
How to Decimate Scanners With Bo2k


The Pull

Jan 9, 2000, 3:00:00 AM1/9/00
Situation: A shithead is scanning millions of systems. When he scans
your ports for netbus, subseven, NNTP servers, SOCKS, etc and the
scanner locks up, and crashes... it might even crash his system bringing
it to a 100% full processor usage pretty quickly... and if he has left
his scanner going while he sleeps, when he wakes up he finds his
processor is still smoking amongst the charred remains of his
motherboard.

Pseudo-Urban legend... or a reality?

A reality.

Believe it.... or not.

How to do this to them?

..............................................

Perhaps it goes something like this:

Bo2k works really well with IP redirection... and, it is really the only
safe remote administration tool to run on your system of its kind...

(Meaning, it doesn't overload the processor when listening on multiple
ports for redirection.)

Anyway, when scanning a system for vulnerabilities, a service that
spews out endless, looping data really fast on port 19 made me think of
this because it would halt my scanner - bringing the CPU to 100% -
every time I got to it...

(In effect, the scanner doesn't have bounds checking and is just trying
to bring back the header, ie "Subseven v2.1 ready", "Sendmail 8.0.9",
etc. Instead what is brought back is "xxxxxxxx... ad infinitum".)

Here is what to do to seriously fuck up most scanners: go through your
firewall logs for all of the most common scans and attacks on your
system, grab the port numbers and then run bo2k on your system. Reroute
these ports on your system to your localhost on a port that is
configured to spew out this sort of endless data. On Windows 2000 this
is the aforementioned port 19.... you could otherwise put a netcat on a
port, run it in detached mode to execute a batch file that echoed, say
multiple dictionary files or whatever. (I don't know how safe that is,
you could also write a little C app that used stdout in an endless loop
with something really obnoxious and have nc run that on a port... I
don't know about the security implications of that... there may be a C
app out there you can find that does this sort of thing, and if it is
Unix, build it with Cygnus' free software at www.cygnus.com.)

The Pull.


skaminoff

Jan 9, 2000, 3:00:00 AM1/9/00
Rockin! I knew I had been saving those firewall logs for some
reason... now I'm gonna' put them to use.

skaminoff

On Sun, 09 Jan 2000 14:36:04 GMT, The Pull <osio...@my-deja.com>
wrote:

The Pull

Jan 9, 2000, 3:00:00 AM1/9/00
You should be able to enable chargen (port 19) in the registry, if it is not
enabled. Be aware that it can be used against... however, you can also find
a lot of other uses for it.

The Pull.

The Pull

Jan 9, 2000, 3:00:00 AM1/9/00
Oh, and lastly, on that: the technique used was to issue this command "telnet
host 19 | telnet host 53". That pipes the output from port 19 to 53, which was a
buggy DNS - this was about three years ago. But, besides answering typical
scanners with it, you should be able to use the above method, "telnet host port
| telnet host port" to goof with someone on various ports, ICQ, FTP, etc... and
see what happens.

This can cause horrible bandwidth problems, so maybe I shouldn't say that.

(also, there was the denial of service by repeatedly accessing chargen... this
might work again, but I doubt it, guess I will have to try).

Bill Katz

Jan 10, 2000, 3:00:00 AM1/10/00
Ox, Ox, Ox,


I do indeed like this one, you are indeed the man!

I get hit about 4-5 times a day by scanners and I really always wanted
to do something about it, heh, this may actually rouse me from my coding
lethargy and make me fire up a compiler.

I think I can hack my way through a couple of lines of C to spit out
random #'s or something to stdio, but what is the NC thing you mentioned
to re-direct that to a port, or might there not be a really "clean" way
to deliver a stream to BO? Heck, maybe I'll try it in Java, then it is
X-platform, besides I'm pretty sure Java can open a network socket,
maybe you can directly link it to the port on BO that you want to
re-direct with?

Bill

The Pull

Jan 10, 2000, 3:00:00 AM1/10/00
Chargen is the thing... I tried doing it with a batch file, spitting shit
out, and it was really slow comparatively... NC... that's netcat, they have it
for Unix and Windows (Dildog or Mudge coded it for Windows).

I guess C could spit out shit as Chargen does, assembly would probably be
faster and take up less resources... but, it is such a simple thing, that
probably doesn't matter. The C compiled code will probably be clean and
sharp.

Still, Chargen is standard on Unix and on Windows (NT and 2000, at least)...
it is on port 19, TCP and UDP. Someone just coded a "good", supposedly, port
redirector for Unix; see the Tools section of www.securityfocus.com. That can
probably be compiled under Windows through Cygwin.

I have been using Unix OS's (yeah, Linux and Free and OpenBSD) for a few
years now, off and on, and I don't recall it being set up by default... but
it should be with your OS.

Chargen has been in use for a while, so you can expect it to have been updated
for possible exploits against it. I think chargend is the program
name under Unix.

What does it officially do? It is for testing for packet drops. It literally
takes up ALL of your available bandwidth on that system. When a scanner hit
my system (and I have that set up), the readout showed the endless feed,
which the scanner cannot begin to keep up with.

The Pull.
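The two points made in this thread (a scanner that grabs a banner with no bounds checking, and chargen's endless rotating lines on port 19) can be seen together in the C program below. It is an added example, not code from this thread, from BO2K or from netcat: it generates RFC 864 chargen lines in-process (no socket, so it runs offline), feeds them to a banner grabber through a read(2)-shaped callback, and shows that a read with a hard byte cap returns where an "until the peer closes" loop would never return. The names chargen_line, finite_src, chargen_src and grab_banner_bounded are mine, and the "Sendmail 8.0.9" banner is a constructed sample in the style of the ones mentioned above.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>   /* ssize_t */

/* RFC 864 chargen pattern: the 95 printable ASCII characters 0x20..0x7E,
   emitted as 72-character lines + CRLF, each line starting one character
   further along the cycle than the previous one. */
#define CG_LINE   72
#define CG_FIRST  0x20
#define CG_NCHARS 95

/* Write chargen line number n (0-based) into buf (needs CG_LINE + 3 bytes).
   Returns the number of bytes written, excluding the terminating NUL (74). */
size_t chargen_line(unsigned n, char *buf) {
    for (unsigned i = 0; i < CG_LINE; i++)
        buf[i] = (char)(CG_FIRST + (n + i) % CG_NCHARS);
    buf[CG_LINE]     = '\r';
    buf[CG_LINE + 1] = '\n';
    buf[CG_LINE + 2] = '\0';
    return CG_LINE + 2;
}

/* A read(2)-shaped callback, so the banner grabber can be driven by any
   byte source: a real socket in practice, in-memory sources here. */
typedef ssize_t (*read_fn)(void *ctx, char *buf, size_t len);

/* Source 1: a normal service banner followed by EOF (the server closes). */
typedef struct { const char *data; size_t len, off; } finite_src;

ssize_t finite_read(void *ctx, char *buf, size_t len) {
    finite_src *s = ctx;
    size_t avail = s->len - s->off;
    size_t n = avail < len ? avail : len;
    memcpy(buf, s->data + s->off, n);
    s->off += n;
    return (ssize_t)n;            /* 0 == EOF, exactly like read(2) */
}

/* Source 2: chargen. Hands out at most one pattern line per call (partial
   reads, like a real socket) and never returns 0: the stream has no end. */
typedef struct { unsigned line; size_t pos, curlen; char cur[CG_LINE + 3]; } chargen_src;

void chargen_src_init(chargen_src *s) {
    s->line = 0; s->pos = 0;
    s->curlen = chargen_line(0, s->cur);
}

ssize_t chargen_read(void *ctx, char *buf, size_t len) {
    chargen_src *s = ctx;
    if (s->pos >= s->curlen) {          /* current line consumed: next line */
        s->line++; s->pos = 0;
        s->curlen = chargen_line(s->line, s->cur);
    }
    size_t avail = s->curlen - s->pos;
    size_t n = avail < len ? avail : len;
    memcpy(buf, s->cur + s->pos, n);
    s->pos += n;
    return (ssize_t)n;
}

/* Banner grab with a hard byte cap. Reads until EOF or until cap bytes are
   stored, whichever comes first; out needs cap + 1 bytes and is NUL-terminated.
   *truncated is set when the cap was hit, which is the caller's cue to close
   the socket and log "endless banner" instead of looping. A grabber that
   loops "until the peer closes" never returns on chargen: that is the 100%
   CPU hang the thread describes. */
size_t grab_banner_bounded(read_fn rd, void *ctx, char *out, size_t cap, int *truncated) {
    size_t total = 0;
    while (total < cap) {
        ssize_t n = rd(ctx, out + total, cap - total);
        if (n <= 0) break;            /* EOF or error: banner complete */
        total += (size_t)n;
    }
    out[total] = '\0';
    *truncated = (total == cap);
    return total;
}

int main(void) {
    char out[4097]; int trunc;

    /* Constructed sample banner, not captured from a real host. */
    finite_src f = { "Sendmail 8.0.9\r\n", 16, 0 };
    size_t n = grab_banner_bounded(finite_read, &f, out, 4096, &trunc);
    printf("normal service: %zu bytes, truncated=%d, banner=%s", n, trunc, out);

    chargen_src c; chargen_src_init(&c);
    n = grab_banner_bounded(chargen_read, &c, out, 4096, &trunc);
    printf("chargen:        %zu bytes, truncated=%d, first line: %.72s\n", n, trunc, out);
    return 0;
}
```

On a real socket the byte cap should be paired with a receive timeout (SO_RCVTIMEO or select(2)), since a listener that sends nothing at all is the other way a banner grab can stall; the cap handles the "too much" case, the timeout the "nothing" case.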

Bill Katz

Jan 11, 2000, 3:00:00 AM1/11/00
Pull (Ox)

Cool dude, I will fire up the Redhat CD and see what I can find, though
I still think you are right, a tight loop in C should do the job. Never
seen securityfocus before, thanks for the tip, also hopefully there is a
man page on netcat.

Bill

The Pull

Jan 11, 2000, 3:00:00 AM1/11/00
Sure, there's a man page on netcat (perhaps run merely by "nc"), and plenty
of docs... just check freshmeat for it if necessary.

Da Pull.
