How could simulating the ports as open be useful?
How could simulating the ports as open be useful?
I've read an article which describes how to simulate the close ports as open in Linux by eBPF. That is, an outside port scanner, malicious actor, will get tricked to observe that some ports, or all of them, are open, whereas in reality they'll be closed.
How could this be useful for the owner of a server? Wouldn't it be better to pretend otherwise: open port -> closed?
pseudo honeypot ip blocker. you could auto drop traffic from people sniffin where/when they should not be
Would it even need to pretend it is open? If it can fake a port being open then it can tell when a close port is being pinged. So can outright block connections from those IPs without ever pretending it is open?
Presumably, OP doesn't know the concept of a honeypot, so: https://en.wikipedia.org/wiki/Honeypot_(computing)
Basically, it's a decoy system, which an attacker will likely target.
You can't pretend an open port is closed, because an open port is really just a service that's listening. You can't pretend-close it and still have that service work. The only thing you can do is firewalling off the entire service, but presumably, any competent distro will firewall off all services by default and any service listening publicly is doing so for a good reason.
I guess it comes down to whether they feel like it's worth obfuscating port scan data. If you deploy that across all of your network then you make things just a little bit more annoying for attackers. It's a tiny bit of obfuscation that doesn't really matter, but I guess plenty of security teams need every win they can get, as management is always demanding that you do more even after you've done everything that's actually useful.
You can’t pretend-close it and still have that service work.
indeed, a service on a port would no longer properly work. However, pretending that an open port is closed is possible the same way when pretending that's open
Maybe what you're referring to is along the lines of a port being open but the software on the other side of it not sending acknowledging responses?
Maybe a port that is actually open doesn't look as interesting
how so?
From an attacker perspective you would do a quick scan to find open ports, then focus on those ports with more expensive/slower scans to find out what is running on those ports. If everything reports open then what ports do you focus on first? So not so much that actually open ports are less interesting, but that actually open ports are harder to find among all the ports.