Cyber Security Awareness Month - Day 24 - The Small Services
The ports below 20 and also 37 are frequently called the "small services" and can be safely blocked. For a quick review, here is what is going on down at the bottom of the port list:
tcpmux 1/tcp #TCP Port Service Multiplexer [rfc-1078]
tcpmux 1/udp #TCP Port Service Multiplexer
compressnet 2/tcp #Management Utility
compressnet 2/udp #Management Utility
compressnet 3/tcp #Compression Process
compressnet 3/udp #Compression Process
rje 5/tcp #Remote Job Entry
rje 5/udp #Remote Job Entry
echo 7/tcp #
echo 7/udp #
discard 9/tcp #Discard
discard 9/udp #Discard
systat 11/tcp #Active Users
systat 11/udp #Active Users
daytime 13/tcp #
daytime 13/udp #
netstat 15/tcp #
qotd 17/tcp #Quote of the Day
qotd 17/udp #Quote of the Day
msp 18/tcp #Message Send Protocol
msp 18/udp #Message Send Protocol
chargen 19/tcp #Character Generator
chargen 19/udp #Character Generator
ftp-data 20/tcp #File Transfer [Default Data]
ftp-data 20/udp #File Transfer [Default Data]
time 37/tcp #Time
time 37/udp #Time
An interesting attack was developed many years ago using the echo and chargen ports. echo will send back whatever characters are sent to it, while chargen will generate random characters. By spoofing source and destination addresses/ports, it was easy to inject fake packets into a network that would generate characters from Alice's chargen port and send them to Bob's echo port, which would then echo them back to Alice's chargen, which would generate more characters to send to Bob, and... I think you get the picture. Instant denial of service attack.
On Cisco routers, the "small servers" (echo, discard, and chargen) can be enabled or disabled with these commands:
Router(config)# service udp-small-servers
Router(config)# no service udp-small-servers
Router(config)# service tcp-small-servers
Router(config)# no service tcp-small-servers
In Unix systems, edit the inetd.conf (or equivalent) file to comment out these services if you don't use them. Odds are pretty good that you don't.
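One way to check for this, as an added example that is not part of the original diary: the shell functions below scan an inetd.conf for active entries named after the services listed above (ports below 20, plus 37) and print a copy with those entries commented out. The function names and the sample file are constructed for illustration, and the script assumes the classic six-field inetd.conf layout rather than xinetd.

```sh
#!/bin/sh
# Added example: audit a classic six-field inetd.conf for the small services.
# Names come from the list above (ports below 20, plus 37).
SMALL_SERVICES="tcpmux compressnet rje echo discard systat daytime netstat qotd msp chargen time"

# scan_inetd MODE FILE (hypothetical helper)
#   list    -> print "line:service/proto" for each active small-service entry
#   disable -> print the whole file with those entries commented out
scan_inetd() {
    awk -v names="$SMALL_SERVICES" -v mode="$1" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) small[a[i]] = 1 }
        # Active entry: not commented out, full record, service name in the list
        $1 !~ /^#/ && NF >= 6 && ($1 in small) {
            if (mode == "list") printf "%d:%s/%s\n", NR, $1, $3
            else print "#" $0
            next
        }
        mode == "disable" { print }
    ' "$2"
}
list_small_services()    { scan_inetd list "$1"; }
disable_small_services() { scan_inetd disable "$1"; }

# Constructed sample input, not taken from a real host
sample_inetd_conf() {
    cat <<'EOF'
# constructed sample inetd.conf
echo     stream  tcp  nowait  root  internal
echo     dgram   udp  wait    root  internal
#discard stream  tcp  nowait  root  internal
chargen  dgram   udp  wait    root  internal
time     stream  tcp  nowait  root  internal
ftp      stream  tcp  nowait  root  /usr/sbin/in.ftpd  in.ftpd
EOF
}

# Demo: report what is enabled in the sample, then show the hardened copy
demo=$(mktemp)
sample_inetd_conf > "$demo"
echo "Active small services (line:service/proto):"
list_small_services "$demo"
echo "Proposed inetd.conf:"
disable_small_services "$demo"
rm -f "$demo"
```

After the proposed file has been reviewed and put in place, inetd has to reread its configuration (typically on SIGHUP) before the change takes effect.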
If you have any additional thoughts or comments on the Small Services please let us know via our contact form, or simply add your public comments via the comment link below.
Marcus H. Sachs
Director, SANS Internet Storm Center
What's with tcp/0?
In case you did not notice, the DShield system is going nuts with reports on tcp/0. Stephen Hall wrote a nice Cyber Security Awareness Month diary on the subject of tcp/0 earlier this month. Did the bad guys read it and start launching probes? Is it Akamai or some other caching service? If you can do some full packet captures of any tcp/0 traffic hitting your firewalls let us know what you find out. Send us your analysis via our contact page.
Marcus H. Sachs
Director, SANS Internet Storm Center
Windows 7 - How is it doing?
Microsoft's Windows 7 operating system was officially released on Thursday October 22nd. I'm sure that many of our readers were lined up outside their local candy stores to buy an early copy. For those who have successfully installed it, tell us about your experience. Was it good, bad, or ugly? Any pearls of wisdom you'd like to pass along to others? You can comment directly by using the comment link below or you can send us a private message by using our contact form. Either way, we'd like to hear about some early experiences. We'll update this diary from time to time with reader comments.
Marcus H. Sachs
Director, SANS Internet Storm Center