
Port 19 (UDP/TCP) – CharGEN

Character Generator — a legacy debugging service that emits a stream of characters in response to any input.


Quick facts

Transport: udp, tcp
Category: Well-known
Risk level: High

Frequently targeted — restrict exposure and harden it.

Default state

Disabled on modern systems. Historically enabled via inetd on Unix and as a Simple TCP/IP Service on older Windows.

Common attacks

  • UDP amplification / reflection DDoS
  • Resource exhaustion via paired echo (port 7) and chargen loops

Hardening

  • Disable CharGEN entirely — it has no modern use
  • Remove Simple TCP/IP Services on Windows and the chargen line from inetd/xinetd
  • Block UDP/TCP 19 at the network edge
  • Never expose chargen to untrusted networks

nmap snippet

nmap -sU -p19 --script chargen <target>

Replace <target> with the host or range you're authorized to scan.

How to check if this port is open

Linux
ss -tulpn | grep ':19 '
sudo nmap -sU -sT -p 19 <target>
Windows
netstat -ano | findstr :19
Test-NetConnection <host> -Port 19
macOS
lsof -i :19
sudo nmap -sU -sT -p 19 <target>

How to block this port

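Linux (ufw)
sudo ufw deny 19/tcp
sudo ufw deny 19/udp
Linux (firewalld)
sudo firewall-cmd --permanent --remove-port=19/tcp
sudo firewall-cmd --permanent --remove-port=19/udp
sudo firewall-cmd --reload
Linux (iptables)
sudo iptables -A INPUT -p tcp --dport 19 -j DROP
sudo iptables -A INPUT -p udp --dport 19 -j DROP
Windows
New-NetFirewallRule -DisplayName "Block 19 TCP" -Direction Inbound -Protocol TCP -LocalPort 19 -Action Block
New-NetFirewallRule -DisplayName "Block 19 UDP" -Direction Inbound -Protocol UDP -LocalPort 19 -Action Block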

What runs on port 19?

Port 19 carries the Character Generator Protocol (CharGEN), defined in RFC 864 as a network debugging and measurement aid. On receiving any input it returns a continuous stream of arbitrary characters (over TCP) or a packet of characters per datagram (over UDP). It was once bundled with Unix inetd and as a Windows Simple TCP/IP Service, but it has no legitimate use on modern networks.

Why it matters for security

CharGEN is dangerous purely because it still exists on forgotten hosts. The UDP variant answers any datagram with a far larger response, making it an ideal reflection and amplification vector: an attacker spoofs a victim's source address, sends tiny queries to many open chargen servers, and the responses flood the victim. Paired with the echo service on port 7, two open hosts can also be looped against each other to consume bandwidth and CPU.

How it's attacked

Attackers scan for UDP 19 and add open responders to amplification botnets. Spoofed queries reflect oversized replies at a target, contributing to volumetric DDoS. The classic chargen-echo ping-pong ties port 19 to port 7 in a self-sustaining traffic loop. Because the protocol requires no authentication, any reachable instance is immediately weaponizable.

Hardening checklist

There is no reason to run CharGEN today — disable it outright. On Windows, remove the Simple TCP/IP Services feature; on Unix, delete the chargen entry from inetd/xinetd and restart the daemon. Block UDP and TCP 19 at firewalls and edge ACLs. Use the nmap snippet above to confirm chargen is closed on hosts you are authorized to test.
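
An added example, not part of the original page: a small Python audit that reports chargen and echo entries still active in inetd.conf or xinetd configuration text, so the removal step above can be verified. The function names and sample configs are constructed for illustration, and it assumes xinetd treats a service block without "disable = yes" as enabled.

```python
import re
# chargen (port 19) and echo (port 7), the loop partner this page mentions.
WATCHED = {"chargen", "echo"}

def audit_inetd(text):
    """Return (service, protocol) for each active inetd.conf line."""
    findings = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # strip comments, tokenize
        # Layout: service socket-type protocol wait/nowait user program
        if len(fields) >= 6 and fields[0] in WATCHED:
            findings.append((fields[0], fields[2]))
    return findings

def audit_xinetd(text):
    """Return (service, protocol) for each service block not disabled."""
    findings = []
    blocks = re.findall(r"^\s*service\s+(\S+)\s*\{(.*?)\}", text, re.S | re.M)
    for name, body in blocks:
        attrs = {}
        for line in body.splitlines():
            key, sep, value = line.split("#", 1)[0].partition("=")
            if sep:
                attrs[key.strip()] = value.strip().lower()
        # Assumption: a block without "disable = yes" is treated as enabled.
        if name in WATCHED and attrs.get("disable") != "yes":
            findings.append((name, attrs.get("protocol", "unknown")))
    return findings

# Constructed sample configs, not taken from a real host.
SAMPLE_INETD = """\
#echo    stream  tcp  nowait  root  internal
chargen  stream  tcp  nowait  root  internal
chargen  dgram   udp  wait    root  internal
ftp      stream  tcp  nowait  root  /usr/sbin/ftpd ftpd
"""
SAMPLE_XINETD = """\
service chargen
{
    disable  = yes
    protocol = tcp
}
service chargen
{
    protocol = udp
}
"""
if __name__ == "__main__":
    print(audit_inetd(SAMPLE_INETD), audit_xinetd(SAMPLE_XINETD))
```

An empty result from both functions means no watched service is configured to start; any tuple returned names a service and transport that still needs removing.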


Frequently asked questions

What is port 19 used for?
Port 19 is the Character Generator (CharGEN) protocol, a 1980s debugging tool that replies to any packet with a stream of characters. It is obsolete and should be disabled.
Why is CharGEN a DDoS risk?
A small spoofed UDP request triggers a much larger reply, so open chargen servers are abused as reflectors/amplifiers to flood third-party victims.
