Vulnerability Development mailing list archives

Re: Remote exploitation of network scanners?

From: Lincoln Yeoh <lyeoh () POP JARING MY>
Date: Sat, 26 Aug 2000 19:28:14 +0800

At 12:30 PM 8/25/00 -0700, Ricardo Anguiano wrote:

Hello,

I investigated this very thing.  Netbus freezes if you send it a stream
of ascii characters such as chargen would.  You have to give it a three
finger solute and kill the process/thread.  nmap, was ok if I remember
correctly. I did not test other scanners.


That sounds interesting. There are a few popular trojan scans endemic in
the networks of one of my ISPs. And that ISP doesn't seem to be taking much
or any action - just an automated response to email. Getting rather
tempting to zap them kiddies :).

I thought writing a little daemon to connect to unused ports and flood
the port whenever connected to by "strangers" outside your regular
domain (don't flood your officemates scanning your machine, or your mail
server connecting on the ident port) but I didn't get around to


I'd just stick to a few popular ports. Maybe activate them on demand. This
just for those trojan scans. Nmap-style full scans should be treated
differently I think.

flooding data to each ip address.  I would hate to get tricked into
flooding some innocent.  How do you keep this scanner killer from
becoming a DoS tool?  I didn't have an answer.  The scanners are not


If it's TCP it's not such a big problem, since exposed O/S should be hard
to TCP spoof.

For UDP, that could be an issue - could end up being a target of a
sophisticated fraggle if one is not careful and allows flooding gain -
output greater than input.

However what I'm thinking of is not so much a raw long stream of data.
Rather something that looks like input which the scanner will take and then
choke on. So if the attacker scans a whole range of IP addresses I am
listening on, I could just send a few kilo bytes back and then run sleep
for maybe a minute. If I am being spoofed, the few packets won't do
anything to the 3rd party machine because they won't be listening on that
port. And there won't be any gain for bandwidth flooding - the attacker
might as well do things directly.

For udp one could probably settle for a single perl script to send data
when various criteria are met- I don't need to fork/thread - since I'm
intending to deal with only one "client" at a time ;).

Cheerio,
Link.

Current thread:

Packet Fragmentation Attacks Max (Aug 24)
- Re: Packet Fragmentation Attacks Mikael Olsson (Aug 25)
- Remote exploitation of network scanners? Lincoln Yeoh (Aug 25)
  - Re: Remote exploitation of network scanners? Paul Cardon (Aug 25)
  - Re: Remote exploitation of network scanners? Marc Maiffret (Aug 25)
  - Re: Remote exploitation of network scanners? Ricardo Anguiano (Aug 25)
    - Re: Remote exploitation of network scanners? Bluefish (P.Magnusson) (Aug 26)
    - Re: Remote exploitation of network scanners? Lincoln Yeoh (Aug 26)
    - Re: Remote exploitation of network scanners? Ricardo Anguiano (Aug 26)
    - Re: Remote exploitation of network scanners? Ryan Sweat (Aug 26)
  - Re: Remote exploitation of network scanners? Adam Prato (Aug 25)
    - Re: Remote exploitation of network scanners? Fyodor (Aug 26)
    - Re: Remote exploitation of network scanners? Marshall Beddoe (Aug 26)
  - Re: Remote exploitation of network scanners? Cashdollar, Larry (Aug 25)
  - Re: Remote exploitation of network scanners? Renaud Deraison (Aug 26)
  - Re: Remote exploitation of network scanners? antirez (Aug 26)
    - Re: Remote exploitation of network scanners? Domenico De Vitto (Aug 30)
    - Re: Remote exploitation of network scanners? Bluefish (P.Magnusson) (Aug 31)