Mostly Harmless Protocols

A handful of protocols are widely implemented for no apparent reason except that:

These include chargen, echo, and discard. chargen (character generator) is a server that babbles. When you connect to it, it produces characters in an endless stream until you go away again (if you send it UDP, it sends you back a single UDP packet with random characters in it). echo simply echoes back any data you send it; discard even more simply discards all data you send it. It's easy to see that these might in fact be useful for administrative and testing purposes, but in practice they don't come up much. They sat around for years being apparently harmless if pointless curiosities, enabled by default on almost all Unix machines and used on rare occasions for network testing. Then various people found interesting ways to pervert them (forge a packet from one machine's echo server to another, creating a vicious circle, for instance), and they became noteworthy. It has never been advisable to allow them (if you don't need services, don't turn them on—and you don't need any of these), but now it's actually important to turn them off.

Interestingly, not long after echo became dangerous, it started to be used for relatively benign purposes as well. Web sites (most notably, the advertisement servers at doubleclick.net) periodically attempt to use echo to determine round-trip times and choose the closest server to a given client. TCP-based echo is used instead of the ICMP echo used by ping in order to get responses more like those that TCP-based HTTP will get. Although these attempts are benign, there is no reason to allow them; they are not required in order for services to work. You do need to be aware that you will probably see logs of discarded echo traffic, which do not indicate hostile acts.

Given that chargen, echo, and discard are ancient and rarely used, you might expect that Microsoft's relatively modern implementation of TCP/IP services would omit them, but in fact these services are all bundled as part of the "Simple TCP/IP Services" service on Windows NT. This also includes the equally unused daytime and quotd services. daytime produces a human-readable date and timestamp; quotd (quote of the day) produces a quote (in Windows NT's case, from an extremely small quotes file). They are both genuine and widely implemented services but are even less used than the others.

Many of these services are provided by the operating system on Cisco routers as well and should be disabled as part of router configuration.

All of these services work on both TCP and UDP. chargen is at port 19, echo is at port 7, discard is at port 9, daytime is at port 13, and quotd is at port 17.
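The following Python sketch is an added example, not code from the original text: it sorts dropped-packet records for these ports into the forged server-to-server UDP pattern, the benign TCP echo round-trip probes, and other small-service traffic. The record layout and the label names are assumptions made for illustration, and the sample records are constructed.

```python
from collections import Counter

# Ports from the text above; every service listens on both TCP and UDP.
SMALL_SERVICES = {7: "echo", 9: "discard", 13: "daytime", 17: "quotd", 19: "chargen"}

def classify(proto, src_port, dst_port):
    """Label one dropped packet by how it relates to the small services."""
    if dst_port not in SMALL_SERVICES:
        return "unrelated"
    # A real client sends from an ephemeral port. A UDP datagram whose source
    # port is itself a small service matches the forged server-to-server case.
    if proto == "udp" and src_port in SMALL_SERVICES:
        return "loop-suspect"
    # TCP to echo from a high port matches the round-trip-time measurements
    # described above: drop it, but it does not indicate a hostile act.
    if proto == "tcp" and dst_port == 7 and src_port >= 1024:
        return "echo-rtt-probe"
    return "small-service-probe"

def parse(line):
    """Parse 'proto src_ip:src_port -> dst_ip:dst_port' (hypothetical layout)."""
    proto, src, _, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return proto.lower(), src_ip, int(src_port), dst_ip, int(dst_port)

def summarize(lines):
    """Count labels and collect the address/service pairs flagged as loop suspects."""
    counts, suspects = Counter(), []
    for line in lines:
        proto, src_ip, sport, dst_ip, dport = parse(line)
        label = classify(proto, sport, dport)
        counts[label] += 1
        if label == "loop-suspect":
            suspects.append((src_ip, SMALL_SERVICES[sport], dst_ip, SMALL_SERVICES[dport]))
    return counts, suspects

# Constructed sample records (documentation address ranges), not real logs.
SAMPLE = [
    "tcp 198.51.100.20:41822 -> 192.0.2.10:7",
    "udp 192.0.2.11:7 -> 192.0.2.10:19",
    "udp 203.0.113.5:53211 -> 192.0.2.10:19",
    "tcp 203.0.113.5:40001 -> 192.0.2.10:80",
    "udp 192.0.2.10:7 -> 192.0.2.11:7",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

In a loop-suspect record the source address is the forged one, so it identifies the other machine being targeted rather than the sender.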

While it would be theoretically quite easy to proxy most of these protocols (the proxy for discard is particularly simple to write), the sheer pointlessness of doing so means that proxies for them are not widely available. In particular, on the rare occasions when chargen, echo, and discard are used, they're used to gather data about network performance, which will be obscured if a proxy is in the transaction.

None of these protocols include embedded IP addresses; they will all work with straightforward network address translation.