Guide to QOTD Amplification Issues

Description

Quote of the Day (QOTD) is a service running on port 17. It returns the quotation of the day, which is a message composed of one or multiple lines.
Attackers can use QOTD to launch denial of service attacks. (The Bandwidth Amplification Factor is about 140.3. Ref: http://www.us-cert.gov/ncas/alerts/TA14-017A )

How to test if your server/device is vulnerable

If a quote is returned, the server is vulnerable (replace xx.xx.xx.xx with your server's IP address):

# telnet xx.xx.xx.xx 17

Example of output for a vulnerable server:
    Trying xx.xx.xx.xx...
    Connected to xx.xx.xx.xx.
    Escape character is '^]'.
    "The secret of being miserable is to have leisure to bother about whether
    you are happy or not. The cure for it is occupation."
    Connection closed by foreign host.

Another method using nmap:

# sudo nmap -sU -PN -p17 xx.xx.xx.xx

Example of output for a server that is not vulnerable:
    Starting Nmap 6.40 ( http://nmap.org ) at 2015-00-00 00:00 EDT
    Nmap scan report for xx.xx.xx.xx
    Host is up.
    PORT STATE SERVICE
    17/udp open|filtered qotd
    Nmap done: 1 IP address (1 host up) scanned in 2.50 seconds


Resolution:

OPTION A

Disable the service or ports, unless they are needed.

Unix
To disable QOTD when started from inetd:

  1. Edit the /etc/inetd.conf (or equivalent) file.
  2. Locate the line that controls the qotd daemon.
  3. Type a # at the beginning of the line to comment out the daemon.
  4. Restart inetd.
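
Steps 1 to 3 above as a script, added here as an example and not part of the original article. It assumes the classic inetd.conf layout with built-in (`internal`) qotd entries, works on a constructed sample file, and its function names are hypothetical:

```shell
#!/bin/sh
# Added example: comment out active qotd entries in an inetd-style config.

# Count active (uncommented) qotd entries, TCP and UDP alike.
active_qotd_count() {
    grep -Ec '^[[:space:]]*qotd[[:space:]]' "$1" || true
}

# Comment out every active qotd entry, keeping a .bak copy of the original.
# Already-commented lines and other services are left untouched,
# so running it a second time changes nothing.
disable_qotd() {
    conf=$1
    cp -p "$conf" "$conf.bak" || return 1
    sed -E 's/^([[:space:]]*)(qotd[[:space:]])/\1#\2/' "$conf.bak" > "$conf.tmp" || return 1
    # Write back through the original file so its owner and mode are preserved.
    cat "$conf.tmp" > "$conf" && rm -f "$conf.tmp"
}

# Constructed sample in the inetd.conf layout (not taken from a real host).
make_sample_conf() {
    cat > "$1" <<'EOF'
# service  type    proto  wait    user  program
echo       stream  tcp    nowait  root  internal
qotd       stream  tcp    nowait  root  internal
qotd       dgram   udp    wait    root  internal
#chargen   dgram   udp    wait    root  internal
EOF
}

demo() {
    sample=$(mktemp) || return 1
    make_sample_conf "$sample"
    echo "active qotd entries before: $(active_qotd_count "$sample")"
    disable_qotd "$sample"
    echo "active qotd entries after:  $(active_qotd_count "$sample")"
    rm -f "$sample" "$sample.bak"
}
demo
```

On a real host, run `disable_qotd` against the actual inetd configuration file and then restart inetd (step 4) so the change takes effect.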

Windows
Set the following registry keys to 0:

HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpQotd
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpQotd

Then launch cmd.exe and type the following commands to restart the service:

net stop simptcp
net start simptcp

 

OPTION B

Configure the firewall to block port 17 (UDP and TCP).

Additional references:

RFC 865: http://tools.ietf.org/html/rfc865
http://xforce.iss.net/xforce/xfdb/8567
http://www.securityspace.com/smysecure/catid.html?id=10198
http://www.us-cert.gov/ncas/alerts/TA14-017A
http://en.wikipedia.org/wiki/QOTD
