Vulnerability Development: Re: Remote exploitation of network scanners?

[Ricardo Anguiano <anguiano () cs ucdavis edu>]

Lincoln Yeoh <lyeoh () POP JARING MY> writes:
> I'd just stick to a few popular ports. Maybe activate them on
> demand. This just for those trojan scans. Nmap-style full scans should
> be treated differently I think.
That is exactly what I did.  The "popular" ports became chargen via inetd.

> However what I'm thinking of is not so much a raw long stream of data.
> Rather something that looks like input which the scanner will take and
> then choke on. So if the attacker scans a whole range of IP addresses
> I am listening on, I could just send a few kilo bytes back and then
> run sleep for maybe a minute. If I am being spoofed, the few packets
> won't do anything to the 3rd party machine because they won't be
> listening on that port. And there won't be any gain for bandwidth
> flooding - the attacker might as well do things directly.
I like the idea of sending a trickle of seemingly legitimate traffic to
slow down scanners.  It's less bandwidth intensive.  Since this was
purely a side project (read: distraction), I did not want to start
implementing any protocols.

-Ricardo