this post was submitted on 24 Aug 2024
17 points (81.5% liked)

Programming

17326 readers
230 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities !webdev@programming.dev



founded 1 year ago
MODERATORS
 

I've read an article which describes how to simulate the close ports as open in Linux by eBPF. That is, an outside port scanner, malicious actor, will get tricked to observe that some ports, or all of them, are open, whereas in reality they'll be closed.

How could this be useful for the owner of a server? Wouldn't it be better to pretend otherwise: open port -> closed?

you are viewing a single comment's thread
view the rest of the comments
[–] originalucifer@moist.catsweat.com 2 points 2 months ago (1 children)

sure, if you want to be that black and white about it.. but with this you maybe could glean more information about the attempt and have more granular logic.

[–] nous@programming.dev 1 points 2 months ago* (last edited 2 months ago) (2 children)

What extra information could you gather? Note I assume we are talking about a fake open port here, not an active service listening on a port that can communicate with the attacker. That could be done without eBPF though - so what advantage would eBPF have here?

And I assume this is more on the level of responding to pings than creating full connections? At which point you are only dealing with a single packet from the sender. So what value does responding give you here?

[–] dnick@sh.itjust.works 1 points 2 months ago (1 children)

At a guess, you might tell the difference between some benign scan and an attempt to actually take advantage of the port, perhaps to use as a trigger to automatically ban an ip address? or a way to divert malicious resources to an easy looking target so they are less available in other areas?

The difference between someone scanning for open ports and someone attacking a port they find open seems significant enough to at least track and watch for patterns... Whether that's useful for the majority of users or not is rarely why a feature is implemented.

[–] nous@programming.dev 1 points 2 months ago (1 children)

What is a benign scan? Why do you need to scan a system if you are not trying to figure out what it is running - which is something only attackers or the server admins (looking for things that should not be exposed) would want to do. Any third party scanning for open ports I would consider an attack. Though it might just be an automated system looking for weaknesses - it is still an attack.

[–] dnick@sh.itjust.works 1 points 2 months ago (1 children)

A benign scan could just be looking for an ftp server to connect to or a repeater or relay server of some sort. There are plenty of open services people make available for free and the fact that you would consider it an attack it doesn't make it one.

At minimum you could be alerted to look for someone attempting to connect to your ftp server with a single basic anonymous authentication vs someone flooding that port with known malicious software attacks, and block the latter across your entire network and effectively ignore the former. Really it seems like you're advertising your lack of imagination in this context than a legitimate lack of possible uses for spoofing open ports.

[–] nous@programming.dev 1 points 2 months ago

Those are not port scans though. A port scan is when someone is systematically checking a large number of ports on a system to find which ones are open and possibly what is running on them. A random connection to a single port is not a port scan and not something pretending that other ports are open will help at all with. And open services are typically announced in some other way and don't require scanning all ports on the whole internet to find. Though you may get connections from people that get the address wrong, or have an old IP that has been reused or something - those are not scans though.

Really it seems like you’re advertising your lack of imagination in this context than a legitimate lack of possible uses for spoofing open ports.

I never said that. I have mentioned actual use cases for wanted this in other comments in this thread - namely slowing down attackers by making them do more work by not being able to do quick checks for open ports. My responses here though are about the postulation that you could gain extra information with an open port in eBPF vs just a closed one or simply a service running on that port. Thus I do not think that is the reason you would want this. Never said there are no reasons at all that you would want to pretend ports are open.

[–] originalucifer@moist.catsweat.com 1 points 2 months ago (1 children)
[–] nous@programming.dev 3 points 2 months ago (1 children)

Port knocking does not require open ports though? It works by trying to connect to closed ports in a specific sequence does it not?

[–] originalucifer@moist.catsweat.com 1 points 2 months ago (1 children)
[–] nous@programming.dev 3 points 2 months ago

What is a fake port?