Chargen (UDP port 19)

Chargen is a service that is usually enabled by accident. There are no real legitimate reasons for this service to be exposed to the internet.

Windows

On Windows, Chargen is run through Simple TCP/IP Services. If you don't need any of the services that this provides (and most people do not), removing this feature is the most reliable way of fixing the issue.

To remove Simple TCP/IP Services:
  1. In the Control Panel, open 'Turn Windows Features on or off'
  2. Uncheck the box next to 'Simple TCPIP services (i.e. echo, daytime, etc)'
  3. Click OK

To just disable chargen:
  1. Open the registry editor, and navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SimpTCP\Parameters\
  2. Change EnableUdpChargen to 0 (or create this as REG_DWORD if it does not exist)
  3. Close the registry editor, and open a command prompt (cmd.exe)
  4. Run: net stop simptcp
  5. Run: net start simptcp

If you cannot do either of these:
  1. Create a firewall rule to block inbound UDP port 19 packets


Linux

On Linux, Chargen is usually run through xinetd.

To disable chargen:
  1. Open /etc/xinetd.d/chargen-dgram (this path may vary depending on your operating system)
  2. Add the following line after the first {
    disable = yes
  3. Remove any other disable lines and save the file
  4. Restart xinetd with
    service xinetd restart

If you cannot disable chargen:
  1. Create a firewall rule blocking inbound UDP port 19. For example
    iptables -I INPUT 1 -p udp -m udp --dport 19 -j DROP
  2. Make sure this firewall rule is applied on boot (the process for this varies depending on operating system)



DNS (UDP Port 53)

DNS is used to resolve domain names to IP addresses. When a DNS server is configured to accept recursive queries from anyone, it can be abused as a reflector in DDoS attacks.

Windows

The Windows DNS server only permits very basic filtering. If you do not need to run a recursive server, simply disable recursion. If you do need to run a recursive server, add firewall rules that restrict it to your own IP addresses. Note that recursion is only needed by clients: if your DNS server only hosts the zones for your own domain names, you usually do not need a recursive server.

To remove the DNS server entirely:
  1. Within 'Server Manager' click 'Remove Roles'
  2. Check the box next to 'DNS Server'
  3. Click Next

To disable recursive DNS:
  1. Open 'Server Manager'
  2. Expand Roles -> DNS Server -> DNS -> (Your Server's Name)
  3. Right click on your server name, choose Properties
  4. On the 'Advanced' tab, select 'Disable recursion (also disables forwarders)'
  5. Click OK

If you cannot do either of these:
  1. Create a firewall rule to block inbound UDP port 53 packets
  2. Make sure that you whitelist your upstream DNS servers, as well as any client machines that may be using your server


Linux

On Linux, DNS is run through a number of different tools. Restricting this via a firewall is the best option if you cannot determine what tool you are using.

To disable recursion for BIND 9.x:
  1. Open your BIND configuration file
  2. Make sure you have the following options set:
    options {
        recursion no;
        additional-from-cache no;
    };

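As an added example (not code from the original page), a small Python audit that extracts the global options block from a BIND configuration and reports whether the two settings above are present and set to no; the sample named.conf is constructed, and the helper names are this example's own:

```python
import re

# Constructed named.conf fragment with recursion left at its default; not from a real server.
SAMPLE_NAMED_CONF = """\
options {
    directory "/var/named";
    // no 'recursion' statement here, so BIND's default (yes) applies
    allow-query { any; };
};
zone "example.com" { type master; file "example.com.zone"; };
"""


def _strip_comments(text):
    # Drop /* */, // and # comments so a commented-out 'recursion no;' is not counted.
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def _options_block(text):
    """Return the body of the global 'options { ... }' block, or None if absent."""
    start = re.search(r"\boptions\s*\{", text)
    if start is None:
        return None
    depth, open_at = 0, start.end() - 1
    for pos in range(open_at, len(text)):      # walk to the matching close brace
        if text[pos] == "{":
            depth += 1
        elif text[pos] == "}":
            depth -= 1
            if depth == 0:
                return text[open_at + 1:pos]
    return None


def audit_bind_recursion(conf_text):
    """List the settings from the steps above that are not 'no' in the options block.

    BIND's built-in default for both settings is yes, so an absent statement is
    reported rather than treated as unknown. Settings placed inside a 'view'
    instead of 'options' are not examined by this example.
    """
    block = _options_block(_strip_comments(conf_text))
    if block is None:
        return ["no options block found (recursion defaults to yes)"]
    findings = []
    for name in ("recursion", "additional-from-cache"):
        match = re.search(r"\b%s\s+(yes|no)\s*;" % re.escape(name), block)
        if match is None:
            findings.append("%s not set (defaults to yes)" % name)
        elif match.group(1) == "yes":
            findings.append("%s yes" % name)
    return findings
```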

To disable recursion for DNSMasq:


If you cannot make the necessary changes:
  1. Create a firewall rule blocking inbound UDP port 53. Make sure to allow your upstream DNS servers.
  2. For example
    iptables -I INPUT 1 -s 8.8.8.8 -p udp -m udp --dport 53 -j ACCEPT
    iptables -I INPUT 2 -s 8.8.4.4 -p udp -m udp --dport 53 -j ACCEPT
    iptables -I INPUT 3 -p udp -m udp --dport 53 -j DROP



SNMP (UDP Port 161)

SNMP is used to monitor and manage various network devices. With the default password (also called the community string), an attacker can use the SNMP service to conduct DDoS attacks or to reveal configuration information about the machine running it. Some system monitoring services may use SNMP, but you should always make sure to secure it.

Windows

On Windows, SNMP is run through the 'SNMP' service.

If you do not require SNMP, you can remove the service:
  1. In the Control Panel, open 'Turn Windows Features on or off'
  2. Uncheck the box next to 'SNMP Service'
  3. Click OK

If you do require SNMP, change the default password:
  1. Open Control Panel -> Administrative Tools -> Services
  2. Find 'SNMP Service', right click it, and choose Properties
  3. On the Security tab, click the 'Add' button near 'Accepted community names'
  4. Enter a secure password for this (do not reuse any existing password)
  5. Make sure to remove any insecure passwords (default values such as 'public' or 'private' are commonly abused)
  6. Click OK
  7. Restart the SNMP service

If you cannot do either of these:
  1. Create a firewall rule to block inbound UDP port 161 packets


Linux

On Linux, SNMP is commonly run through the net-snmp library.

If you do not require SNMP, you can remove the service:

If you do require SNMP, change the default password:
  1. Open your snmpd.conf file (usually /etc/snmp/snmpd.conf)
  2. Find the line that looks like this:
    com2sec notConfigUser  default       public
    (the line will begin with com2sec, and end with a password. In this case it's 'public')
  3. Change the 'public' at the end of the line to a secure password
  4. Save the file and restart the SNMP server:
    service snmpd restart

If you cannot do either of these:
  1. Create a firewall rule blocking inbound UDP port 161. For example
    iptables -I INPUT 1 -p udp -m udp --dport 161 -j DROP
  2. Make sure this firewall rule is applied on boot (the process for this varies depending on operating system)
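As an added example (not part of the original page), a Python audit that scans an snmpd.conf for the well-known default community strings the steps above tell you to replace; the sample configuration is constructed, and the 12-character minimum is this example's own assumption rather than a net-snmp rule:

```python
# Constructed sample snmpd.conf; not taken from any real host.
SAMPLE_SNMPD_CONF = """\
# net-snmp default mapping, as installed by many distributions
com2sec notConfigUser  default       public
com2sec monitoring     10.0.0.0/8    Xk3-long-monitoring-secret
rocommunity private
rwcommunity public 192.168.1.0/24
"""

# Community strings that ship as defaults and are constantly scanned for.
DEFAULT_COMMUNITIES = {"public", "private"}
MIN_LENGTH = 12   # assumption of this example, not a net-snmp rule


def is_weak_community(community):
    """A community is weak if it is a known default or too short to resist guessing."""
    return community.lower() in DEFAULT_COMMUNITIES or len(community) < MIN_LENGTH


def find_weak_communities(conf_text):
    """Return (line_no, directive, community) for each weak community in snmpd.conf.

    Handles the long form 'com2sec NAME SOURCE COMMUNITY' (community is the
    last token, as in the line quoted in the steps above) and the shorthand
    'rocommunity COMMUNITY [SOURCE]' / 'rwcommunity COMMUNITY [SOURCE]'
    (community is the first argument). Comments and blank lines are skipped.
    """
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        directive = tokens[0].lower()
        if directive == "com2sec" and len(tokens) >= 4:
            community = tokens[-1]
        elif directive in ("rocommunity", "rwcommunity") and len(tokens) >= 2:
            community = tokens[1]
        else:
            continue
        if is_weak_community(community):
            findings.append((line_no, directive, community))
    return findings


if __name__ == "__main__":
    for line_no, directive, community in find_weak_communities(SAMPLE_SNMPD_CONF):
        print("line %d: %s uses weak community %r" % (line_no, directive, community))
```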



NTP (UDP Port 123)

NTP is used to ensure that a machine's time is correct. If it is misconfigured, it can be exploited to conduct DDoS attacks.

Windows

With the default Windows NTP client/server, your only option is to restrict NTP access with a firewall.
  1. Create a firewall rule to block inbound UDP port 123 packets
  2. Make sure you allow your upstream time server (run `w32tm /query /peers` via command prompt to see what they are)


Linux, FreeBSD

On Linux and FreeBSD, the most common NTP client/server is NTPD. You generally do not want to remove this service, so instead the configuration must be updated.

To prevent your NTP server from being abused:
  1. Open your ntp.conf file (generally /etc/ntp.conf)
  2. Remove any existing lines that begin with 'restrict', and replace them with:
    restrict default kod limited nomodify notrap nopeer noquery
    restrict -6 default kod limited nomodify notrap nopeer noquery
    restrict 127.0.0.1
    restrict -6 ::1
  3. Restart your NTP server: `service ntpd restart` or `service ntp restart`
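As an added example (not code from the original page), a Python check that parses ntp.conf and reports which of the flags from the restrict lines above are missing from each address family's default policy; the sample file is constructed, and treating a bare 'restrict default' as the IPv4 policy and 'restrict -6 default' as the IPv6 policy mirrors the two-line layout used above:

```python
# Constructed sample ntp.conf in which the IPv4 default line was only partly hardened.
SAMPLE_NTP_CONF = """\
driftfile /var/lib/ntp/drift
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer   # missing 'limited' and 'noquery'
restrict -6 default kod limited nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
"""

# The flags carried by the hardened 'restrict default' lines in the steps above.
REQUIRED_DEFAULT_FLAGS = {"kod", "limited", "nomodify", "notrap", "nopeer", "noquery"}


def audit_ntp_restrict(conf_text):
    """Return {'ipv4': missing, 'ipv6': missing} for the default restrict policies.

    'missing' is the set of required flags absent from that family's
    'restrict default' line (an empty set means fully hardened). None means
    the family has no default line at all, so anyone may query or peer with it.
    A bare 'restrict default' is treated as the IPv4 policy and
    'restrict -6 default' as the IPv6 policy (an assumption of this example).
    """
    result = {"ipv4": None, "ipv6": None}
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if not tokens or tokens[0] != "restrict":
            continue
        family, args = "ipv4", tokens[1:]
        if args and args[0] in ("-4", "-6"):
            family = "ipv6" if args[0] == "-6" else "ipv4"
            args = args[1:]
        if not args or args[0] != "default":
            continue          # host-specific restrict line, not the default policy
        result[family] = REQUIRED_DEFAULT_FLAGS - set(args[1:])
    return result


def is_hardened(conf_text):
    """True only when both families have a default line carrying every required flag."""
    return all(missing == set() for missing in audit_ntp_restrict(conf_text).values())


if __name__ == "__main__":
    for family, missing in audit_ntp_restrict(SAMPLE_NTP_CONF).items():
        print(family, "missing:", sorted(missing) if missing else missing)
```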

If you cannot make these changes:
  1. Create a firewall rule blocking inbound UDP port 123. For example
    iptables -I INPUT 1 -p udp -m udp --dport 123 -j DROP
  2. Make sure to add ALLOW rules for the actual NTP servers your server is configured to use
  3. Make sure this firewall rule is applied on boot (the process for this varies depending on operating system)


Supermicro IPMI controllers

Some old revisions of the Supermicro IPMI firmware are poorly configured and can be abused for NTP amplification in the same way. Upgrading the IPMI firmware should fix this; otherwise you need to apply firewall rules upstream of the IPMI controller, since the controller runs independently of the host's operating system and its firewall.


If you find any errors on this page, please let us know: abusereports AT gameservers.com