
3.12 The Small Services

The small services are chargen, daytime, discard, echo, and time. These services are generally used for maintenance work, and are quite simple to implement. In UNIX systems, they are usually processed internally by inetd.

Because they are simple, these services have generally been believed to be safe to run: they are probably too small to have the security bugs common in larger services. Because they are believed to be safe, they are often left turned on in hosts and even routers. We do not know of any security problems that have been found in the implementation of these services, but the services themselves do provide opportunities for abuse via denial-of-service attacks. They can be used to generate heavy network traffic, especially when stimulated with directed-broadcast packets. These services have been used as alternative packet sources for smurf-style attacks. See Section 5.8.

Generally, both UDP and TCP versions of these services are available. Any TCP service can leak information to outsiders about its TCP sequence-number state. That information is needed for IP spoofing attacks, and because a small TCP service is unaudited and ignored, it is an easy place to perform such experiments.

UDP versions of small services are fine sources for broadcast and packet storms. For example, the echo service returns a packet to the sender. Locate two echo servers on a net, and send a packet to one with a spoofed return address of the other. They will echo that packet between them, often for days, until something kills the packet. Several UDP services will behave this way, including DNS and chargen.

Some implementations won't echo packets to their own port number on another host, though many will. BSD/OS's services had a long list of common UDP ports they won't respond to. This helps, but we prefer to turn the services off entirely and get out of the game. You never know when another exploitable port will show up.

The storms get much worse if broadcast addresses are used. You should not only disable the services, you should also disable directed broadcast on your routers. (This is the default setting on newer routers, but you should check, just to be sure.)
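The two abuse patterns described above (a small-service packet aimed at a directed-broadcast address, and a UDP packet bouncing between two reflecting services) have a recognisable shape in flow data. The following is an added example, not code from the book, that flags both patterns over constructed flow records; the local prefix 192.0.2.0/24 and the five-tuple record layout are assumptions for the example.

```python
"""Added example (not from the book): flag UDP traffic that matches the
small-service abuse patterns discussed above, over constructed flow records."""
import ipaddress

# Well-known ports of the small services named in the text.
SMALL_SERVICES = {7: "echo", 9: "discard", 13: "daytime", 19: "chargen", 37: "time"}
# UDP services the text says will bounce packets back. DNS is included because the
# text names it, but it is only flagged when paired with a small service.
REFLECTORS = {**SMALL_SERVICES, 53: "dns"}

def classify(flow, local_net="192.0.2.0/24"):
    """flow = (src_ip, src_port, dst_ip, dst_port, proto).
    Returns a short reason string if the flow looks like small-service abuse,
    or None if it is unremarkable. local_net is an assumed local prefix."""
    src_ip, sport, dst_ip, dport, proto = flow
    if proto != "udp":
        return None  # TCP small services are a separate (sequence-number) concern
    net = ipaddress.ip_network(local_net)
    dst = ipaddress.ip_address(dst_ip)
    # Pattern 1: a small-service request to the directed-broadcast address of the
    # local net (or the limited broadcast address): the packet-storm amplifier.
    if dport in SMALL_SERVICES and (dst == net.broadcast_address or dst_ip == "255.255.255.255"):
        return f"broadcast {SMALL_SERVICES[dport]} request to {dst_ip}"
    # Pattern 2: reflector-to-reflector with a small service on at least one end:
    # the two-echo-server ping-pong, usually started with a spoofed source address.
    if sport in REFLECTORS and dport in REFLECTORS and (sport in SMALL_SERVICES or dport in SMALL_SERVICES):
        return f"{REFLECTORS[sport]}/{REFLECTORS[dport]} loop between {src_ip} and {dst_ip}"
    return None

def suspicious_flows(flows, local_net="192.0.2.0/24"):
    """Return [(flow, reason)] for every flow that classify() flags."""
    out = []
    for f in flows:
        reason = classify(f, local_net)
        if reason:
            out.append((f, reason))
    return out

# Constructed sample flows (RFC 5737 documentation addresses), not real traffic.
SAMPLE_FLOWS = [
    ("192.0.2.10", 7, "192.0.2.20", 7, "udp"),         # echo <-> echo loop
    ("198.51.100.5", 1025, "192.0.2.255", 19, "udp"),  # chargen to directed broadcast
    ("192.0.2.10", 53, "192.0.2.20", 7, "udp"),        # dns <-> echo loop
    ("198.51.100.5", 40000, "192.0.2.10", 53, "udp"),  # ordinary DNS query: not flagged
    ("192.0.2.10", 5000, "192.0.2.20", 7, "tcp"),      # TCP echo: not a storm source
    ("192.0.2.10", 53, "192.0.2.20", 53, "udp"),       # server-to-server DNS: not flagged
]

if __name__ == "__main__":
    for flow, reason in suspicious_flows(SAMPLE_FLOWS):
        print(reason)
```

Flows that match either pattern are the ones to trace back to the host still running inetd's small services, or to the router that still forwards directed broadcasts.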
