I’ve read an article which describes how to simulate the close ports as open in Linux by eBPF. That is, an outside port scanner, malicious actor, will get tricked to observe that some ports, or all of them, are open, whereas in reality they’ll be closed.
How could this be useful for the owner of a server? Wouldn’t it be better to pretend otherwise: open port -> closed?
pseudo honeypot ip blocker. you could auto drop traffic from people sniffin where/when they should not be
Presumably, OP doesn’t know the concept of a honeypot, so: https://en.wikipedia.org/wiki/Honeypot_(computing)
Basically, it’s a decoy system, which an attacker will likely target.
Would it even need to pretend it is open? If it can fake a port being open then it can tell when a close port is being pinged. So can outright block connections from those IPs without ever pretending it is open?
sure, if you want to be that black and white about it… but with this you maybe could glean more information about the attempt and have more granular logic.
What extra information could you gather? Note I assume we are talking about a fake open port here, not an active service listening on a port that can communicate with the attacker. That could be done without eBPF though - so what advantage would eBPF have here?
port knocking maybe?
Port knocking does not require open ports though? It works by trying to connect to closed ports in a specific sequence does it not?
At a guess, you might tell the difference between some benign scan and an attempt to actually take advantage of the port, perhaps to use as a trigger to automatically ban an ip address? or a way to divert malicious resources to an easy looking target so they are less available in other areas?
The difference between someone scanning for open ports and someone attacking a port they find open seems significant enough to at least track and watch for patterns… Whether that’s useful for the majority of users or not is rarely why a feature is implemented.