COMMAND

    chargen port

SYSTEMS AFFECTED

    Win '95, NT

PROBLEM

    Carolyn P. Meinel posted the following.  One of the oldest and
    lamest of denial of service attacks is to make several connections
    to port 19, chargen.  According to some sources, when Up Yours 4.0 is
    released  this  Easter  (1997),  it  will incorporate an automated
    attack that  exploits chargen.  Since this  software is supposedly
    to be a user-friendly  Windows 95 program that  automatically will
    load the  necessary drivers,  we could  be seeing  little children
    launching these attacks.

    There appears to be no good reason to leave this port open  unless
    you are actively  looking for the  cause of dropped  packets. So a
    good  security  practice  would  be  to  disable it, regardless of
    whether Up Yours 4.0 ends up sporting this feature.

SOLUTION

    Russ Cooper gave a few solutions:

        1. The most obvious answer  to the question of how  to prevent
           Chargen attacks is not to permit it through your router.
        2. By not installing the Simple TCP Services you do not install
           the Chargen, Echo, Quote of the Day, etc. servers.
        3. You can also  disable it in NT  4.0 through the use  of the
           Advanced port filtering.
        4. Finally, you can disable  any of the individual Simple  TCP
           Servers by changing a value under:

        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SimpTCP\Parameters

        EnableTCPChargen = 0 (defaults to 0x01 = enabled)
        EnableUDPChargen = 0 (defaults to 0x01 = enabled)

    You will see a list of all  the servers in this key and can  alter
    their listening states accordingly.

    Derek Simmel added that you can use the TCPIP Security facility
    buried in the Network control panel under
    Protocols->TCPIP->Properties->IP Address->Advanced->Enable
    Security->Configure to specify only those UDP/TCP ports that you
    will accept connection attempts to.
    Outgoing  connections  are  apparently   not  affected  by   these
    settings.

    You may retrieve the following fix from:

        ftp://ftp.microsoft.com

    at the following path:

        /bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/simptcp-fix

    FYI, the simptcp-fix hot fix, originally designed to handle an
    issue with chargen, has been updated recently (11/01/97).  The Q
    article for the hot fix has not been updated, and the updated
    README gives no indication as to why it was updated.  A source at
    Microsoft suggests there were some conditions under which the
    original problem could still occur after the original hot fix;
    these have now been fixed.  simptcp-fix includes the fixes
    supplied by icmp-fix.

    Additionally, the chargen service and other Simple TCP/IP services
    have been modified to drop any datagrams that have the source port
    equal to the destination port to prevent "looping" attacks.  Don't
    forget the case where the source port is the 'echo' port and the
    destination port is the 'chargen' port, and the multiple
    combinations possible with the UDP ports (time, chargen, or echo
    to any other).
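
    The difference between the equal-port check described above and a
    filter that also covers the mixed-port combinations, as an added
    example (not Microsoft's hotfix code).  Assumptions: the port
    numbers are the standard well-known assignments, and the function
    names and sample datagrams are constructed for illustration.

```python
# Added example: a model of the filtering rules, not the hotfix itself.
from typing import NamedTuple

# UDP services that answer any datagram they receive, so two of them
# pointed at each other keep replying to each other (assumed port list).
RESPONDERS = {7: "echo", 13: "daytime", 17: "qotd", 19: "chargen", 37: "time"}


class Datagram(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def equal_port_rule_drops(d: Datagram) -> bool:
    """Rule described in the advisory: source port equals destination port."""
    return d.dst_port in RESPONDERS and d.src_port == d.dst_port


def loop_filter_drops(d: Datagram) -> bool:
    """Broader rule: a responder port is addressed from any responder port."""
    return d.dst_port in RESPONDERS and d.src_port in RESPONDERS


def audit(datagrams):
    """Return (datagram, verdict) pairs; 'missed' marks the gap between rules."""
    results = []
    for d in datagrams:
        if equal_port_rule_drops(d):
            verdict = "dropped-by-both"
        elif loop_filter_drops(d):
            verdict = "missed-by-equal-port-rule"
        else:
            verdict = "pass"
        results.append((d, verdict))
    return results


# Constructed sample traffic (documentation address ranges).
SAMPLE = [
    Datagram("192.0.2.10", 19, "198.51.100.5", 19),     # chargen -> chargen
    Datagram("192.0.2.10", 7, "198.51.100.5", 19),      # echo -> chargen
    Datagram("192.0.2.10", 37, "198.51.100.5", 7),      # time -> echo
    Datagram("192.0.2.10", 40000, "198.51.100.5", 19),  # ordinary client
]

if __name__ == "__main__":
    for d, verdict in audit(SAMPLE):
        print(f"{d.src_port:>5} -> {d.dst_port:<5} {verdict}")
```

    The same source-port test can be applied at a border router or in
    a flow-log query when the services cannot be disabled outright.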