[12415]: Deactivating service chargen due to excessive incoming connections.  Restarting in 10 seconds.

    xinetd[12415]: Activating service chargen

I am guessing that this will also work on Chargen services out on the internet. Not really a permanent DoS, but a huge waste of bandwidth.

But that is sort of what the protocol is meant to be:

"The CHARGEN service may be used as a source of a byte-stream for debugging TCP network code for proper bounds checking and buffer management. It may also be a source of generic payload for bandwidth measurement and/or QoS fine-tuning. Although consideration must be given if hardware compression is active, as the output from the CHARGEN service is easily and efficiently compressed. This compression can cause bandwidth tests to report the size of the data after decompression, instead of the actual amount of data which passed the wire." --Wikipedia / Character_Generator_Protocol 


I am curious to learn how many CHARGEN services are still out there on the Internet. I have seen some scanning on UDP 19, but not that much. From what I hear, some Microsoft Windows Servers will enable the Chargen service when certain modules are installed. Also, some printers (used to?) run this service and are somehow accessible from the Internet.

If anyone can point me at some stats gathered by someone on the number of open UDP 19 ports, that would be cool. If not, I will just have to scan the IPv4 world myself and deliver those stats.
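
For spotting both behaviours measured above in a capture, here is an added detection example (not part of the original post): it flags host pairs exchanging UDP traffic with source and destination port 19 in both directions, and computes the UDP-level amplification of a chargen responder. The column layout, the sample rows and the documentation-range addresses are constructed assumptions.

```python
import csv
from collections import defaultdict

CHARGEN = 19

# Constructed sample in the style of tab-separated `tshark -T fields` output:
# frame.number, ip.src, ip.dst, udp.srcport, udp.dstport, udp.length.
# Addresses are documentation-range placeholders, not the hosts from the post.
SAMPLE = """\
1\t192.0.2.37\t192.0.2.19\t19\t19\t21
2\t192.0.2.19\t192.0.2.37\t19\t19\t1032
3\t192.0.2.37\t192.0.2.19\t19\t19\t1032
4\t192.0.2.19\t192.0.2.37\t19\t19\t1032
5\t198.51.100.7\t192.0.2.19\t40000\t19\t8
6\t192.0.2.19\t198.51.100.7\t19\t40000\t1032
"""

def analyze(text):
    """Return (loop_pairs, amplification) for UDP chargen traffic."""
    loop_dirs = defaultdict(set)  # host pair -> directions seen with 19 -> 19
    req = defaultdict(int)        # (client, server) -> UDP bytes sent to port 19
    resp = defaultdict(int)       # (client, server) -> UDP bytes sent from port 19
    rows = csv.reader(text.splitlines(), delimiter="\t")
    for _num, src, dst, sport, dport, length in rows:
        sport, dport, length = int(sport), int(dport), int(length)
        if sport == CHARGEN and dport == CHARGEN:
            # Both ports are 19: one chargen service is answering another.
            loop_dirs[frozenset((src, dst))].add((src, dst))
        elif dport == CHARGEN:
            req[(src, dst)] += length
        elif sport == CHARGEN:
            resp[(dst, src)] += length
    # A loop needs 19 -> 19 traffic in both directions between the same pair.
    loops = {tuple(sorted(p)) for p, d in loop_dirs.items() if len(d) == 2}
    amplification = {k: round(resp[k] / req[k], 2) for k in req if resp.get(k)}
    return loops, amplification

if __name__ == "__main__":
    loops, amp = analyze(SAMPLE)
    for a, b in sorted(loops):
        print(f"chargen loop between {a} and {b}")
    for (client, server), factor in sorted(amp.items()):
        print(f"{server} answers {client} with {factor}x the UDP bytes")
```

A hit on the loop check is a reason to disable or filter UDP 19 on both hosts, since the traffic sustains itself without any further input.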

1 comment:

  1. Is it possible to steal packets when they are sent?

    Silvester Norman

    Change Mac Address