Port 19 is where the Internet talks to itself. Connect to this port and a server will start streaming characters at you, endlessly, without purpose, without meaning, without stopping. It will keep going until you hang up. It doesn’t care what you send it. It doesn’t listen. It just generates.

This is the Character Generator Protocol, and it is exactly what it sounds like.

What Port 19 Does

CHARGEN is one of the simplest protocols ever standardized. Connect via TCP, and the server immediately begins transmitting a continuous stream of ASCII characters. No handshake. No authentication. No negotiation. Just characters, flowing like water from a tap you can’t turn off.

The UDP version is even stranger: send any datagram to port 19, and you’ll receive back a random-length response containing between 0 and 512 characters. The content of your message is ignored entirely. You knock on the door; the door screams back a wall of text.

RFC 864 even acknowledges the likely user experience: "It is fairly likely that users of this service will abruptly decide that they have had enough and abort the TCP connection, instead of carefully closing it."1 The protocol’s own specification predicts you’ll get annoyed and slam the phone down.

How the Protocol Works

The elegance of CHARGEN lies in its prescribed output pattern. RFC 864 recommends generating 72-character lines using all 95 printable ASCII characters (codes 32-126), treating them as a ring.1

Line 1 starts with character 0 and displays characters 0-71. Line 2 starts with character 1 and displays characters 1-72. Each subsequent line shifts by one position.

The result is a hypnotic rotating pattern:

Watch it scroll and you’ll see the entire ASCII alphabet marching diagonally across your screen, forever. It’s oddly beautiful, like a screen saver from before screen savers existed.

The History

Jon Postel published RFC 864 in May 1983.1 Postel was the RFC Editor from 1969 until his death in 1998, and he wrote many of the foundational documents that define how the Internet works.2 The Economist once called him "the god of the Internet," though Postel himself deflected the title: "Of course, there isn’t any ‘God of the Internet.’ The Internet works because a lot of people cooperate to do things together."3

CHARGEN was part of a family of simple diagnostic services Postel standardized that same month:

• Echo (Port 7, RFC 862): Sends back whatever you send it
• Discard (Port 9, RFC 863): Accepts anything and throws it away
• Daytime (Port 13, RFC 867): Returns the current date and time
• Quote of the Day (Port 17, RFC 865): Returns a random quote
• CHARGEN (Port 19, RFC 864): Generates endless characters

These weren’t meant to be useful services. They were diagnostic tools, ways to verify that packets could travel from A to B and back again.4 In 1983, when the ARPANET was transitioning to TCP/IP and becoming the Internet we know today, you needed simple ways to test whether your network stack actually worked.

CHARGEN answered a specific question: Can my machine receive a continuous stream of data? If you connected to port 19 and saw characters scrolling, your TCP implementation was functioning. If you sent a UDP packet and got characters back, your UDP stack worked. Simple. Elegant. Innocent.

The Problem

Here’s what Postel didn’t anticipate: the Internet would grow beyond a walled garden of researchers who trusted each other. And in that larger, wilder Internet, CHARGEN became a weapon.

The vulnerability is elegant in its horror. UDP is connectionless, which means you can lie about who you are. Send a UDP packet to port 19, but forge the source address to be your victim’s IP. The CHARGEN server doesn’t check, doesn’t care, doesn’t know. It just sends its response, up to 512 bytes of characters, to whoever the packet claims to be from.5

A 1-byte request can generate a 512-byte response. That’s amplification by a factor of 512 in payload alone.6 When you account for packet headers, a 60-byte request becomes a 1,066-byte response, an amplification factor of roughly 18x.6

Now imagine an attacker with a botnet. They send millions of tiny forged requests to thousands of CHARGEN servers around the world. All those servers dutifully respond, but they respond to the victim. The victim drowns in a flood of characters they never requested.

In April 2013, this exact attack hit financial institutions.7 Attackers flooded them with UDP port 19 traffic from CHARGEN servers across the Internet. The protocol that once tested whether networks worked was now testing whether they could be broken.

Security Considerations

CHARGEN should not be running on any Internet-facing system. Period.

The protocol has no authentication, no access control, and no legitimate modern use case that justifies the risk. Yet it persists, especially in places you might not expect:

• Network printers often ship with CHARGEN enabled by default. Printer firmware rarely gets updated, and many organizations don’t realize their printers are participating in DDoS attacks against strangers.8
• Legacy systems may still have CHARGEN enabled from decades ago when it was standard practice.
• IoT devices sometimes include CHARGEN as part of embedded Linux distributions without anyone noticing.

If you must use CHARGEN for local network testing, ensure it’s blocked at your firewall. Better yet, use modern diagnostic tools instead. The ping command tests connectivity. iperf measures throughput. There’s no reason to leave a 1983 character generator running.

Organizations implementing BCP 38 (network ingress filtering) can help prevent their networks from being used as amplification sources by blocking packets with spoofed source addresses.6

Related Ports

Port 19 belongs to a family of simple diagnostic services from the same era:

Port	Protocol	RFC	Purpose
7	Echo	862	Returns what you send
9	Discard	863	Accepts and discards all data
13	Daytime	867	Returns current date/time
17	QOTD	865	Returns a random quote
19	CHARGEN	864	Generates endless characters

All were designed for testing. All are considered obsolete. All should be disabled on production systems.4

What Flows Through Port 19

Almost nothing legitimate anymore. If you see traffic on port 19 today, it’s almost certainly one of three things:

1. Reconnaissance: Attackers scanning for CHARGEN servers to add to their amplification arsenal
2. Active attacks: Spoofed requests being bounced off your server toward victims
3. Misconfiguration: A forgotten service that should have been disabled years ago

The Shadowserver Foundation maintains lists of open CHARGEN servers visible on the Internet, tracking them as potential DDoS vectors.8 Being on that list is not a distinction anyone wants.

The Meditation

There’s something strangely poignant about CHARGEN. It was designed to do one thing: generate characters. Not useful characters. Not meaningful characters. Just characters, in a beautiful rotating pattern, streaming forever into the void.

Jon Postel built it as a test: Can this machine receive data? But in a deeper sense, it tests something else. It tests whether a network can simply be present, continuously transmitting, without purpose or payload, just existing.

Connect to a CHARGEN server and watch the characters scroll. Each one was generated for you, by a machine following a 40-year-old specification, because you asked. The machine doesn’t know why you asked. It doesn’t care. It just generates.

In a world of APIs and authentication and encrypted tunnels, there’s something almost meditative about a protocol that does nothing but exist, streaming characters into the darkness until someone decides they’ve had enough.