Port reference
Port 7 (TCP/UDP) – Echo Protocol
Legacy diagnostic service that echoes back any data it receives, used for connectivity testing.
Default state
Disabled on modern systems but still found on legacy Unix hosts, network gear, and printers via inetd.
Common attacks
- UDP amplification / reflection DDoS, often paired with chargen (port 19)
- Echo-chargen packet storm loops between two hosts
- Bandwidth exhaustion via spoofed-source floods
Hardening
- Disable the echo service in inetd/xinetd entirely
- Block UDP and TCP port 7 inbound at the perimeter
- Remove legacy simple-TCP/UDP services from network devices
- Filter spoofed source addresses with BCP 38 ingress filtering
nmap snippet
nmap -sU -p7 --script banner <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 7?
Port 7 is the default for the Echo Protocol (RFC 862), one of the original
simple TCP/IP diagnostic services. The server simply echoes back any bytes
sent to it, on both TCP and UDP. It was designed to verify basic connectivity and
round-trip behavior. Modern operating systems ship it disabled, but it still
lingers in legacy Unix inetd configurations, older network appliances, and
some printers.
Why it matters for security
Echo provides no authentication and no useful function today, yet it can be weaponized. Because the UDP variant replies to any source address, an attacker who spoofs a victim's IP turns the echo server into a reflector, bouncing traffic at the target. It is a classic ingredient in reflection and amplification DDoS, and it wastes resources on the host running it.
How it's attacked
The signature abuse is UDP reflection: spoofed-source packets cause replies to flood a victim. Echo is frequently paired with chargen (port 19) — connecting one server's echo to another's character generator creates a self-sustaining packet storm that saturates links between the two hosts. Attackers scan for these legacy services precisely because they are easy to abuse and rarely needed.
Hardening checklist
Disable the echo service in inetd/xinetd and remove any equivalent
"simple services" on routers, switches, and printers. Block TCP and UDP port 7
inbound at the perimeter, and apply BCP 38 ingress filtering so spoofed-source
floods cannot originate from or reflect through your network. Use the nmap snippet
above to confirm whether echo is exposed on hosts you are authorized to test.
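As an added example (not part of the original page), this Python script audits inetd.conf and xinetd configuration text for echo and chargen entries that are still enabled. The sample configurations are constructed, and an xinetd block without a "disable = yes" line is assumed to be served; a "disabled" list in an xinetd defaults section is not evaluated.

```python
import re

# Simple services this page names, with their well-known ports.
SIMPLE_SERVICES = {"echo": 7, "chargen": 19}
TRANSPORT = {"stream": "tcp", "dgram": "udp"}

def audit_inetd(text):
    """Return (service, port, protocol) for each active inetd.conf entry.
    Fields: service socket_type protocol wait-flag user program [args]"""
    found = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # a commented-out entry is disabled
        if len(fields) >= 6 and fields[0] in SIMPLE_SERVICES:
            found.append((fields[0], SIMPLE_SERVICES[fields[0]], fields[2]))
    return found

def audit_xinetd(text):
    """Return (service, port, protocol) for each xinetd block not disabled."""
    found = []
    text = re.sub(r"#.*", "", text)  # drop comments before matching blocks
    for name, body in re.findall(r"service\s+(\S+)\s*\{(.*?)\}", text, re.S):
        if name not in SIMPLE_SERVICES:
            continue
        attrs = dict(map(str.strip, l.split("=", 1)) for l in body.splitlines() if "=" in l)
        # Assumption: a block with no "disable = yes" line is served.
        if attrs.get("disable", "no").lower() != "yes":
            transport = TRANSPORT.get(attrs.get("socket_type", ""), "unknown")
            found.append((name, SIMPLE_SERVICES[name], transport))
    return found

# Constructed samples, not taken from a real host.
INETD_SAMPLE = """\
echo     stream  tcp  nowait  root  internal
echo     dgram   udp  wait    root  internal
#chargen dgram   udp  wait    root  internal
ftp      stream  tcp  nowait  root  /usr/sbin/in.ftpd in.ftpd
"""
XINETD_SAMPLE = """\
service echo
{
    disable     = yes
    socket_type = dgram
}
service chargen
{
    socket_type = stream
}
"""
for svc, port, proto in audit_inetd(INETD_SAMPLE) + audit_xinetd(XINETD_SAMPLE):
    print(f"ENABLED {svc} on {port}/{proto}: disable it")
```

On a real host, pass the contents of the inetd configuration file and of each xinetd service file to the two functions instead of the samples.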
Frequently asked questions
- What is the Echo Protocol on port 7?
- Echo (RFC 862) is a diagnostic service that sends back any data it receives. It was meant for connectivity testing but is now obsolete and considered a security risk.
- Why is port 7 dangerous?
- On UDP, an attacker can spoof a victim's source address so the echo reply floods the victim. Paired with chargen on port 19, two open servers can be looped into a packet storm.