1. Introduction
The Quote of the Day (QOTD) service is a simple network application that sends a random quote to anyone who connects to it. It runs on both TCP and UDP ports 17. Leaving this service running unnecessarily presents a medium security risk, as it can be exploited for denial-of-service attacks or used to gather information about the system. Affected systems are typically Unix-like operating systems and older Windows versions where the SimpTCP utility is enabled. A successful attack could cause network congestion and slow down affected machines.
2. Technical Explanation
The QOTD service listens for incoming connections on TCP port 17 and UDP port 17. When a connection is established (TCP) or datagram received (UDP), it sends back a quote, discarding any data sent by the client. The ‘pingpong’ attack exploits this behaviour by spoofing packets between two machines running QOTD, causing them to repeatedly send quotes to each other. This saturates network bandwidth and can overload the systems involved. CVE-1999-0103 describes this vulnerability.
- Root cause: The qotd service is enabled by default on some systems without sufficient security considerations.
- Exploit mechanism: An attacker sends spoofed packets to two QOTD servers, initiating a continuous exchange of quotes between them.
- Scope: Unix-like operating systems and Windows systems with the SimpTCP utility enabled are affected.
3. Detection and Assessment
You can confirm if the service is running by checking for listening ports or examining configuration files. A thorough assessment involves network scanning to identify open port 17.
- Quick checks: Use the following command to check for a process listening on TCP port 17:
netstat -tulnp | grep :17
- Scanning: Nessus plugin ID 28965 or OpenVAS scan config ‘tcp_qotd’ can detect this service. These are examples only.
- Logs and evidence: Check system logs for messages related to the qotd service startup or activity. The location varies by operating system, but /var/log/syslog on Unix systems is a common place to look.
4. Solution / Remediation Steps
The best way to fix this issue is to disable the QOTD service. The steps differ depending on your operating system.
4.1 Preparation
- The roll back plan is to re-enable the ‘qotd’ line in /etc/inetd.conf (Unix) or set registry keys back to 1 (Windows).
- A change window may be needed, depending on your organisation’s policies. Approval from a system administrator might be required.
4.2 Implementation
- Step 1: Under Unix systems, edit the /etc/inetd.conf file and comment out every line containing ‘qotd’ by adding a ‘#’ at the beginning of the line. Since the service runs on both TCP and UDP, there may be two entries (a ‘stream tcp’ line and a ‘dgram udp’ line); both need to be commented out.
- Step 2: Restart the inetd process using the command:
sudo systemctl restart inetd
or
sudo service inetd restart
depending on your distribution.
- Step 3: Under Windows systems, open the Registry Editor (regedit).
- Step 4: Navigate to HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters and set EnableTcpQotd and EnableUdpQotd to 0.
- Step 5: Open cmd.exe as an administrator.
- Step 6: Stop the SimpTCP service using the command:
net stop simptcp
- Step 7: Start the SimpTCP service using the command:
net start simptcp
4.3 Config or Code Example
Before
# /etc/inetd.conf
qotd stream tcp nowait root /usr/bin/qotd qotd
After
# /etc/inetd.conf
#qotd stream tcp nowait root /usr/bin/qotd qotd
4.4 Security Practices Relevant to This Vulnerability
- Practice 1: Least privilege – only run essential services and disable unnecessary ones like QOTD.
- Practice 2: Safe defaults – configure systems with the most secure settings by default, disabling potentially vulnerable features unless specifically required.
4.5 Automation (Optional)
#!/bin/bash
# Example Bash script for Unix systems.
# Comment out every active qotd entry (tcp and udp) in inetd.conf.
# '|' is used as the sed delimiter because the original pattern contained '/',
# which would have terminated a '/'-delimited expression early; '&' re-inserts
# the matched text after the '#'.
sed -i 's|^qotd[[:space:]]|#&|' /etc/inetd.conf
systemctl restart inetd
5. Verification / Validation
Confirm the fix by checking that the QOTD service is no longer listening on port 17 (TCP or UDP) and verifying that attempts to connect fail.
- Post-fix check: Run
netstat -tulnp | grep :17
The output should be empty, indicating the service is not listening.
- Re-test: Re-run the earlier detection command (netstat -tulnp | grep :17) to confirm that port 17 is no longer open.
- Monitoring: Monitor system logs for any errors related to the inetd service or SimpTCP. A simple query for “qotd” should return no results.
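The following POSIX shell script is an added example, not part of the original advisory, that ties together the detection (section 3), automation (4.5) and verification (5) steps for Unix systems: it counts the active qotd entries in an inetd.conf-style file, comments them out (both the tcp and udp lines), and checks whether anything is still bound to port 17. The config path is passed as an argument and the demonstration runs against a constructed sample file, so nothing touches the real /etc/inetd.conf; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original advisory): audit and disable qotd
# entries in an inetd.conf-style file, then check for a port 17 listener.

# Print the number of active (uncommented) qotd lines in the given file.
# grep -c exits 1 when the count is 0, so "|| true" keeps set -e callers happy.
qotd_active_count() {
    grep -c -E '^[[:space:]]*qotd[[:space:]]' "$1" || true
}

# Comment out every active qotd line (stream tcp and dgram udp alike),
# preserving any leading whitespace. A temp file is used instead of sed -i
# so the function behaves the same with GNU and BSD sed.
disable_qotd() {
    sed -E 's/^([[:space:]]*)(qotd[[:space:]])/\1#\2/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Return 0 if something is listening on port 17, 1 if nothing is,
# 2 if neither ss nor netstat is available to tell.
qotd_listening() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltun 2>/dev/null | grep -qE ':17[[:space:]]'
    elif command -v netstat >/dev/null 2>&1; then
        netstat -tuln 2>/dev/null | grep -qE ':17[[:space:]]'
    else
        return 2
    fi
}

# Constructed sample that stands in for /etc/inetd.conf.
sample="$(mktemp)"
cat > "$sample" <<'EOF'
# /etc/inetd.conf (constructed sample)
qotd    stream  tcp     nowait  root    /usr/bin/qotd   qotd
qotd    dgram   udp     wait    root    /usr/bin/qotd   qotd
daytime stream  tcp     nowait  root    internal
EOF

echo "active qotd entries before: $(qotd_active_count "$sample")"
disable_qotd "$sample"
echo "active qotd entries after:  $(qotd_active_count "$sample")"

# On a real host inetd must be restarted after editing the file (section 4.2,
# step 2) before this check is meaningful.
if qotd_listening; then
    echo "port 17 still has a listener: restart inetd and re-check"
else
    echo "no listener on port 17 (or neither ss nor netstat is available)"
fi
rm -f "$sample"
```

To use it on a live system, call disable_qotd with /etc/inetd.conf as root, restart inetd as in step 2, and then run qotd_listening; the exit code 2 path matters on minimal images where neither ss nor netstat is installed, because an empty grep result there would otherwise look like a successful fix.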
6. Preventive Measures and Monitoring
Regularly review system configurations to identify and disable unnecessary services. Implement a patch management process to keep systems up-to-date.
- Baselines: Update your security baseline or policy to include disabling the QOTD service as a standard configuration setting.
- Pipelines: Add checks in CI/CD pipelines to scan for open port 17 during deployment and flag any instances where it is detected.
7. Risks, Side Effects, and Roll Back
Disabling QOTD should not affect other network services. However, if another service depends on it (uncommon), that service may also be affected. The roll back steps are straightforward.
- Roll back: 1) Under Unix systems, remove the ‘#’ from the ‘qotd’ line in /etc/inetd.conf. 2) Restart the inetd process using
sudo systemctl restart inetd
or
sudo service inetd restart
3) Under Windows systems, set EnableTcpQotd and EnableUdpQotd back to 1 in the Registry Editor and restart the SimpTCP service.
8. References and Resources
- Vendor advisory or bulletin: No specific vendor advisory is available for this general vulnerability