How to remediate – Chargen UDP Service Remote DoS

1. Introduction

The ‘Chargen UDP Service Remote DoS’ vulnerability affects systems running the chargen service, a protocol testing tool that is generally unused. An attacker can exploit it to cause denial of service, either directly against the affected host or by using the host as part of an attack on another system. This impacts availability by saturating network bandwidth and slowing down machines.

2. Technical Explanation

The chargen service responds with random characters when contacted: over UDP it sends a single packet in response to each request, and over TCP it streams data continuously until the connection is closed. Attackers can exploit this by spoofing packets between two machines running chargen, causing them to flood each other with data, known as a ‘ping-pong’ attack. This saturates network resources and slows down both systems. The vulnerability is tracked as CVE-1999-0103.

  • Root cause: The chargen service continues to respond to requests without rate limiting or authentication, making it susceptible to abuse.
  • Exploit mechanism: An attacker sends UDP packets with spoofed source addresses pointing to another system running chargen. This causes both systems to send data back and forth indefinitely.
  • Scope: Unix and Windows systems running the chargen service are affected.

3. Detection and Assessment

You can confirm if a system is vulnerable by checking for the presence of the chargen service and its configuration.

  • Quick checks: Use the following command to check if the service is listening on UDP port 19/chargen: netstat -an | grep -E '[.:]19[[:space:]]'
  • Scanning: Nessus vulnerability ID f0dbdf05 can detect this issue. This is an example only, and other scanners may also provide detection capabilities.
  • Logs and evidence: Check system logs for excessive network traffic originating from or destined to port 19.
netstat -an | grep -E '[.:]19[[:space:]]'
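
Added example (not part of the original article): a stricter form of the port 19 check that parses `netstat -an` output and reports only sockets whose local port is exactly 19, so an address such as 192.168.1.19 or a port such as 1900 does not match. The function names are hypothetical and the sample output is constructed; Linux, BSD and Windows row layouts are assumed.

```shell
#!/bin/sh
# Added example: exact-match check for listeners on port 19 (chargen).
# Usage on a live host: netstat -an | chargen_listeners

# Reads `netstat -an` output on stdin and prints "proto local-address" for
# every socket whose LOCAL port is exactly 19.
chargen_listeners() {
    awk '
        tolower($1) ~ /^(tcp|udp)/ {
            # Linux/BSD rows carry numeric Recv-Q/Send-Q columns before the
            # local address; Windows rows do not. Skip any numeric columns.
            i = 2
            while ($i ~ /^[0-9]+$/) i++
            # The port is the text after the last "." or ":" in the address.
            n = split($i, parts, /[.:]/)
            if (parts[n] == "19") print tolower($1), $i
        }
    '
}

# Constructed sample mixing Linux, BSD and Windows row layouts.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.19:22         192.168.1.50:51934      ESTABLISHED
udp        0      0 0.0.0.0:1900            0.0.0.0:*
udp        0      0 0.0.0.0:19              0.0.0.0:*
tcp        0      0 0.0.0.0:19              0.0.0.0:*               LISTEN
udp4       0      0 *.19                    *.*
  UDP    0.0.0.0:19             *:*
EOF
}

# A substring match on "19" also hits the first two rows (an address ending
# in .19 and port 1900); the parser reports only the four port-19 sockets.
sample_netstat | chargen_listeners
```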

4. Solution / Remediation Steps

Disable the chargen service to prevent exploitation. The following steps provide instructions for both Unix and Windows systems.

4.1 Preparation

  • Changes require a brief maintenance window, and approval may be needed depending on your organisation’s change management policies.

4.2 Implementation

  1. Step 1: Under Unix systems, comment out the ‘chargen’ line in /etc/inetd.conf using a text editor (e.g., vi or nano).
  2. Step 2: Restart the inetd process to apply the changes. Use the command service inetd restart or /etc/init.d/inetd restart, depending on your system’s init system.
  3. Step 3: Under Windows systems, set the following registry keys to 0 using regedit: HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpChargen and HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpChargen.
  4. Step 4: Launch cmd.exe as an administrator and type the following commands to restart the service: net stop simptcp followed by net start simptcp.

4.3 Config or Code Example

Before

chargen stream tcp nowait root /usr/sbin/in.chargend chargend

After

#chargen stream tcp nowait root /usr/sbin/in.chargend chargend

4.4 Security Practices Relevant to This Vulnerability

Several security practices can help prevent this type of issue.

  • Practice 1: Least privilege – running services with minimal necessary permissions reduces the impact if they are compromised.
  • Practice 2: Safe defaults – disabling unused or unnecessary services by default minimizes the attack surface.

4.5 Automation (Optional)

Automation is not recommended for this specific vulnerability due to its simplicity and low risk of unintended consequences. Manual configuration changes are preferred.

5. Verification / Validation

Confirm the fix by verifying that the chargen service is no longer listening on UDP port 19, and re-running the initial detection method.

  • Post-fix check: Run netstat -an | grep -E '[.:]19[[:space:]]'. The command should return no results if the service has been successfully disabled.
  • Re-test: Re-run the quick check from Section 3. It should not detect the chargen service listening on port 19.
  • Monitoring: Monitor system logs for any unexpected network traffic originating from or destined to port 19, which could indicate a regression.
netstat -an | grep -E '[.:]19[[:space:]]'

6. Preventive Measures and Monitoring

Update security baselines and policies to include disabling unused services like chargen. Consider adding checks in your CI/CD pipeline to prevent the re-enablement of such services during deployments.

  • Baselines: Update a security baseline or policy (for example, CIS control 1.2) to explicitly disable unnecessary services.
  • Pipelines: Add checks in CI or deployment pipelines to ensure that unused services remain disabled.
  • Asset and patch process: Review system configurations regularly to identify and disable any other unnecessary services.
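
Added example (not from the original article): one way to implement the pipeline check, as a shell function that fails when an inetd.conf-format file still has an enabled chargen entry for any protocol. The function names and the sample file are constructed for illustration; the udp and daytime lines assume the classic inetd.conf field layout.

```shell
#!/bin/sh
# Added example: pipeline check that chargen stays disabled in inetd.conf.
# In a pipeline: active_chargen_entries /etc/inetd.conf  (non-zero fails the job)

# Prints "line-number: protocol" for each enabled chargen entry in an
# inetd.conf-format file. Returns 1 if any entry is enabled, 0 if none.
active_chargen_entries() {
    awk '
        /^[ \t]*#/ { next }            # entry is commented out
        $1 == "chargen" {              # fields: service socket-type protocol ...
            printf "%d: %s\n", NR, $3
            found = 1
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed sample: the tcp entry is commented out as in the After example,
# but a udp entry is still active.
write_sample_inetd() {
    cat > "$1" <<'EOF'
# constructed inetd.conf fragment
#chargen stream tcp nowait root /usr/sbin/in.chargend chargend
chargen dgram udp wait root internal
daytime stream tcp nowait root internal
EOF
}

conf=$(mktemp)
write_sample_inetd "$conf"
active_chargen_entries "$conf" || echo "FAIL: chargen is still enabled"
rm -f "$conf"
```

On the sample, the check reports the udp entry on line 3 even though the tcp entry is already commented out.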

7. Risks, Side Effects, and Roll Back

  • Risk or side effect 1: No known risks are associated with disabling this service.
  • Roll back: To re-enable the service on Unix systems, remove the ‘#’ comment from the ‘chargen’ line in /etc/inetd.conf and restart the inetd process. On Windows systems, set the registry keys HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpChargen and HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpChargen to 1 and restart the simptcp service using net stop simptcp followed by net start simptcp.

8. References and Resources

  • Vendor advisory or bulletin: No specific vendor advisory is available for this general issue.
  • NVD or CVE entry: CVE-1999-0103
  • Product or platform documentation relevant to the fix: No specific product documentation is available, as this issue relates to a general service configuration.
Updated on December 27, 2025
