I’ve read an article which describes how to simulate the close ports as open in Linux by eBPF. That is, an outside port scanner, malicious actor, will get tricked to observe that some ports, or all of them, are open, whereas in reality they’ll be closed.

How could this be useful for the owner of a server? Wouldn’t it be better to pretend otherwise: open port -> closed?

  • nous@programming.dev
    link
    fedilink
    English
    arrow-up
    6
    ·
    3 months ago

    Would it even need to pretend it is open? If it can fake a port being open then it can tell when a close port is being pinged. So can outright block connections from those IPs without ever pretending it is open?

    • originalucifer@moist.catsweat.com
      link
      fedilink
      arrow-up
      2
      ·
      3 months ago

      sure, if you want to be that black and white about it… but with this you maybe could glean more information about the attempt and have more granular logic.

      • nous@programming.dev
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        3 months ago

        What extra information could you gather? Note I assume we are talking about a fake open port here, not an active service listening on a port that can communicate with the attacker. That could be done without eBPF though - so what advantage would eBPF have here?

        And I assume this is more on the level of responding to pings than creating full connections? At which point you are only dealing with a single packet from the sender. So what value does responding give you here?

        • dnick@sh.itjust.works
          link
          fedilink
          arrow-up
          1
          ·
          2 months ago

          At a guess, you might tell the difference between some benign scan and an attempt to actually take advantage of the port, perhaps to use as a trigger to automatically ban an ip address? or a way to divert malicious resources to an easy looking target so they are less available in other areas?

          The difference between someone scanning for open ports and someone attacking a port they find open seems significant enough to at least track and watch for patterns… Whether that’s useful for the majority of users or not is rarely why a feature is implemented.

          • nous@programming.dev
            link
            fedilink
            English
            arrow-up
            1
            ·
            2 months ago

            What is a benign scan? Why do you need to scan a system if you are not trying to figure out what it is running - which is something only attackers or the server admins (looking for things that should not be exposed) would want to do. Any third party scanning for open ports I would consider an attack. Though it might just be an automated system looking for weaknesses - it is still an attack.