*65536 ports

Port 0 is a port some operating systems can and do host services on accessible over the Internet.

Also - if there are any MariaDB devs reading this - your default setting making the database listen on port 0 to disable Internet access does not, in fact, disable Internet access of the DB for quite a few thousand systems.
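A defender's check for the point raised above, as an added example that is not part of the thread or of MariaDB: audit a my.cnf-style file and flag a configuration that relies on `port = 0` to keep the database off the network instead of `skip-networking` or a loopback `bind-address` (both real MariaDB options). It assumes a plain `[mysqld]` section with no `!include` directives; the sample config is constructed.

```python
"""Audit how a MariaDB/MySQL config actually disables network access.

Added example, not from the thread or the MariaDB project. Assumes a plain
my.cnf-style [mysqld] section; SAMPLE_CNF below is constructed.
"""
import configparser
from typing import Dict, List

# Constructed sample: an operator who believed port=0 disables networking.
SAMPLE_CNF = """
[mysqld]
datadir = /var/lib/mysql
port = 0
"""


def parse_mysqld_section(text: str) -> Dict[str, str]:
    """Return [mysqld] options as a dict.

    Flag-style options such as skip-networking are stored with an empty value.
    MariaDB treats '_' and '-' in option names as equivalent, so names are
    normalised to dashes.
    """
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    cp.read_string(text)
    if "mysqld" not in cp:
        return {}
    return {k.replace("_", "-"): (v or "").strip() for k, v in cp["mysqld"].items()}


def audit_networking(opts: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means remote TCP access is genuinely off.

    Rely on skip-networking or a loopback bind-address, not on port=0, which
    the thread reports does not reliably prevent remote access.
    """
    findings: List[str] = []
    if "skip-networking" in opts:
        return findings  # TCP listener disabled entirely; nothing else matters
    bind = opts.get("bind-address", "")
    if opts.get("port") == "0":
        findings.append("port=0 is not a reliable way to disable TCP access; use skip-networking")
    if bind in ("", "0.0.0.0", "::"):
        findings.append("bind-address is unset or wildcard; set skip-networking or bind-address=127.0.0.1")
    return findings


if __name__ == "__main__":
    for finding in audit_networking(parse_mysqld_section(SAMPLE_CNF)):
        print("WARN:", finding)
```

Pair the config check with a live check on the host (`ss -ltn` or equivalent) after restarting the service, since the listener that is actually bound is what an Internet scanner sees.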
It feels inevitable that computer security will continue evolving towards "active defense" typified by approaches like the above. Look at how complex and many-layered your immune system is, and consider that eventually your computer and/or network will resemble that as well.
I had made a similar attempt at stopping email crawler spambots by creating a web page that produces infinite random email addresses.

http://web.archive.org/web/20020610054821/http://www.sourtimes.org/fuckemail/
Be aware that if you run something like this, you will get dozens of bug bounty requests by people who scanned your machine and found "known vulnerable version of X" running.
In the mid-90s, there was a honeypot product called CyberCop Sting[1], which predated Secure Networks' Ballista[2]. CyberCop Sting could simulate TCP and UDP services across various implementations. If I recall correctly, it also allowed the configuration of TCP/IP stacks to mimic the behavior of different operating systems. These features were particularly innovative almost 30 years ago.

[1] https://theswissbay.ch/pdf/Gentoomen%20Library/Security/0321108957.Addison-Wesley%20Professional.Honeypots-%20Tracking%20Hackers.pdf

[2] https://news.ycombinator.com/item?id=26440139
Wouldn't that inevitably end up with your server being more closely inspected (or at least more heavily trafficked) by hackers/bots?

I doubt that most script kiddies are filtering out potential honeypots/things like this from their tools.
I do something similar on my website: https://bini.wales returns 200 for all endpoints and logs all attempts, so it makes for a decent honeypot against automated attacks (mostly it just catches people mass scanning for vulnerable WordPress plugins or leftover backdoors). Similarly, https://varun.ch/login emulates a WordPress site (with a twist).
Nice, I'm glad the word "honeypot" is never used. Once I inherited a "true" honeypot, and when I went to check it, it had like 30 ports open; my reaction was literally "what the fuck is this crap", said out loud.
The natural evolution of such an approach is to also seemingly advertise a variety of security holes... and maintain a blacklist silently that feeds actual production systems as a firewall, should said hacker reach that point.
How does this compare to a tarpit?

Tarpit (networking)
https://en.wikipedia.org/wiki/Tarpit_(networking)

/? inurl:awesome tarpit
https://www.google.com/search?q=inurl%3Aawesome+tarpit+site%3Agithub.com

"Does "TARPIT" have any known vulnerabilities or downsides?"
https://serverfault.com/questions/611063/does-tarpit-have-any-known-vulnerabilities-or-downsides

https://gist.github.com/flaviovs/103a0dbf62c67ff371ff75fc62fdded3 :

> However, if implemented incorrectly, TARPIT can also lead to resource exhaustion in your own server, specifically with the conntrack module. That's because conntrack is used by the kernel to keep track of network connections, and excessive use of conntrack entries can lead to system performance issues, [...]

> The script below uses packet marks to flag packets candidate for TARPITing. Together with the NOTRACK chain, this avoids the conntrack issue while keeping the TARPIT mechanism working.

The tarpit module used to be in tree.

xtables-addons/ xt_TARPIT.c:
https://github.com/tinti/xtables-addons/blob/master/extensions/xt_TARPIT.c
Cute as this is, most attackers aren't obsessed with you, but are looking at just one port, the one they have an exploit for.

And if you have that port open with a vulnerable service, they'll find and exploit it, irrespective of whether this tool is running.
> it takes more than 8 hours and 200MB of sent data in order to properly go through the reconnaissance phase for your system ( nmap -sV -p - equivalent).

So, every automated portscan from a hacked machine will waste 200MB of my bandwidth?
What would be great is if, when a network call is detected on a port where no actual service is listening, the tool could create alerts and send them to a SIEM; that would create a lot of value.
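One way to build that alerting layer, as an added example that is not code from the tool discussed in the thread: given one record per accepted connection (a hypothetical `ts src_ip src_port dst_port proto` line format, with the sample lines constructed here) and the set of ports where real services listen (assumed here to be 22 and 443), it emits one JSON alert per hit on a decoy port and a higher-severity summary alert when a single source touches several distinct decoy ports, in the one-object-per-line form most SIEM collectors ingest.

```python
"""Turn connection attempts against decoy (non-service) ports into SIEM alerts.

Added example, not code from the tool in the thread. Assumes the decoy layer
logs one record per accepted connection in a hypothetical
'ts src_ip src_port dst_port proto' format; SAMPLE_LOG is constructed.
"""
import json
from collections import defaultdict
from typing import Dict, List

# Ports where a real service genuinely listens on this host (assumption).
REAL_SERVICES = {22, 443}

# Constructed sample records: one source walks several decoy ports,
# another touches a real service and then a single decoy port.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 51000 22 tcp
2024-05-01T10:00:02Z 203.0.113.7 51001 6379 tcp
2024-05-01T10:00:02Z 203.0.113.7 51002 3306 tcp
2024-05-01T10:00:03Z 203.0.113.7 51003 8080 tcp
2024-05-01T10:00:04Z 198.51.100.9 40000 443 tcp
2024-05-01T10:00:09Z 198.51.100.9 40001 5900 tcp
"""


def parse_records(text: str) -> List[Dict]:
    """Parse log lines; malformed lines are skipped rather than crashing the pipeline."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not (parts[2].isdigit() and parts[3].isdigit()):
            continue
        ts, src, sport, dport, proto = parts
        out.append({"ts": ts, "src": src, "sport": int(sport),
                    "dport": int(dport), "proto": proto})
    return out


def build_alerts(records: List[Dict], real_ports=REAL_SERVICES, scan_threshold: int = 3) -> List[Dict]:
    """One alert per decoy-port hit, plus a summary alert per source that touches
    at least scan_threshold distinct decoy ports. Hits on real service ports are
    not alerts here: that traffic belongs in the service's own logs."""
    alerts: List[Dict] = []
    decoy_hits = defaultdict(set)
    for r in records:
        if r["dport"] in real_ports:
            continue
        decoy_hits[r["src"]].add(r["dport"])
        alerts.append({
            "event": "decoy_port_connection",
            "severity": "medium",
            "ts": r["ts"], "src_ip": r["src"], "dst_port": r["dport"], "proto": r["proto"],
            "detail": "connection to a port with no real service",
        })
    for src, ports in decoy_hits.items():
        if len(ports) >= scan_threshold:
            alerts.append({
                "event": "decoy_port_scan",
                "severity": "high",
                "src_ip": src,
                "distinct_decoy_ports": sorted(ports),
                "detail": f"{len(ports)} distinct decoy ports touched",
            })
    return alerts


def to_siem_lines(alerts: List[Dict]) -> List[str]:
    """Serialize as newline-delimited JSON, one alert per line."""
    return [json.dumps(a, sort_keys=True) for a in alerts]


if __name__ == "__main__":
    for line in to_siem_lines(build_alerts(parse_records(SAMPLE_LOG))):
        print(line)
```

The per-connection alerts are what make a single hit on a decoy port visible; the summary alert is the one worth paging on, since any connection to a decoy port is already a strong signal and a source walking many of them is almost certainly a scanner rather than a mistyped client.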
Interesting concept, am curious how this withstands community review and analysis.

Bit puzzled though, by the statement made immediately after stating that it is GPL2: "For commercial, legitimate applications, please contact the author for the appropriate licensing arrangements".

Since the GPL2 doesn't permit restricting what others do with GPLd software, I don't think this statement is doing what the author hopes; they might want to consult a lawyer.

(IANAL, etc., but there is nothing in there to prevent me, e.g., from building a business out of this, charging gazillions, and keeping it all for myself, provided I make the source available to my customers.)
> By using those two techniques together:

> your attackers will have a tough time while trying to identify your real services.

So... Security through obscurity?

> the only way to determine if a service is emulated is through a protocol probe (imagine probing protocols for 65k open ports!).

So... Security through obscurity?

> it takes more than 8 hours and 200MB of sent data in order to properly go through the reconnaissance phase for your system ( nmap -sV -p - equivalent).

So... Security through obscurity?

Idk... Maybe I am not versed enough in infosec, but this also begs the question: are you not attracting more interest if your system lights up green for an exposed Redis instance, for an adversary to notice you and take a closer look for anything else vulnerable?