
Spoilerwall: Respond to port scanning requests with movie spoilers - llazzaro
https://github.com/infobyte/spoilerwall
======
dsl
You have to be very careful when running this on the telnet port.

I had a server set to spew a full color ANSI Nyancat at you when you telneted
in. When the Mirai botnet was in full swing, I was pushing 5+ Mbps of Nyancat
down to people's infected webcams and killing my server's CPU.

~~~
adrianN
Surely some enterprising hacker can optimize Nyancat so that a normal server
can saturate a gigabit connection without killing the CPU.

~~~
dsl
I can't seem to edit my post anymore, but the machine in question was a tiny
little VM used as an SSH jump host. The specs were minimal. It was the only
machine that wasn't firewalled to hell and back, which is why I did the
Nyancat there.

I'm working on deploying an enterprise grade NaaS solution across a large
cluster of servers, stay tuned!

------
haberman
If you like this, you might like Lenny, the bot designed to waste
telemarketers' time.

[https://toao.net/595-lenny](https://toao.net/595-lenny)

[https://www.youtube.com/watch?v=lryrm2CVaVg&list=PLduL71_GKz...](https://www.youtube.com/watch?v=lryrm2CVaVg&list=PLduL71_GKzHHk4hLga0nOGWrXlhl-i_3g)

[https://www.reddit.com/r/itslenny/](https://www.reddit.com/r/itslenny/)

~~~
a_c
How does this work? There is definitely huge demand based in other languages!

~~~
EGreg
It's just a recording.

~~~
Sophira
It's a little more than that; it also incorporates silence detection so that
it waits for the caller to finish talking before 'Lenny' plays its next line.

But otherwise, yeah, it's just recordings.

~~~
a_c
It does seem natural that it is a recording with silence detection. What about
the process of choosing this specific set of dialogue? It is definitely not
chosen arbitrarily, as Lenny's responses blend pretty well with marketers'
questions. I was imagining some analysis of marketers' most used conversations
was done.

~~~
Sophira
The lines are exactly the same for each caller, played in the same order, on a
loop. The recordings are obviously tailored for telemarketer scripts, and to
string them along and make them think a conversation is going, but there's no
dynamic analysis going on.

If that's what you're saying, I apologise for misinterpreting!

------
Ankaios
How about also responding with censored Russian and Chinese news stories,
history, and the like? Seems like a decent way to respond to Kremlin
astroturfers and friends, too.

~~~
willvarfar
So Russia and China put your servers on their blacklists and you get magical
protection from hackers whose last hop comes from those countries? Excellent
mitigation :)

------
tyingq
A random mix of elevator pitches for various religions might be a better
deterrent. _Have you heard the good news?_

~~~
KekDemaga
Perhaps questions like "This statement is false", "New Mission: decline this
mission", base64 encoded copies of René Magritte's 'this is not a pipe', "God
is all powerful, can He make a rock so big that He Himself can't lift it?",
"calculate the 2nd prime number", etc to prevent automated AI attacks.

~~~
Dylan16807
> "New Mission: decline this mission"

Is that a paradox? If you accept it or have it forced on you then depending on
how you interpret the rules you either succeed or fail straightforwardly. If
you don't accept it or have it forced on you then nothing happens. There's no
loop of logic.

~~~
IncRnd
You seem like the sort of person who says, "I always lie."

~~~
Dylan16807
I like it. Because that's also not a paradox, it's just a lie.

It can be deceptively difficult to get the wording correct on a paradox.

~~~
IncRnd
In the sense that a paradox is self-contradicting, what I wrote is definitely
a paradox. Trust me. I always tell the truth, so to speak.

~~~
Dylan16807
"It's noon in Texas, and it's midnight in Texas." is also self-contradicting.
That's not enough for a paradox.

------
btown
In all seriousness, if any hacker saw this in their logs, they'd probably say
"well played" and redouble their efforts.

~~~
CodeWriter23
Yes we need to fork this into Project Spoilerwall Honeypot.

------
Animats
This is like yelling at recorded telemarketing pitches.

~~~
Brian_K_White
Plot hole.

A human responding to a machine would indeed be silly.

But this is a machine responding to a machine.

------
droithomme
If anyone is planning to use this they might want to review and clean up the
dataset. It contains many fake spoilers, as well as non-sequitur obscenities
and racist epithets.

------
TimMurnaghan
Damn it - now I can't go to see the postgres movie as I know how it ends.

PostgreSQL received invalid response to SSL negotiation: B

------
zeptomu
Quick question:

Why does

    35: chosen = random.choice(movies)

at
[https://github.com/infobyte/spoilerwall/blob/master/server-s...](https://github.com/infobyte/spoilerwall/blob/master/server-spoiler.py#L35)
have a reference to 'movies'. I thought one had to explicitly
pass it to the MyTCPHandler class using the server object? Or is this a
special case because of __main__?

~~~
y7
If the file gets executed as a script, then __name__ == "__main__", hence
L43:53 get executed in the top-level scope, which is also available in the
lower levels. This isn't very good writing, since this code will throw
exceptions when __name__ != "__main__" (i.e. when import-ing the file as a
module), which misleadingly defeats the purpose of having that conditional
there.

~~~
zeptomu
Ok, thanks, that makes sense. I knew that top-level variables are global, but
didn't know that variables in __main__ share this property (which is e.g.
different in the C language).

~~~
apenwarr
Usually people write an actual function called main(), and call it from the
global level conditional, to avoid this oddness. The actual function called
main() has no special meaning in python.
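
Added example, not part of the thread and not the project's own code: a sketch of the two suggestions in this sub-thread, passing the spoiler list to the handler through the server object and calling a real main() from the `__name__` conditional, so importing the file never hits an undefined global. `SpoilerServer`, `SpoilerHandler`, `fetch_banner` and the sample spoilers are hypothetical names and constructed data.

```python
import random
import socket
import socketserver
import threading

# Constructed sample data standing in for the real spoiler list.
SAMPLE_SPOILERS = ["Constructed spoiler A.", "Constructed spoiler B."]


class SpoilerServer(socketserver.ThreadingTCPServer):
    """TCP server that owns the spoiler list instead of relying on a global."""
    daemon_threads = True

    def __init__(self, address, handler, movies):
        super().__init__(address, handler)
        self.movies = movies


class SpoilerHandler(socketserver.BaseRequestHandler):
    def handle(self):
        # self.server is the SpoilerServer instance, so no module-level
        # 'movies' name is needed and the class works when imported.
        chosen = random.choice(self.server.movies)
        self.request.sendall((chosen + "\n").encode("utf-8"))


def fetch_banner(host, port, timeout=2.0):
    """Connect the way a banner-grabbing scanner would; return what was sent."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as conn:
        # The server closes the socket after handle() returns, ending the loop.
        for data in iter(lambda: conn.recv(4096), b""):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8")


def main():
    # Port 0 asks the OS for a free loopback port, for a local demonstration.
    with SpoilerServer(("127.0.0.1", 0), SpoilerHandler, SAMPLE_SPOILERS) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        host, port = server.server_address
        print(fetch_banner(host, port), end="")
        server.shutdown()


if __name__ == "__main__":
    main()
```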

------
bananabill
I'll use this along with the metal band logo captcha plugin and be secure as
hell.

~~~
krylon
> metal band logo captcha plugin

(Un-)holy captcha, Batman! In retrospect, the idea is so obvious. If I ever
get myself a homepage or something, I will put that to good use. =D

------
raverbashing
Is there one that causes SSH clients trying to brute-force passwords to crash?

~~~
xfer
I have moved from port 22 a long time ago.

------
krylon
> Alien vs. Predator: At the end the last guy in the cinema pissed on the
> screen before leaving.

I have never seen a movie summed up in a single sentence so well.

------
thomasdd
Now NMAP has to be rewritten to detect this crazy honey-potting style, by
utilising "spoilers.json" file :) I love Python, I just implemented this in my
HoneyPot added some connections-counters, statistic and alerting... Anyone
want to have as free open-source on github? Let me know.

------
jwilk
In a remotely similar vein, I sometimes run an open proxy that always responds
with a cow:

[https://github.com/jwilk/cowproxy](https://github.com/jwilk/cowproxy)

------
pje
> Fucked up people killing cats after a tornado

Gummo is so much more than this though

------
jerianasmith
You will make your pen testers sad. Others like movies.

------
xz0r
What if someone discovers an RCE in SocketServer?

------
Satchelmouth
Port 22, best spoiler.

------
bryanrasmussen
One word: AdvertWall

------
aquasarus
In an effort to explain what this does, I'd just like to point out how the
grammar of the title is meant to be interpreted: [Avoid being scanned] [by
spoiling movies] [on all your ports].

~~~
valbaca
Here I think the passive voice actually helps and an extra word.

Spoil movie [plots] on all your ports to avoid being scanned. {{by zombies}}

~~~
JadeNB
The title as currently (re)written, "Respond to port scanning requests with
movie spoilers", also seems quite clear.

------
acchow
I have tried to parse this sentence 10 times and do not understand. Reading
the Github README did not help at all. Can someone explain what is happening?

~~~
saulrh
This is a short program that listens on a port and responds to _any_ attempt
to connect to that port by sending back movie spoilers. The idea being that
anyone that tries to port-scan your machine will be punished by having all the
twists in all the best movies revealed.

~~~
banku_brougham
I like this explanation. But is this good network security?

~~~
ChuckMcM
I did a killclient which would send back a malformed packet to any ssh
handshake and kill the connecting client. This made the pentesters mad.
Sending them spoilers will just make them sad, and not so mad.

~~~
pbhjpbhj
Is that a feature or was that a hack? Did the same packet kill multiple
clients? More info?

~~~
ChuckMcM
It was a hack, I was getting a nice regular supply of probes from Brazilian
addresses, connect to port 22, try 5 different passwords on several different
ids ad nauseam. So I hacked the openssh server to start mutating the response
packets. (very trivial genetic programming where the 'fitness' function value
was time to respond between calls, longer = better) That went on for a while
until the mutated response was somewhere around 10K bytes and then the call
would just stop. A couple of weeks after that I got DDOS'd from a Brazilian
botnet. Fail2ban cleaned that up but in practical terms it was easier to just
use fail2ban on all of that.

~~~
Crespyl
That sounds extremely interesting, do you have a write up or source code
somewhere?

I'd be interested to hear about more applications of adaptive/genetic code to
network security.

~~~
ChuckMcM
I think it sounds more complicated than it is, think of it as response
fuzzing. It is exactly like trying to find vulnerabilities in servers by
sending them fuzzed packets except in this case you're trying to find
vulnerabilities in clients by _returning_ a fuzzed packet.

------
tomswartz07
The spoiler on Port 5432 is pretty intense. :)

~~~
dom0
(They're random - different every request)

------
murcs
Why not just tarpit them? Isn't time an issue like in mail spam? If it takes
forever to scan you ...
[https://sysadminblog.net/2013/08/debian-iptables-tarpit/](https://sysadminblog.net/2013/08/debian-iptables-tarpit/)

