loc-srv
By Benoît Dejean on Monday, 10 September 2007, 22:44 - Permalink
So this weekend, I used a DSL connection without any NAT, so my laptop was assigned a public IP by DHCP. My ulog log was spitting a lot, mainly on TCP port loc-srv / 135. Instead of sending REJECT, I opened my iptables and started the following Ruby program to actually open all these connections. When someone sends me a SYN, I reply politely.
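```ruby
require 'socket'
require 'etc'

# Look up everything that needs /etc before chroot hides it
nobody = Etc.getpwnam('nobody')
loc_srv = Socket::getservbyname('loc-srv')

Dir.chroot('/var/run/empty')
Dir.chdir('/')

# Binding to port 135 still requires root
server = TCPServer.new(loc_srv)

# Drop the groups first, then the uid; dropping only the uid would leave
# the process in root's groups
Process.groups = [nobody.gid]
Process::GID.change_privilege(nobody.gid)
Process::UID.change_privilege(nobody.uid)

print <<"EOF"
uid/euid #{Process.uid}/#{Process.euid}
chrooted in #{Dir.pwd}
listening on address #{server.addr.inspect}
EOF

clients = []

loop do
  begin
    client = server.accept_nonblock
  rescue Errno::EAGAIN, Errno::ECONNABORTED, Errno::EPROTO, Errno::EINTR
    # nothing to accept yet: wait until the listening socket is readable
    IO.select([server])
    next
  end
  # remember client so the connection stays opened
  clients << client
  print "#{client.peeraddr.inspect} connected\n"
end
```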
This script needs to be started with some privileges in order to bind on 135, but then it drops its privileges and chroots to somewhere safe. That was very instructive: after ~10 minutes, ss | grep -c loc-srv was reporting more than 280 connections from ~80 different hosts.
What a storm. I'm definitely safe under my GNU+Linux umbrella 
And Ruby is fun 
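An added example, not part of the original post: the script keeps every accepted socket in an array that only grows, so a long run ends when the process runs out of file descriptors. This bounded variant caps the number of held connections and tallies peers per host; the class name, the loopback address and the cap of three are assumptions made for the demo.

```ruby
require 'socket'

# Added example (hypothetical class name): holds at most max_held sockets open.
class BoundedListener
  attr_reader :held, :per_host, :total
  def initialize(host, port, max_held)
    @server = TCPServer.new(host, port)
    @max_held = max_held
    @held = []               # open client sockets, oldest first
    @per_host = Hash.new(0)  # numeric peer address => connections seen
    @total = 0
  end

  def port; @server.addr[1]; end

  # Accept queued connections until idle for `idle` seconds; returns the count.
  def drain(idle = 0.2)
    accepted = 0
    while IO.select([@server], nil, nil, idle)
      begin
        client = @server.accept_nonblock
      rescue IO::WaitReadable, Errno::ECONNABORTED, Errno::EPROTO, Errno::EINTR
        next
      rescue Errno::EMFILE, Errno::ENFILE
        break unless evict   # out of descriptors: free the oldest, then retry
        next
      end
      @per_host[client.peeraddr(false)[3]] += 1  # false: no reverse DNS lookup
      @total += 1
      @held << client
      evict while @held.size > @max_held
      accepted += 1
    end
    accepted
  end

  # Close and forget the oldest held connection; nil when nothing is held.
  def evict
    oldest = @held.shift
    oldest&.close
    oldest
  end
end

# Constructed demo on loopback: five clients against a cap of three.
demo = BoundedListener.new('127.0.0.1', 0, 3)
peers = Array.new(5) { TCPSocket.new('127.0.0.1', demo.port) }
demo.drain
puts "#{demo.total} seen, #{demo.held.size} held, hosts: #{demo.per_host.inspect}"
```

The per-host tally gives the same two figures as the ss count above (connections and distinct hosts) without shelling out, which also works from inside the chroot.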
Comments
It would be nice to have Ruby support in Nautilus, Gedit, Totem plugins.