 |  |
22.7. Mostly Harmless Protocols
A handful of protocols are widely implemented for no apparent reason except that:
- They're easy to implement.
- They're standards.
They might come in handy every so often for testing something.
Interestingly, not long after echo became dangerous, it started to be used for relatively benign purposes as well. Web sites (most notably, the advertisement servers at doubleclick.net) periodically attempt to use echo to determine round-trip times and choose the closest server to a given client. TCP-based echo is used instead of the ICMP echo used by ping in order to get responses more like those that TCP-based HTTP will get. Although these attempts are benign, there is no reason to allow them; they are not required in order for services to work. You do need to be aware that you will probably see logs of discarded echo traffic, which do not indicate hostile acts.
Given that chargen, echo, and discard are ancient and rarely used, you might expect that Microsoft's relatively modern implementation of TCP/IP services would omit them, but in fact these services are all bundled as part of the "Simple TCP/IP Services" service on Windows NT. This also includes the equally unused daytime and quotd services. daytime produces a human-readable date and timestamp; quotd (quote of the day) produces a quote (in Windows NT's case, from an extremely small quotes file). They are both genuine and widely implemented services but are even less used than the others.
22.7.1. Packet Filtering Characteristics of Mostly Harmless Protocols
All of these services work on both TCP and UDP. chargen is at port 19, echo is at port 7, discard is at port 9, daytime is at port 13, and quotd is at port 17.| Direction | SourceAddr. | Dest.Addr. | Protocol | SourcePort | Dest.Port | ACKSet | Notes |
|---|---|---|---|---|---|---|---|
| In | Ext | Int | UDP | >1023 | 19, 7, 9, 13 or 17 |
[163]
|
Request, external client to internal server |
| Out | Int | Ext | UDP | 19, 7, 9, 13, or 17 | >1023 | [163] | Response, internal server to external client |
| Out | Int | Ext | UDP | >1023 | 19, 7, 9, 13 or 17 | [163] | Request, internal client to external server |
| In | Int | Ext | UDP | 19, 7, 9, 13, or 17 | >1023 | [163] | Response, external server to internal client |
| In | Ext | Int | TCP | >1023 | 19, 7, 9, 13, or 17 |
[164]
|
Request, external client to internal server |
| Out | Int | Ext | TCP | 19, 7, 9, 13, or 17 | >1023 | Yes | Response, internal server to external client |
| Out | Int | Ext | TCP | >1023 | 19, 7, 9, 13, or 17 | [164] | Request, internal client to external server |
| In | Int | Ext | TCP | 19, 7, 9, 13, or 17 | >1023 | Yes | Response, external server to internal client |
[163]UDP has no ACK equivalent.
[164]ACK will not be set on the first packet (establishing connection) but will be set on the rest.
22.7.2. Proxying Characteristics of Mostly Harmless Protocols
While it would be theoretically quite easy to proxy most of these protocols (the proxy for discard is particularly simple to write), the sheer pointlessness of doing so means that proxies for them are not widely available. In particular, on the rare occasions when chargen, echo, and discard are used, they're used to gather data about network performance, which will be obscured if a proxy is in the transaction.
22.7.3. Network Address Translation Characteristics of Mostly Harmless Protocols
None of these protocols include embedded IP addresses; they will all work with straightforward network address translation.
