Threat Level: green Handler on Duty: Jan Kopriva

SANS ISC: Cyber Security Awareness Month - Day 24 - The Small Services SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Cyber Security Awareness Month - Day 24 - The Small Services

The ports below 20 and also 37 are frequently called the "small services" and can be safely blocked.  For a quick review, here is what is going on down at the bottom of the port list:

tcpmux         1/tcp    #TCP Port Service Multiplexer [rfc-1078]
tcpmux         1/udp    #TCP Port Service Multiplexer
compressnet    2/tcp    #Management Utility
compressnet    2/udp    #Management Utility
compressnet    3/tcp    #Compression Process
compressnet    3/udp    #Compression Process
rje            5/tcp    #Remote Job Entry
rje            5/udp    #Remote Job Entry
echo           7/tcp    #
echo           7/udp    #
discard        9/tcp    #Discard
discard        9/udp    #Discard
systat        11/tcp    #Active Users
systat        11/udp    #Active Users
daytime       13/tcp    #
daytime       13/udp    #
netstat       15/tcp    #
qotd          17/tcp    #Quote of the Day
qotd          17/udp    #Quote of the Day
msp           18/tcp    #Message Send Protocol
msp           18/udp    #Message Send Protocol
chargen       19/tcp    #Character Generator
chargen       19/udp    #Character Generator

ftp-data      20/tcp    #File Transfer [Default Data]
ftp-data      20/udp    #File Transfer [Default Data]
time          37/tcp    #Time
time          37/udp    #Time

An interesting attack was developed many years ago using the echo and chargen ports.  echo will send back whatever characters are sent to it, while chargen will generate random characters.  By spoofing source and destination addresses/ports, it was easy to inject fake packets into a network that would generate characters from Alice's chargen port and send them to Bob's echo port, which would then echo them back to Alice's chargen which would generate more characters to send to Bob, and....I think you get the picture.  Instant denial of service attack.

Cisco's routers can enable/disable the "small servers" on those devices (echo, discard, and chargen) by using these commands:

Router(config)# service udp-small-servers
Router(config)# no service udp-small-servers

Router(config)# service tcp-small-servers
Router(config)# no service tcp-small-servers 

In Unix systems, edit the inetd.conf (or equivalent) file to comment out these services if you don't use them.  Odds are pretty good that you don't. 

If you have any additional thoughts or comments on the Small Services please let us know via our contact form, or simply add your public comments via the comment link below.

Marcus H. Sachs
Director, SANS Internet Storm Center

Marcus

301 Posts
ISC Handler
I think it is important to mention that most Cisco devices have these services off by default. The newer Cisco devices also have an AutoSecure script that will automatically let you know what services that are known to be insecure are enabled and help the end users disable them.
Anonymous

Sign Up for Free or Log In to start participating in the conversation!