[HN Gopher] Portspoof: Emulate a valid service on all 65535 TCP ...
___________________________________________________________________
Portspoof: Emulate a valid service on all 65535 TCP ports
Author : nateb2022
Score : 98 points
Date : 2024-12-25 17:44 UTC (5 hours ago)
| westurner wrote:
| How does this compare to a tarpit?
|
| Tarpit (networking)
| https://en.wikipedia.org/wiki/Tarpit_(networking)
|
| /? inurl:awesome tarpit
| https://www.google.com/search?q=inurl%3Aawesome+tarpit+site%...
|
| "Does "TARPIT" have any known vulnerabilities or downsides?"
| https://serverfault.com/questions/611063/does-tarpit-have-an...
|
| https://gist.github.com/flaviovs/103a0dbf62c67ff371ff75fc62f... :
|
| > _However, if implemented incorrectly, TARPIT can also lead to
| resource exhaustion in your own server, specifically with the
| conntrack module. That's because conntrack is used by the kernel
| to keep track of network connections, and excessive use of
| conntrack entries can lead to system performance issues,_ [...]
|
| > _The script below uses packet marks to flag packets candidate
| for TARPITing. Together with the NOTRACK chain, this avoids the
| conntrack issue while keeping the TARPIT mechanism working._
|
| The tarpit module used to be in tree.
|
| _xtables-addons /_ xt_TARPIT.c:
| https://github.com/tinti/xtables-addons/blob/master/extensio...
| lstamour wrote:
| Haven't looked into this too deeply but there is a difference
| between delaying a response (requests get stuck in the tarpit)
| vs providing a useless but valid response. This approach always
| provides a response, so it uses more resources than ignoring
| the request, but less resources than keeping the connection
| open. Once the response is sent the connection can be closed,
| which isn't quite how a tarpit behaves. The Linux kernel only
| needs to track open requests in memory so if connections are
| closed, they can be removed from the kernel and thus use no
| more resources than a standard service listening on a port.
|
| There is a small risk in that the service replies to requests
| on the port, though: as replies get more complicated to mimic
| services, you run the risk of an attacker exploiting the system
| making the replies. Another way of putting it, this attempts to
| run a server that responds to incoming requests on every port,
| in a way that mimics what might run on each port. If so, it
| technically opens up an attack surface on every port because an
| attacker can feed it requests but the trade-off is that it runs
| in user mode and could be granted nil permissions or put on a
| honeypot machine that is disconnected from anything useful and
| heavily tripwired for unusual activity. And the approach of
| hardcoding a response to each port to make it appear open is
| itself a very simple activity, so the attack surface introduced
| is minimal while the utility of port scanning is greatly
| reduced. The more you fake out the scanning by behaving
| realistically to inputs, the greater the attack surface to
| exploit, though.
|
| And port scanning can trigger false positives in network
| security scans which can then lead to having to explain why the
| servers are configured this way and that some ports that should
| always be closed due to vulnerability are open but not
| processing requests, so they can be ignored, etc.
| AbraKdabra wrote:
| Nice, I'm glad the word "honeypot" is never used. Once I
| inherited a "true" honeypot and when I went to check it, it had
| like 30 ports opened; my reaction was literally "what the fuck is
| this crap", said out loud.
| dylan604 wrote:
| Isn't that precisely what a honeypot is meant to do though?
| Having ports open so that script kiddies get excited they get
| access to something, but the something just isn't anything?
| Having a honeypot that is locked down doesn't really seem like
| a honeypot at that point.
| treesknees wrote:
| Perhaps one of us misunderstands the term honeypot, it could be
| me, but IMO this seems perfectly usable to create a honeypot
| system on your network.
|
| A honeypot is used to attract and detect an attacker, usually
| logging their actions and patterns for analysis or blocking.
| This tool could use more logging beyond just iptables, and sure
| it's not _by itself_ a honeypot, but the idea isn't that far
| off.
|
| All that aside, the GitHub page suggests this "enhances OS
| security" which I don't buy one bit. Sure it provides some
| obfuscation against automated service scanners, but if you have
| a MySQL server listening on 3306, and an attacker connects to
| 3306, they're still talking to MySQL. Doesn't matter if all the
| other 65534 ports are serving garbage responses.
| sedatk wrote:
| I had made a similar attempt at stopping email crawler spambots
| by creating a web page that produces infinite random email
| addresses.
|
| http://web.archive.org/web/20020610054821/http://www.sourtim...
| pdimitar wrote:
| Am I missing something or is it truly infinite?
| PeterWhittaker wrote:
| Interesting concept, am curious how this withstands community
| review and analysis.
|
| Bit puzzled though, by the statement made immediately after
| stating that it is GPL2: _For commercial, legitimate
| applications, please contact the author for the appropriate
| licensing arrangements_.
|
| Since the GPL2 doesn't permit restricting what others do with
| GPLd software, I don't think this statement is doing what the
| author hopes; they might want to consult a lawyer.
|
| (IANAL, etc., but there is nothing in there to prevent me, e.g.,
| from building a business out of this, charging gazillions, and
| keeping it all for myself, provided I make the source available
| to my customers.)
| pc486 wrote:
| I believe the author is saying they're willing to relicense the
| software for commercial integrations.
| PeterWhittaker wrote:
| I believe you're right, that was my conclusion as well. I'm
| not sure that that will accomplish what they hoped.
|
| To continue my original example, I could, in theory, take
| this code, ensure that it works with arbitrary independent
| pseudo-services, create my own such services, under a
| proprietary licence, and distribute the whole as an
| aggregate, which is permitted by the GPL.
|
| The author likely seeks to provide commercial licensing for
| those interested in integrating their pseudo-services as
| libraries, which would require either that they be GPLd or
| that the original code be licensed in some other way.
|
| I hope the author achieves the success they hope for without
| the licensing and legal hell they may have set themselves up
| for. It can be a great disappointment to have one's work
| turned into someone else's success by a someone or someones
| with more legal and licence cunning than one's self.
|
| (Note: that ain't me, I've just seen that exact scenario
| play out more than a fair few times...)
| tptacek wrote:
| Yes, people can do that. It's inconvenient and risky, so
| serious customer prospects will pay to avoid it. This is
| one of the more common open source commercialization
| strategies; one of the earlier examples is Sleepycat.
| ddulaney wrote:
| Provided you make the source _for any derivative works_
| available to your customers.
|
| It's not uncommon that in situations where that's undesirable
| (e.g. a closed-source C library that statically links a GPL'd
| project) that the library owner pays a fee for a separate
| license allowing that closed-source distribution.
|
| Also, this is sometimes done when it's not strictly legally
| necessary, either for risk avoidance or as a way to support the
| project in corporate environments where "licensing fee" gets
| waved through but "donation" gets blocked.
| ijustlovemath wrote:
| I believe this doesn't apply if you're using existing
| APIs or using GPL code as a library, otherwise many many
| corporate codebases would be forced to be open sourced.
| kiririn wrote:
| The original copyright holder can enforce what they like.
| PeterWhittaker wrote:
| Not quite: once you GPL something, while you retain copyright
| and can licence it in other ways, the GPL itself forbids you
| from restricting what others can do with it if they take it
| under the GPL; the one thing they cannot do is change its
| licence, but you cannot prevent them from selling it, e.g.
| The FSF are very, very clear on this.
| tptacek wrote:
| You don't care, because whatever a GPL taker does, they're
| still bound by the viral copyleft, you're not, and you can
| sell that privilege to others.
| PeterWhittaker wrote:
| Not if the original author stills holds the copyright,
| which is likely the case: the GPL does NOT remove your
| copyright, and in fact depends upon it.
| tptacek wrote:
| I understand us to be talking about the options available
| to the original copyright holder, yes.
| dijit wrote:
| You can buy your way out of the GPL if the authors are willing
| to relicense.
|
| Stallman was actually an advocate of doing this.
|
| https://www.fsf.org/blogs/rms/selling-exceptions
| PeterWhittaker wrote:
| Agreed, cf other comments below. My impression is that that
| is what this person hopes for and that they think that
| somehow the GPL prevents others from using this code
| commercially, which it manifestly does not. (Such use would
| be subject to the GPL, of course.)
| veeter wrote:
| Wouldn't that inevitably end up with your server being more
| closely inspected (or at least more heavily trafficked) by
| hackers/bots?
|
| I doubt that most script kiddies are filtering out potential
| honeypots/things like this from their tools.
| NBJack wrote:
| Not a network security expert, but the level of traffic
| necessary to figure out what's real would probably trip other
| detection mechanisms in the process.
| ssklash wrote:
| I agree, returning legit banners on common ports is likely to
| get you looked at more rather than less, since most tools are
| not accounting for situations where every single port is open,
| indicating false positives. This is a common scenario on
| penetration tests, and while it does end up wasting time, I'd
| rather not give attackers any more reason to be looking at my
| infra. I would prefer port knocking, which is kind of the
| polar opposite approach to this.
| dietr1ch wrote:
| I guess it'll be obvious that a server is running portspoof
| after you find that 3 random services that nobody uses anymore
| seem to be running, but now that you know the host is up, which
| ports do you tinker with?
|
| If you assume that scanning/attacking each port on each server
| takes about the same effort, you are better off finding a
| machine where the scan/attack has a higher chance of being
| successful, even if you can tell which ports are spoofed and
| not worth attacking.
|
| Maybe you can run portspoof locally on 127.0.0.35 and compare
| which responses seem different (data, timings) from what you
| get back, but the space is suddenly 5000x bigger than the
| handful of ports that normally seem to be open and ports on
| other servers may seem more likely to yield success.
| yonatan8070 wrote:
| > it binds to just ONE tcp port per a running instance !
|
| How does that work? Do you need to run 65535 instances to cover
| all ports?
| Chilinot wrote:
| Yea, that statement confused me as well.
| geraldhh wrote:
| nat-redirection
| PaulAJ wrote:
| Would this also be potentially a DoS amplifier? If you sent it
| the right spoof packets, would it return a lot of packets to the
| apparent origin?
| locusofself wrote:
| Could this not trivially be accomplished with a service listening
| on one port and 'iptables' rules?
| tredre3 wrote:
| Per the README: _it binds to just ONE tcp port per a running
| instance !_ Configure your firewall rules:
|
| iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport
| 1:65535 -j REDIRECT --to-ports 4444
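Building on the README rule quoted in the comment above, here is an added example (not from the Portspoof project or anyone in the thread) that generates the same nat REDIRECT rule but carves out the ports where real services listen, so they are not hijacked by the spoofer, and puts a LOG rule ahead of it so redirected connection attempts show up in the kernel log. The interface name, the spoofer port and the list of real-service ports are assumptions passed in as arguments; the function only prints the iptables commands, so you can review them before piping them into a shell.

```shell
#!/bin/sh
# Added example, not from the Portspoof project or the thread above.
# Emits the README-style nat REDIRECT rule, but excludes the ports where real
# services listen (they would otherwise be hijacked by the spoofer), and adds
# a LOG rule ahead of it so every redirected connection attempt is recorded.
# Assumptions: interface and spoofer port are given as arguments (the README
# uses eth0 and 4444); real-service ports follow as further arguments.
# Usage: portspoof_rules eth0 4444 22 3306 | sh     (review the output first)

portspoof_rules() {
    iface="$1"
    spoof_port="$2"
    shift 2
    real_ports=""
    for p in "$@"; do
        # Reject anything that is not a decimal port number in 1..65535.
        case "$p" in
            ''|*[!0-9]*) echo "portspoof_rules: bad port '$p'" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "portspoof_rules: port out of range '$p'" >&2
            return 1
        fi
        real_ports="${real_ports:+$real_ports,}$p"
    done
    # multiport's negated --dports carves the real services out of the match;
    # with no real ports the rule covers all 65535 ports, as in the README.
    excl=""
    if [ -n "$real_ports" ]; then
        excl="-m multiport ! --dports $real_ports "
    fi
    # LOG first: the nat table sees only the first packet of a connection,
    # so this logs one line per connection attempt with the original dport.
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp %s-j LOG --log-prefix "portspoof: "\n' \
        "$iface" "$excl"
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp %s-j REDIRECT --to-ports %s\n' \
        "$iface" "$excl" "$spoof_port"
}
```

The multiport match accepts at most 15 ports per rule, and the LOG rule fires for every scanned port, so expect a burst of log lines during a full port scan.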
___________________________________________________________________
(page generated 2024-12-25 23:00 UTC)