Character Generator Protocol: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 08:01, 21 October 2013 edit 123.202.98.244 (talk) →Inetd implementation ← Previous edit		Latest revision as of 20:27, 13 August 2025 edit undo Kvng (talk \| contribs) Extended confirmed users, New page reviewers 116,060 edits m format RFCs
(39 intermediate revisions by 35 users not shown)
Line 1: {{Short description\|Internet Protocol Suite service}} {{distinguish\|character generator}} {{one source\|date=October 2015}} {{Infobox networking protocol \| title = Character Generator Protocol \| logo = \| logo alt = \| image = \| image alt = \| caption = \| is stack = No \| abbreviation = CHARGEN \| purpose = {{Unbulleted list\|Testing\|Debugging\|Measurement}} \| developer = [[Jon Postel]] \| date = {{Start date and age\|1983}} \| based on = \| influenced = \| osilayer = [[Application layer]] (7) \| ports = tcp/19, udp/19 \| rfcs = {{IETF RFC\|864\|plainlink=yes}} \| hardware = }} {{IPstack}} The '''Character Generator Protocol''' ('''CHARGEN''') is a service of the [[Internet Protocol Suite]] defined in ~~RFC~~{{IETF RFC\|864}} in 1983 by [[Jon Postel]]. It is intended for testing, debugging, and measurement purposes. The protocol is rarely used, as its design flaws allow for ready misuse.<ref>{{Cite web\|url=https://nvd.nist.gov/vuln/detail/CVE-1999-0103\|title=NVD - CVE-1999-0103\|website=nvd.nist.gov\|access-date=2018-02-05}}</ref> A host may connect to a server that supports the Character Generator Protocol on either [[Transmission Control Protocol]] (TCP) or [[User Datagram Protocol]] (UDP) [[port number]] 19. Upon opening a TCP connection, the server starts sending arbitrary characters to the connecting host and continues until the host closes the connection. In the UDP implementation of the protocol, the server sends a UDP datagram containing a random number (between 0 and 512) of characters every time it receives a datagram from the connecting host. Any data received by the server is discarded. ==Inetd implementation== On most [[~~UNIX~~Unix-like]] operating systems, a CHARGEN server is built into the [[inetd]] (or [[xinetd)]] [[daemon (computer software)\|daemon]]. The CHARGEN service is usually not enabled by default. It may be enabled by adding the following lines to the file ~~<tt>~~{{mono\|/etc/inetd.conf~~</tt>~~}} and telling inetd to reload its configuration: chargen stream tcp nowait root internal chargen dgram udp wait root internal ==Applications== The CHARGEN service may be used as a source of a byte-stream for debugging TCP network code for proper bounds checking and buffer management. It may also be a source of generic payload for bandwidth measurement and/or QoS fine-tuning.{{Citation needed\|date=August 2010}} ~~Although consideration~~Consideration must be given if hardware compression is active, as the output from the CHARGEN service is easily and efficiently compressed. This compression can cause bandwidth tests to report the size of the data ''after'' decompression, instead of the actual amount of data which passed the wire. ==Sample session== A typical CHARGEN service session looks like this: The user connects to the host using a [[telnet]] client. The user receives a stream of [[byte]]s. Although the specific format of the output is not prescribed by ~~RFC~~{{IETF RFC\|864}}, the recommended pattern (and a [[de facto standard]]) is shifted lines of 72 [[ASCII]] characters repeating. <pre><nowiki> $ telnet localhost chargen Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. !"#$%&'()+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefg !"#$%&'()+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefgh "#$%&'()+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghi Line 37 ⟶ 59: ./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstu /0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuv 0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvw 123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwx 23456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxy 3456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz 456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{ 56789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\| 6789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|} 789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|} 89:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|} ! 9:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|} !" :;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|} !"# ;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|} !"#$ <=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|} !"#$% =>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|} !"#$%& >?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|} !"#$%&' ?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|} !"#$%&'( @ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|} !"#$%&'() ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|} !"#$%&'() BCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|} !"#$%&'()+ CDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|} !"#$%&'()+, DEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|} !"#$%&'()+,- EFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|} !"#$%&'()+,-. FGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|} !"#$%&'()+,-./ GHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|} !"#$%&'()+,-./0 HIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|} !"#$%&'()+,-./01 IJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|} !"#$%&'()+,-./012 JKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|} !"#$%&'()+,-./0123 KLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|} !"#$%&'()+,-./01234 LMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|} !"#$%&'()+,-./012345 MNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|} !"#$%&'()+,-./0123456 NOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|} !"#$%&'()+,-./01234567 OPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|} !"#$%&'()+,-./012345678 PQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|} !"#$%&'()+,-./0123456789 QRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|} !"#$%&'()+,-./0123456789: RSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|} !"#$%&'()+,-./0123456789:; STUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|} !"#$%&'()+,-./0123456789:;< TUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|} !"#$%&'()+,-./0123456789:;<= UVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|} !"#$%&'()+,-./0123456789:;<=> VWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|} !"#$%&'()+,-./0123456789:;<=>? WXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|} !"#$%&'()+,-./0123456789:;<=>?@ XYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|} !"#$%&'()+,-./0123456789:;<=>?@A YZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|} !"#$%&'()+,-./0123456789:;<=>?@AB Z[\]^_`abcdefghijklmnopqrstuvwxyz{\|} !"#$%&'()+,-./0123456789:;<=>?@ABC [\]^_`abcdefghijklmnopqrstuvwxyz{\|} !"#$%&'()+,-./0123456789:;<=>?@ABCD \]^_`abcdefghijklmnopqrstuvwxyz{\|} !"#$%&'()+,-./0123456789:;<=>?@ABCDE ]^_`abcdefghijklmnopqrstuvwxyz{\|} !"#$%&'()+,-./0123456789:;<=>?@ABCDEF ^_`abcdefghijklmnopqrstuvwxyz{\|} !"#$%&'()+,-./0123456789:;<=>?@ABCDEFG _`abcdefghijklmnopqrstuvwxyz{\|} !"#$%&'()+,-./0123456789:;<=>?@ABCDEFGH `abcdefghijklmnopqrstuvwxyz{\|} !"#$%&'()+,-./0123456789:;<=>?@ABCDEFGHI abcdefghijklmnopqrstuvwxyz{\|} !"#$%&'()+,-./0123456789:;<=>?@ABCDEFGHIJ bcdefghijklmnopqrstuvwxyz{\|} !"#$%&'()+,-./0123456789:;<=>?@ABCDEFGHIJK cdefghijklmnopqrstuvwxyz{\|} !"#$%&'()+,-./0123456789:;<=>?@ABCDEFGHIJKL defghijklmnopqrstuvwxyz{\|} !"#$%&'()+,-./0123456789:;<=>?@ABCDEFGHIJKLM efghijklmnopqrstuvwxyz{\|} !"#$%&'()+,-./0123456789:;<=>?@ABCDEFGHIJKLMN fghijklmnopqrstuvwxyz{\|} !"#$%&'()+,-./0123456789:;<=>?@ABCDEFGHIJKLMNO ghijklmnopqrstuvwxyz{\|} !"#$%&'()+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOP hijklmnopqrstuvwxyz{\|} !"#$%&'()+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQ ijklmnopqrstuvwxyz{\|} !"#$%&'()+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQR jklmnopqrstuvwxyz{\|} !"#$%&'()+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRS klmnopqrstuvwxyz{\|} !"#$%&'()+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRST lmnopqrstuvwxyz{\|} !"#$%&'()+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTU mnopqrstuvwxyz{\|} !"#$%&'()+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUV nopqrstuvwxyz{\|} !"#$%&'()+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVW opqrstuvwxyz{\|} !"#$%&'()+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWX pqrstuvwxyz{\|} !"#$%&'()+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXY qrstuvwxyz{\|} !"#$%&'()+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ rstuvwxyz{\|} !"#$%&'()+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[ stuvwxyz{\|} !"#$%&'()+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\ tuvwxyz{\|} !"#$%&'()+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\] uvwxyz{\|} !"#$%&'()+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^ vwxyz{\|} !"#$%&'()+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_ wxyz{\|} !"#$%&'()+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_` xyz{\|} !"#$%&'()+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`a yz{\|} !"#$%&'()+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ab z{\|} !"#$%&'()+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abc {\|} !"#$%&'()+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcd \|} !"#$%&'()+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcde } !"#$%&'()+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdef !"#$%&'()+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefg !"#$%&'()+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefgh "#$%&'()+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghi ^] telnet> quit Connection closed.</nowiki> </pre> This continues until the TCP connection is closed as shown in the trace by ending the telnet session. == Visual output simulation == ~~==Abuse==~~ For security reasons, most modern machines should have CHARGEN services disabled. The following is a Linux bash script that will simulate the visual appearance of the CHARGEN service in the terminal window. The script can be stopped by pressing {{Keypress\|Ctrl\|C}}. The service was used maliciously to crash MS DNS servers running Microsoft Windows NT 4.0 by piping the arbitrary characters straight into the DNS server listening port (telnet ntbox 19 \| telnet ntbox 53).<ref>{{cite web\|url=http://support.microsoft.com/kb/169461 \|title=Access Violation in Dns.exe Caused by Malicious Telnet Attack \|publisher=Support.microsoft.com \|date=2006-11-01 \|accessdate=2009-05-31}}</ref> However, the attack was presumably a symptom of improper buffer management on the part of Microsoft's DNS service and not directly related to the CHARGEN service.{{Citation needed\|date=August 2010}} <syntaxhighlight lang="bash"> strg=""; for n in {32..126}; do c=`printf '%x' $n \| xxd -r -p`; strg=${strg}${c}; done; strg=${strg}${strg}; n=0; while :; do m=n%95; echo "${strg:m:72}"; n=$((n+1)); sleep .1; done; </syntaxhighlight> ==Abuse== UDP CHARGEN is commonly used in denial of service attacks. By using a fake source address the attacker can send bounce traffic off a UDP CHARGEN application to the victim. UDP CHARGEN sends 200 to 1,000 times times more data than it receives, depending upon the implementation. This "traffic multiplication" is attractive to an attacker. Also attractive is the obscuring of the attacker's IP address from the victim. The service was used maliciously to crash [[Microsoft]] [[Name server\|___domain name servers]] (DNS) running [[Windows NT 4.0]] by piping the arbitrary characters straight into the DNS server listening port (<code>telnet ntbox 19 \| telnet ntbox 53</code>).<ref>{{cite web\|url=http://support.microsoft.com/kb/169461\|title=Access Violation in Dns.exe Caused by Malicious Telnet Attack\|date=2006-11-01\|publisher=Support.microsoft.com\|archive-url=https://web.archive.org/web/20140819172557/http://support.microsoft.com/kb/169461\|url-status=live\|accessdate=2009-05-31\|archive-date=2014-08-19}}</ref><ref>{{Cite news\|url=https://www.itprotoday.com/security/ms-dns-server-subject-denial-service-attack\|title=MS DNS Server subject to Denial of Service Attack\|date=1997-05-27\|work=IT Pro\|access-date=2018-02-05}}</ref> However, the attack may have been a symptom of improper buffer management on the part of Microsoft's DNS service and not directly related to the CHARGEN service.{{Citation needed\|date=August 2010}} UDP CHARGEN is commonly used in denial-of-service attacks. By using a fake source address the attacker can send bounce traffic off a UDP CHARGEN application to the victim. UDP CHARGEN sends 200 to 1,000 times more data than it receives, depending upon the implementation. This "traffic multiplication" is also attractive to an attacker because it obscures the attacker's IP address from the victim.{{Citation needed\|date=April 2024}} CHARGEN was widely implemented on network-connected printers, and as printer firmware is rarely updated there are still many network-connected printers which implement the protocol. Where these are visible to the Internet they are invariably misused as denial of service vectors, as potential attackers often scan networks looking for UDP port 19 CHARGEN sources. CHARGEN was widely implemented on network-connected printers. As printer firmware was rarely updated on older models before CHARGEN and other security concerns were known, there may still be many network-connected printers which implement the protocol. Where these are visible to the Internet, they are invariably misused as denial of service vectors. Potential attackers often scan networks looking for UDP port 19 CHARGEN sources. So notorious is the availability of CHARGEN in printers that some distributed denial of service trojans now use UDP port 19 for their attack traffic. The supposed aim is to throw investigators off the track; to have them looking for old printers rather than subverted computers. So notorious is the availability of CHARGEN in [[Printer (computing)\|printers]] that some [[Denial-of-service attack\|distributed denial of service]] trojans now use UDP port 19 for their attack traffic. The supposed aim is to throw investigators off the track; to have them looking for old printers rather than subverted computers.{{Citation needed\|date=April 2024}} A revival in the use of CHARGEN for attack traffic in June 2013 lead Brielle Bruns to comment to the NANOG mailing list, "checks her calendar* I for a second worried I might have woken up from a 20 year long dream...." ==See also== {{Portal\|Internet}} * [[Barber pole#Computer science\|Barber pole]] * [[Echo Protocol]] * [[Discard Protocol]] * [[QOTD]] * [[Daytime Protocol]] * [[Time Protocol]] Line 65 ⟶ 175: [[Category:Application layer protocols]] ~~[[Category:Internet protocols]]~~ [[Category:Filler text]] [[Category:Telnet]]