I’ve read an article which describes how to simulate the close ports as open in Linux by eBPF. That is, an outside port scanner, malicious actor, will get tricked to observe that some ports, or all of them, are open, whereas in reality they’ll be closed.
How could this be useful for the owner of a server? Wouldn’t it be better to pretend otherwise: open port -> closed?
pseudo honeypot ip blocker. you could auto drop traffic from people sniffin where/when they should not be
Would it even need to pretend it is open? If it can fake a port being open then it can tell when a close port is being pinged. So can outright block connections from those IPs without ever pretending it is open?
sure, if you want to be that black and white about it… but with this you maybe could glean more information about the attempt and have more granular logic.
What extra information could you gather? Note I assume we are talking about a fake open port here, not an active service listening on a port that can communicate with the attacker. That could be done without eBPF though - so what advantage would eBPF have here?
And I assume this is more on the level of responding to pings than creating full connections? At which point you are only dealing with a single packet from the sender. So what value does responding give you here?
Presumably, OP doesn’t know the concept of a honeypot, so: https://en.wikipedia.org/wiki/Honeypot_(computing)
Basically, it’s a decoy system, which an attacker will likely target.
You can’t pretend an open port is closed, because an open port is really just a service that’s listening. You can’t pretend-close it and still have that service work. The only thing you can do is firewalling off the entire service, but presumably, any competent distro will firewall off all services by default and any service listening publicly is doing so for a good reason.
I guess it comes down to whether they feel like it’s worth obfuscating port scan data. If you deploy that across all of your network then you make things just a little bit more annoying for attackers. It’s a tiny bit of obfuscation that doesn’t really matter, but I guess plenty of security teams need every win they can get, as management is always demanding that you do more even after you’ve done everything that’s actually useful.
You can’t pretend-close it and still have that service work.
indeed, a service on a port would no longer properly work. However, pretending that an open port is closed is possible the same way when pretending that’s open
Can you please kindly link to that article, if it’s publicly available?
Possibly to confuse os detection. Not sure if it would be sufficient though.
Maybe a port that is actually open doesn’t look as interesting
From an attacker perspective you would do a quick scan to find open ports, then focus on those ports with more expensive/slower scans to find out what is running on those ports. If everything reports open then what ports do you focus on first? So not so much that actually open ports are less interesting, but that actually open ports are harder to find among all the ports.
Do you youself understand what you’re talking about?
then focus on those ports with more expensive/slower scans to find out what is running on those ports.
What do you mean by “focus on those ports”? What are “more expensive/slower scans”?
If everything reports open
not every port gets reported to be open but only some of them
what ports do you focus on first?
me? or an attacker? he could work with any ports he wishes
