Port 0 is a port some operating systems can and do host services on accessible over the Internet.
Also - if there's any MariaDB devs reading this - your default setting making the database listen on port 0 to disable Internet access does not, in fact, disable Internet access of the DB for quite a few thousand systems.
rvnx 24 days ago [-]
MariaDB explicitly checks if the port is non-zero before listening on a TCP socket:
if (mysqld_port) means "if mysqld_port is different from 0"
This seems to be at least in MariaDB 5.5 (year 2012)
rockskon 23 days ago [-]
And if you set MariaDB to not have Internet connectivity, it attempts to accomplish this by setting the TCP port to 0. Ostensibly because it's not supposed to be a valid TCP port, except it actually is on thousands and thousands of systems.
So I don't know if the check you're referencing is evaluated when someone sets their instance of MariaDB to "not" be internet accessible.
qzzi 23 days ago [-]
This is the place where the listening socket is initialized, and you can see that if the port is 0, it doesn't do anything. Are you observing different behavior?
Avamander 25 days ago [-]
You can even use it under Linux if you wish btw, you just can't bind to it, but you can have your firewall redirect port 0 to something else.
rockskon 24 days ago [-]
You can bind to it on some versions of Linux. I've scanned a bunch of Linux systems that host stuff on port 0.
BitPirate 24 days ago [-]
Your observation doesn't contradict the use of firewall rules to accomplish this.
rockskon 24 days ago [-]
It's not some ufw rule that normally prevents hosting a service on port 0.
arghwhat 24 days ago [-]
That's not what was said. They said that a firewall rule can redirect traffic coming in on port 0 to a running service even when a service cannot bind directly to port 0.
Binding with port 0 as argument for AF_INET binds a random available port, not port 0. This is documented behavior of Linux and likely every other OS implementing a BSD-style socket interface.
Also note that ufw is just a tiny, non-standard wrapper for the much more powerful nftables/iptables interfaces
kibwen 25 days ago [-]
It feels inevitable that computer security will continue evolving towards "active defense" typified by approaches like the above. Look at how complex and many-layered your immune system is, and consider that eventually your computer and/or network will resemble that as well.
Laforet 25 days ago [-]
IMO this is still a passive type of security through obfuscation. Active defence would be more like returning zip bombs to known intruders in order to crash the process.
It appears it can be configured to actively return attacks:
> Portspoof can be used as an 'Exploitation Framework Frontend', that turns your system into responsive and aggressive machine. In practice this usually means exploiting your attackers' tools and exploits
pogue 24 days ago [-]
I can't seem to figure out how this would work or what this mean. Most of the links to the documentation seem to be missing.
I'd actually be curious to know if this seemingly ~10 year old software still works. Also how much bandwidth it uses, CPU/RAM etc.
pixl97 24 days ago [-]
There's tons of client software that can be exploited if you send a dangerous payload to it. Think of an exploitable version of Curl that will fail if it receives a bad http header.
orev 24 days ago [-]
I would guess that it fingerprints the scanning software (e.g. metasploit), then feeds a payload back to it that has a known exploit in the scanning script.
25 days ago [-]
gerdesj 25 days ago [-]
IT is growing up gradually. It's only had a few decades to worry about security and I've seen most of them.
One day, IT will become time served but not today.
0xEF 24 days ago [-]
I'm not sure I like this analogy since the immune system regularly malfunctions and damages the host (allergies, cancer, etc) but then again, it does draw some concerning parallels,.
9dev 24 days ago [-]
The immune system is an incredible marvel of engineering, protecting you against an infinite number of attack vectors without any online database update after initial installation. It develops countermeasures on the fly, deploys layers of Defense that coordinate intelligently as a swarm, and keeps track of which molecules belong to „you“ while those molecules keep replacing themselves with those obtained from the outside. It constantly ingests signals from billions of sensors over your body which function as first-responder Defense measures as well as repair kits AND evidence capsules for the cavalry that rolls in later. And that’s just a sliver of all the ingenious ways the immune system works.
I also suffer from severe asthma and allergies, both of which are, by all accounts, not normal or wanted responses of the immune system, not to mention of the low-end of the horror spectrum when it comes to immune function that is terrifyingly harmful to the host.
It is an exceptionally complex and wonderous thing, but where we diverge is in thinking of it as a "marvel of engineering" or any other prose that implies some sort of guiding hand. It is a far from perfect system, and gets things wrong often enough that we have a global industry creating products to control it.
9dev 24 days ago [-]
> […] thinking of it as a "marvel of engineering" or any other prose that implies some sort of guiding hand.
Heh. It's hard to talk about the way things have been shaped by evolution without implying an actor, because our vocabulary is so very shaped by our subjective experience. I, personally, am reasonably certain that there is no creator in whatever sense. Yet, I'm still awestruck at the ingenuity life on our planet has shown, and the immune system is a never-ending source of wonder to me.
And while it surely isn't perfect, if we were to look at the raw numbers of incidents versus the number of adversary action against your body—that would be pretty darn near perfect.
r00f 24 days ago [-]
then vaccination is online database update through forced learning
AtlasBarfed 24 days ago [-]
AI should enable high quality and deep honeypots. It's perfect for the current llm capabilities... Just look good enough.
RF_Savage 24 days ago [-]
Sounds like an easy target for DoS.
TZubiri 24 days ago [-]
Our skin doesn't pretend to be a mouth I don't think.
cbzbc 24 days ago [-]
But within nature there are examples of this kind of mimicry - i.e butterfly wings pretending to be predators eyes.
TZubiri 24 days ago [-]
Having all ports open is not a butterfly pretending to be a predator. It's a butterfly pretending to be everything, including other prey that would attract other predators.
pixl97 24 days ago [-]
Add a little DMSO and you can fix that.
sedatk 25 days ago [-]
I had made a similar attempt at stopping email crawler spambots by creating a web page that produces infinite random email addresses.
Didn’t know about that term, but it’s funny that an 18 year old Wikipedia article is still four years newer than my web site :)
pdimitar 25 days ago [-]
Am I missing something or is it truly infinite?
sedatk 25 days ago [-]
“Next page” link goes to the same page with entirely different set of addresses. So, it’s practically infinite for a crawler.
pdimitar 24 days ago [-]
Ohhhh I see, thanks for clarifying! Brain fart.
Indeed, I'd love to use your stuff.
aidenn0 24 days ago [-]
Be aware that if you run something like this, you will get dozens of bug bounty requests by people who scanned your machine and found "known vulnerable version of X" running.
wslh 25 days ago [-]
In the mid-90s, there was a honeypot product called CyberCop Sting[1], which predated Secure Networks' Ballista[2]. CyberCop Sting could simulate TCP and UDP services across various implementations. If I recall correctly, it also allowed the configuration of TCP/IP stacks to mimic the behavior of different operating systems. These features were particularly innovative almost 30 years ago.
Fascinating. I was going to ask if there were similar projects. It seems like an obvious thing to do and I was mildly surprised that it never occurred to me and majorly surprised that this was the first time I'm hearing about the idea.
veeter 25 days ago [-]
Wouldn't that inevitably end up with your server being more closely inspected (or at least more heavily trafficked) by hackers/bots?
I doubt that most script kiddies are filtering out potential honeypots/things like this from their tools.
dietr1ch 25 days ago [-]
I guess it'll be obvious that a server is running portspoof after you find that 3 random services that nobody uses anymore seem to be running, but now that you know the host is up, which ports do you tinker with?
If you assume that scanning/attacking each port on each server takes about the same effort, you are better off finding a machine where the scan/attack has a higher chance of being successful, even if you can tell which ports are spoofed and not worth attacking.
Maybe you can run portspoof locally on 127.0.0.35 and compare which responses seem different (data, timings) from what you get back, but the space is suddenly 5000x bigger than the handful of ports that normally seem to be open and ports on other servers may seem more likely to yield success.
1oooqooq 24 days ago [-]
only answer positively the first ones. use nmap os/service id database to emulate correct response per port.
ssklash 25 days ago [-]
I agree, returning legit banners on common ports is likely to get you looked at more rather than less, since most tools are not accounting for situations where every single port is open, indicating false positives. This is a common scenario on penetration tests, and while it does end up wasting time, I'd rather not give attackers any more reason to be looking at my infra. I would prefer port knocking, which is kinda of the polar opposite approach to this.
tugu77 24 days ago [-]
Combine the two.
By default, return nonsense on all ports. But once a certain access sequence has been detected from a source IP, redirect traffic to a specific port from just that IP to your real service.
billyhoffman 24 days ago [-]
So port knocking, but with also returning junk during the knocking process?
NBJack 25 days ago [-]
Not a network security expert, but the level of traffic necessary to figure out whats real would probably trip other detection mechanisms in the process.
varenc 25 days ago [-]
If you're worried about mass internet scans, I can see the downsides. But if you're worried about a targeted attacker scanning just your organization’s IP ranges, this seems like it would hinder them quite a bit.
kevin_nisbet 24 days ago [-]
Yea, thinking about it for a minute I would expect limited threat models this tool would help with. I think for broad attacks, this would only be somewhat effective if deployed on tens of millions of hosts so it becomes impractical because the adversary is just finding and interacting with the honeypots.
If you are specifically getting targeted, there might be a slight delay by having the adversary try and exploit the honeypot ports, but if you're running a vulnerable service you still get exploited.
Also if you're a vendor, when prospective customers security teams scan you, you'll have some very annoying security questionnaires to answer.
thayne 24 days ago [-]
You also now have to worry about vulnerabilities in portspoof.
tugu77 24 days ago [-]
Put it in an otherwise airgapped dmz.
varun_ch 24 days ago [-]
I do something similar on my website: https://bini.wales returns 200 for all endpoints and logs all attempts, so it makes for a decent have a honeypot against automated attacks (mostly it just catches people mass scanning for vulnerable WordPress plugins or leftover backdoors). Similarly, https://varun.ch/login emulates a WordPress site (with a twist)
arghwhat 24 days ago [-]
You will get the WordPress scans regardless of what you return.
AbraKdabra 25 days ago [-]
Nice, I'm glad the word "honeypot" is never used, once I inherited a "true" honeypot and when I went to check it, it had like 30 ports opened, my reaction was literally "what the fuck is this crap" said out loud.
dylan604 25 days ago [-]
Isn't that precisely what a honeypot is meant to do though? Having ports open so that script kiddies get excited they get access to something, but the something just isn't anything? Having a honeypot that is locked down doesn't really seem like a honeypot at that point
AbraKdabra 24 days ago [-]
I do red team, if I see a server with 20+ ports I'll immediately assume it's a honeypot and will stop scanning it. If you are part of a blue team you WANT them to waste time, not instantly know it's a honeypot, that's what I meant for specifically this software.
pixl97 24 days ago [-]
Then you're missing out on juicy stuff...
I work with a number of overseas clients where getting extra IPv4 is nearly impossible. I'll see them setup a ip forwarding box to tons of different applications. That application may have its own reverse proxy serving even more stuff.
The real world has some scary things in it.
cafeinux 24 days ago [-]
So what you're saying is that I should open 30 ports on my critical servers so that they are ignored as honeypots by the attackers? Noted.
AbraKdabra 24 days ago [-]
I mean sure, absolutely go for it, don't forget to tell me the IP so I can add it to my ignore list.
cafeinux 24 days ago [-]
Sure, here you are!
127.0.0.1
Thank you for your thoughtfulness.
dylan604 24 days ago [-]
If you’re a red team member that needs to be told this type of information, you’re not very good at it. You just said this is something you do on your own, so why would you need to be told about it? Either you do it or you don’t.
24 days ago [-]
AbraKdabra 24 days ago [-]
youdidntgetthejoke.jpg
dylan604 24 days ago [-]
I remember the first box I ever built that went online before I had any clue about what I was doing. It had to have looked like a honeypot. Then someone knowledgeable helped me and started shutting things down. They also mentioned Debian being designed as essentially opt-in instead of opt-out to precisely avoid this issue
AbraKdabra 24 days ago [-]
Exactly, most people confuse the fact that a server being a honeypot doesn't mean "HEY SCAN ME HEY I'M A HONEYPOT SCAN ME SO I CAN GET FREE INFO", you need a balance between exposing yourself and being authentic so the person on the other side doesn't tap Ctrl-C at the sight of a lot of ports opened. I'm mean sure, you'll get a ton of info from bots, but if you're truly using a honeypot for R&D you want the true hackers to knock on your door.
remram 24 days ago [-]
I think what's neat is that this tool can reply to so many protocols/ports, you can enable whichever subset you want.
You could also easily tweak it to have the ports spread on a few different IP addresses instead of a single one. That would make them much less obvious.
londons_explore 25 days ago [-]
The usual trick is to have many pots, each of which is mostly but not entirely locked down.
treesknees 25 days ago [-]
Perhaps one of us misunderstands the term honeypot, it could be me, but IMO this seems perfectly usable to create a honeypot system on your network.
A honeypot is used to attract and detect an attacker, usually logging their actions and patterns for analysis or blocking. This tool could use more logging beyond just iptables, and sure it’s not _by itself_ a honeypot, but the idea isn’t that far off.
All that aside, the GitHub page suggests this “enhances OS security” which I don’t buy one bit. Sure it provides some obfuscation against automated service scanners, but if you have a MySQL server listening on 3306, and an attacker connects to 3306, they’re still talking to MySQL. Doesn’t matter if all the other 65534 ports are serving garbage responses.
skeledrew 25 days ago [-]
All the responses look legitimate though, so even if someone does hit that MySQL, they'll be hard pressed determining it's not part of the noise of the other 65.5k legitimate-seeming responses. They'll just be wasting resources trying to get beyond such a broad surface to gain any depth. And if they already know to target MySQL (or any other particular service), it's all moot in any case, but also they wouldn't be doing a spectrum scan.
robertlagrant 25 days ago [-]
But how do you know it's real? You might be running Postgres on 5432 and them connecting to 3306 might respond with a lookalike mysql.
jaktet 24 days ago [-]
I would imagine the amount of time someone spends “investigating” a port like 3306 is the amount of time it takes for the existing automated software to run a check to see if the mysql server is vulnerable. So unless the service on 3306 is able to spoof a vulnerable mysql server, they don’t care if it’s real or not. They just care if their tool reports a vulnerable service.
robertlagrant 24 days ago [-]
Why would they only care about that if they're trying to hack into a system?
jaktet 24 days ago [-]
Unless they are specifically targeting that system my assumption would be that they are just looking for open ports for known services, then if found checking if exploits work or not, and if not move on. I could very well be wrong but from a practical standpoint I can’t imagine this service mattering to someone that is running a program to scan for open ports with vulnerabilities.
robertlagrant 24 days ago [-]
I might just be regurgitating the article, but isn't the point that it can massively increase the time and effort it takes to scan a system for valid vulnerabilities?
jaktet 24 days ago [-]
What I’m saying though is that if I were running a script like this, unless I’m targeting a specific ip, I would just be scanning known ports for known vulnerabilities. I wouldn’t be scanning every single port.
AbraKdabra 24 days ago [-]
I do red team, if I see a server with 20+ ports I'll immediately assume it's a honeypot and will stop scanning it. If you are part of a blue team you WANT them to waste time, not instantly know it's a honeypot, that's what I meant for specifically this software.
yonatan8070 25 days ago [-]
> it binds to just ONE tcp port per a running instance !
How does that work? Do you need to run 65535 instances to cover all ports?
That's actually pretty darn neat. Thanks for the references, too.
geraldhh 25 days ago [-]
nat-redirection
Chilinot 25 days ago [-]
Yea, that statement confused me as well.
alanfranz 24 days ago [-]
why? A single process can bind to multiple ports. I don't know what's the hard limit actually, or how much memory it would use. Probably a port redirect would just be simpler.
jagged-chisel 24 days ago [-]
But this thing says it binds to ONE port. iptables is doing the port redirect for unbound ports.
PaulAJ 25 days ago [-]
Would this also be potentially a DoS amplifier? If you sent it the right spoof packets, would it return a lot of packets to the apparent origin?
ryan-c 25 days ago [-]
For TCP services, it won't send a large packet until the "client" provides a correct ACK packet to complete the three way handshake.
This would indeed be pants-on-head for UDP.
cryptonector 24 days ago [-]
Amplification attacks are mainly a concern with UDP because UDP does not have a return routability check, while TCP does.
pogue 24 days ago [-]
This sent me down a rabbit hole remembering the DDoS attacks the skids were coming up with in the 90s. The famous Pepsi & Smurf attacks that would spoof a connection from one server running CHARGEN [1] and send it to another running ECHO [2] and it would just send an endless flood of characters to the victim. It might have been one of, if not, the first distributed denial of service attacks. It's wild to think people would leave all the ports open on their servers that would just spew endless characters and etc. Those were the days when everyone was so open and trusting of other users on the internet.
CORRECTION: This was actually name "Fraggle". [3] Smurf involved ICMP flooding.
I remember seeing these on EFnet IRC in the 90s. Since the code is so ancient, I thought I'd share it. I'm sure these would be useless in modern times, but they're an interesting bit of internet history. It also hilarious to look at the comments and see old IRC handles you recognize. Who remembers napster before he developed the p2p software that made him famous?
I remember. I was hanging out in #ansi and #hav0k on EFNet at the time with nyt, soldier, v9, Napster, etc.
Fun times. I miss those days.
throwaway984393 25 days ago [-]
[dead]
halayli 24 days ago [-]
or not respond at all. On linux you can disable the rst behavior using
sysctl -w net.ipv4.tcp_reset_reject=0
jfuu 24 days ago [-]
Do I need a specific kernel module loaded for this? I just get:
sysctl: cannot stat /proc/sys/net/ipv4/tcp_reset_reject: No such file or directory
This also gives nothing:
sysctl -a | grep tcp_reset_reject
amyfp214 25 days ago [-]
the natural evolution of such an approach is to also seemingly advertise a variety of security holes.. and maintain a blacklist silently that feeds actual production systems as a firewall, should said hacker reach that point
> However, if implemented incorrectly, TARPIT can also lead to resource exhaustion in your own server, specifically with the conntrack module. That's because conntrack is used by the kernel to keep track of network connections, and excessive use of conntrack entries can lead to system performance issues, [...]
> The script below uses packet marks to flag packets candidate for TARPITing. Together with the NOTRACK chain, this avoids the conntrack issue while keeping the TARPIT mechanism working.
Haven't looked into this too deeply but there is a difference between delaying a response (requests get stuck in the tarpit) vs providing a useless but valid response. This approach always provides a response, so it uses more resources than ignoring the request, but less resources than keeping the connection open. Once the response is sent the connection can be closed, which isn't quite how a tarpit behaves. The Linux kernel only needs to track open requests in memory so if connections are closed, they can be removed from the kernel and thus use no more resources than a standard service listening on a port.
There is a small risk in that the service replies to requests on the port, though, as replies get more complicated to mimic services, you run the risk of an attacked exploiting the system making the replies. Another way of putting it, this attempts to run a server that responds to incoming requests on every port, in a way that mimics what might run on each port. If so, it technically opens up an attack surface on every port because an attacker can feed it requests but the trade-off is that it runs in user mode and could be granted nil permissions or put on a honeypot machine that is disconnected from anything useful and heavily tripwired for unusual activity. And the approach of hardcoding a response to each port to make it appear open is itself a very simple activity, so the attack surface introduced is minimal while the utility of port scanning is greatly reduced. The more you fake out the scanning by behaving realistically to inputs, the greater the attack surface to exploit, though.
And port scanning can trigger false postives in network security scans which can then lead to having to explain why the servers are configured this way and that some ports that should always be closed due to vulnerability are open but not processing requests, so they can be ignored, etc.
westurner 24 days ago [-]
The original Labrea Tarpit avoids DOS'ing it's own conntrack table somehow, too;
> bypass4netns uses sockets allocated on the host. It switches sockets in containers to the host's sockets by intercepting syscalls and injecting the file descriptors using Seccomp. Our method with Seccomp can handle statically linked applications that previous works could not handle. Also, we propose high-performance rootless multi-node communication. We confirmed that rootless containers with bypass4netns achieve more than 30x faster throughput than rootless containers without it
RunCVM, Kata containers, GVisor all have a better host/guest boundary than rootful or rootless containers; which is probably better for honeypot research on a different subnet.
IIRC there are various utilities for monitoring and diffing VMs, for honeypot research.
There could be a list of expected syscalls. If the simulated workload can be exhaustively enumerated, the expected syscalls are known ahead of time and so anomaly detection should be easier.
"Oh, like Ghostbusters."
immibis 24 days ago [-]
I tried something like that. It didn't work because the application added the socket to an epoll set before binding it, so before it could be replaced with a host socket. Replacing the file descriptor in the FD table doesn't replace it in epoll sets.
ajsnigrutin 24 days ago [-]
> it takes more than 8hours and 200MB of sent data in order to properly go through the reconessaince phase for your system ( nmap -sV -p - equivalent).
So, every automated portscan from a hacked machne will waste 200MB of my bandwidth?
sigio 23 days ago [-]
Yes, but it will also waste 200MB of the attacker's bandwidth, which is a more limited resource.
snvzz 25 days ago [-]
Cute as this is, most attackers aren't obsessed with you, but are looking at just one port, the one they have an exploit for.
And if you have that port open with a vulnerable service, they'll find and exploit it, irrespective of whether this tool is running.
TacticalCoder 25 days ago [-]
If it was the case that the way all attackers worked was to have one ready exploit and only scan the port on which that exploit could work, then why are there good guys even seeing port scanning at all?
debarshri 24 days ago [-]
What would be great is if there is a network call detected on port where there is no actual service listen, if the tool could create alerts and send it to SIEM it will create lot of value.
0xedd 24 days ago [-]
[dead]
TZubiri 24 days ago [-]
Or just don't
ENOTTY 25 days ago [-]
To speed up a comprehensive port probe with service discovery, one could use a few different systems on different IPs and divide the work.
pmarreck 24 days ago [-]
Well, that is certainly one way to attack the problem!
justmarc 24 days ago [-]
Bringing back fond memories of the happy 90s
stormbeard 25 days ago [-]
How is this better than configuring an iptables redirection?
zamadatix 25 days ago [-]
iptables only provides one of the two approaches detailed, namely the "ack" portion. For the "fake a random real service on each port" portion you'd need something additional like this.
PeterWhittaker 25 days ago [-]
Interesting concept, am curious how this withstands community review and analysis.
Bit puzzled though, by the statement made immediately after stating that it is GPL2: For commercial, legitimate applications, please contact the author for the appropriate licensing arrangements.
Since the GPL2 doesn't permit restricting what others do with GPLd software, I don't think this statement is doing what the author hopes; they might want to consult a lawyer.
(IANAL, etc., but there is nothing in there to prevent me, e.g., from building a business out of this, charging gazillions, and keeping it all for myself, provided I make the source available to my customers.)
ddulaney 25 days ago [-]
Provided you make the source for any derivative works available to your customers.
It’s not uncommon that in situations where that’s undesirable (e.g. a closed-source C library that statically links a GPL’d project) that the library owner pays a fee for a separate license allowing that closed-source distribution.
Also, this is sometimes done when it’s not strictly legally necessary, either for risk avoidance or as a way to support the project in corporate environments where “licensing fee” gets waved through but “donation” gets blocked.
ijustlovemath 25 days ago [-]
I believe the this doesn't apply if you're using existing APIs or using GPL code as a library, otherwise many many corporate codebases would be forced to be open sourced.
mlyle 25 days ago [-]
GPL absolutely applies when using a library (unless a separate exception has been made). Of course, the LGPL is often used for libraries when this isn't desired by the author.
thayne 25 days ago [-]
> or using GPL code as a library
No. The copyleft nature still applies to libraries. That's why the LGPL exists. And the exception in the license for gcc for programs compiled by gcc.
jesprenj 25 days ago [-]
Only if you distribute the binary/source of the GPLd library. You may build a non-GPL program that dynamically links with a GPL library and freely distribute it. As long as your program does not contain copyrightable code, you do not have to comply with the licence requirements, because you do not need a licence at all to do that. Same applies for static linking if you only distribute the source and require your users compile the program themselves.
This is not limited to GPL, but applies to proprietary libraries as well. It's OK to require a proprietary library at runtime and you don't need a licence to do that. As long as you do not distribute some intellectual property, copyright law and its limitations are not applicable at all.
This sounds quite assertive, so compulsory "IANAL, this is just my interpretation".
spauldo 24 days ago [-]
This all sounds awful close to the whole CLISP/ReadLine debacle. Basically, CLISP (a Lisp implementation) originally linked to ReadLine, a GNU library under the GPL. Richard Stallman argued that the author of CLISP had to remove ReadLine or license CLISP under the GPL.
The author originally created his own non-GPL library with the same interface as ReadLine and distributed that, noting that the user could (at their own option) link CLISP with GNU ReadLine instead if they wanted that functionality. Stallman argued that wasn't sufficient.
In the end, CLISP ended up being relicensed to GPL. Note though that no judge ever looked at it, so things might have turned out differently if it had gone to court.
immibis 25 days ago [-]
Note that if your program is very intertwined with the library, it might still be considered a derivative work.
The Linux kernel has opinions about this: symbols marked with EXPORT_SYMBOL are considered symbols that every operating system would have, so using them doesn't mean you are writing a derivative work. Symbols market with EXPORT_SYMBOL_GPL are considered implementation details so specific to Linux that if you use them, you can't say that your module isn't derivative of Linux.
Henchman21 25 days ago [-]
I love these progressively more descriptive details about the GPL/LGPL. It's like a manifestation of the Futurama "You are technically correct; the best kind of correct" meme
dijit 25 days ago [-]
You can buy your way out of the GPL if the authors are willing to relicense.
Agreed, cf other comments below. My impression is that that is what this person hopes for and that they think that somehow the GPL prevents others from using this code commercially, which it manifestly does not. (Such use would be subject to the GPL, of course.)
pc486 25 days ago [-]
I believe the author is saying they're willing to relicense the software for commercial integrations.
PeterWhittaker 25 days ago [-]
I believe you're right, that was my conclusion as well. I'm not sure that that will accomplish what they hoped.
To continue my original example, I could, in theory, take this code, ensure that it works with arbitrary independent pseudo-services, create my own such services, under a proprietary licence, and distribute the whole as an aggregate, which is permitted by the GPL.
The author likely seeks to provide commercial licensing for those interested in integrating their pseudo-services as libraries, which would require either that they be GPLd or that the original code be licensed in some other way.
I hope the author achieves the success they hope for without the licensing and legal hell they may have set themselves up for. It can be a great disappointment to have one's work turned into someone else's success by a someone or someones with more legal and licence cunning than one's self.
(Note: that ain't me, I've just seen that exact scenario playout more than a fair few times....)
tptacek 25 days ago [-]
Yes, people can do that. It's inconvenient and risky, so serious customer prospects will pay to avoid it. This is one of the more common open source commercialization strategies; one of the earlier examples is Sleepycat.
kiririn 25 days ago [-]
The original copyright holder can enforce what they like
PeterWhittaker 25 days ago [-]
Not quite: once you GPL something, while you retain copyright and can licence it in other ways, the GPL itself forbids you from restricting what others can do with it if they take it under the GPL; the one thing they cannot do is change its licence, but you cannot prevent them from selling it, e.g. The FSF are very, very clear on this.
tptacek 25 days ago [-]
You don't care, because whatever a GPL taker does, they're still bound by the viral copyleft, you're not, and you can sell that privilege to others.
PeterWhittaker 25 days ago [-]
Not if the original author stills holds the copyright, which is likely the case: the GPL does NOT remove your copyright, and in fact depends upon it.
tptacek 25 days ago [-]
I understand us to be talking about the options available to the original copyright holder, yes.
25 days ago [-]
throwaway984393 25 days ago [-]
[dead]
locusofself 25 days ago [-]
Could this not trivially be accomplished with a service listening on one port and 'iptables' rules?
tredre3 25 days ago [-]
Per the README
it binds to just ONE tcp port per a running instance !
Configure your firewall rules:
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 1:65535 -j REDIRECT --to-ports 4444
phoronixrly 25 days ago [-]
> By using those two techniques together:
> your attackers will have a tough time while trying to identify your real services.
So... Security through obscurity?
> the only way to determine if a service is emulated is through a protocol probe (imagine probing protocols for 65k open ports!).
So... Security through obscurity?
> it takes more than 8hours and 200MB of sent data in order to properly go through the reconessaince phase for your system ( nmap -sV -p - equivalent).
So... Security through obscurity?
Idk... Maybe I am not versed enough in infosec but this also begs the question are you not attracting more interest if your system lights up green for an exposed Redis instance for an adversary to notice you and take a closer look for anything else vulnerable.
commandar 25 days ago [-]
>So... Security through obscurity?
This is not a valid criticism on its own.
Security through obscurity is bad when obscurity is the only thing stopping an attacker. It's a meme because obscurity is not a substitute for stronger security mechanisms. That does not mean it cannot be an appropriate compliment to them, however.
If I wanted to hide a gold bar, sticking it in an open hole behind a painting on the wall wouldn't be particularly great security. As soon as a robber found the hole, the entirety of my security is compromised.
If I put it in a safe on the wall, it's much more secure. The robber has to drill through the lock to get the gold bar.
If I put it in a safe behind a painting on the wall, the robber has to discover that there's a safe there before they're able to attempt drilling through it. Bypassing the painting is trivial compared to bypassing the safe, but the painting reduces the chance of the actual safe being attacked (up until it doesn't!)
Security should be layered. Obscurity will generally be the weakest of those layers, but that doesn't mean that it has no value. As long as you're not using obscurity as a replacement for stronger mechanisms, there's nothing wrong with leveraging it as part of a larger overall security posture.
dcsommer 25 days ago [-]
Accepted cryptography is also security through obscurity. The thing is that the amount of obscurity must be quantified. Cryptanalysis allows one to calculate these quantities of "obscurity." Then, a full study of effectiveness combines that with the costs associated with brute-forcing the bounds arrived at by the cryptanalysis.
Other parts of infosec are the same, but often with less well-quantified measures of effectiveness. E.g. memory hardening techniques like FORTIFY_SOURCE and MTE are effective in raising the difficulty of exploiting memory vulnerabilities, but under some conditions the vulnerabilities may still be exploitable.
Before using labels like "security through obscurity" one has to first answer: how much does the technique raise the cost for attackers? This is what articles about security systems (including this one) should focus on. In the end, hacking, like most things, comes down to economics.
phoronixrly 25 days ago [-]
How much do you think this tool raises the cost for attackers?
altairprime 25 days ago [-]
Most modern attacks succeed by remaining undetected and this directly counters that. When combined with “every IP address responds to ARP and ICMP” (as discussed recently), you can make it impossible for an attacker to scan your network without firing off a honeypot alarm that introduces increasing packet loss on the attacker’s host as scans continue, providing enough time for an oncall human to finish what they’re doing and get to a keyboard to deal with the intrusion.
The next level of value for this is to TLS-encrypt random traffic between ports and hosts on the network, generated and injected by the switch into each network port, so that sniffing traffic is not an effective discovery mechanism. After that, address and port randomization of servers using a time-linked randomization seed stored in an HSM, so that attackers have no way to pierce the onion skin if they lose control of the HSM-bearing host.
This is all the natural outgrowth of container approaches, but in labor terms is nightmarishly complicated if you aren’t willing to spend for it.
idunnoman1222 24 days ago [-]
No, instead of dropping all the packets into a black hole, you could put the packets into a hey we just got a scan request pile and if the pile is bigger than some heuristic call the on-call guy it’s completely unnecessary to respond to him to have this functionality
anyfoo 25 days ago [-]
The “cost” includes all resources, including time. Some classes of attackers will be significantly slowed down by this.
mannyv 25 days ago [-]
People who criticize 'security through obscurity' don't know how hard it is to reverse engineer shit.
Either that or they're researchers or adversaries playing a game. Because trying to figure out WTF is going on is hard, so any clues you can extract from your targets makes things easier.
voidfunc 24 days ago [-]
Agree, a lot of people misunderstand the purpose of security through obscurity.. it's a layer on top of other layers of security designed to waste attacker time. If your attacker is a nation state that's probably not going to stop it, but it might stop a lot of other lesser threats who realize it's not worth the effort.
tw04 25 days ago [-]
When you see someone probing every single port on the box, you know they’re either a bad actor, or a security tool. No legit user is going to keep hammering ports without a known service.
Bad actors you can either block or counter attack. Security tools should be registering their address with whatever internal tracker you’re using so they can be white listed.
phoronixrly 25 days ago [-]
> When you see someone probing every single port on the box, you know they’re either a bad actor
That is not what the tool is for though... It is a tool specifically made to hinder... IDK... Making any information out of an NMAP scan?
ryan-c 25 days ago [-]
The objective here is to give script kiddies and other spray-and-pray attackers the finger.
phoronixrly 25 days ago [-]
How does it do that though?
You light up in a skid's Internet-wide scan for let's say Redis. They try and fail to dump anything from it so they proceed and run a vulnerability scanner on your host (skids gonna skid)... It proceeds to discover IDK... a trivial SQLi you coded like a dumbass...
anyfoo 25 days ago [-]
It’s literally an arms race. You make it more expensive for attackers to progress. Yes, security through obscurity is bad on its own, but it’s not necessarily useless as an additional measure.
For a similar concept, look at the delay you get after entering a password wrong to a login prompt: That technically does not add any barrier whatsoever, but it does make it much harder for an attacker to brute force the password.
rvba 25 days ago [-]
They try to run some other attack on you. For something you dont have.
If more servers use the tool, they waste attacker's time. A bit like herd immunity
wakawaka28 25 days ago [-]
Security through obscurity is somewhat helpful even though it can be defeated. Take camouflage and honeypots for example. It would probably be unwise to use this without a thorough audit of the code however.
anyfoo 25 days ago [-]
Look up post-exploit mitigations, such as ASLR and pointer authentication. These are mechanisms that only become relevant when software has already been breached. In most cases, they cannot entirely prevent further progress by the attacker, just make it significantly harder.
Port 0 is a port some operating systems can and do host services on accessible over the Internet.
Also - if there's any MariaDB devs reading this - your default setting making the database listen on port 0 to disable Internet access does not, in fact, disable Internet access of the DB for quite a few thousand systems.
https://github.com/MariaDB/server/blob/ae998c22b2ce4f1023a6c...
> if (mysqld_port)
> activate_tcp_port(mysqld_port, &listen_sockets, false);
if (mysqld_port) means "if mysqld_port is different from 0"
This seems to be at least in MariaDB 5.5 (year 2012)
So I don't know if the check you're referencing is evaluated when someone sets their instance of MariaDB to "not" be internet accessible.
Binding with port 0 as argument for AF_INET binds a random available port, not port 0. This is documented behavior of Linux and likely every other OS implementing a BSD-style socket interface.
Also note that ufw is just a tiny, non-standard wrapper for the much more powerful nftables/iptables interfaces
> Portspoof can be used as an 'Exploitation Framework Frontend', that turns your system into responsive and aggressive machine. In practice this usually means exploiting your attackers' tools and exploits
I'd actually be curious to know if this seemingly ~10 year old software still works. Also how much bandwidth it uses, CPU/RAM etc.
One day, IT will become time served but not today.
I wholeheartedly recommend reading „Immune“ by Phillip Dettmer: https://www.amazon.de/dp/0593241312
I also suffer from severe asthma and allergies, both of which are, by all accounts, not normal or wanted responses of the immune system, not to mention of the low-end of the horror spectrum when it comes to immune function that is terrifyingly harmful to the host.
It is an exceptionally complex and wonderous thing, but where we diverge is in thinking of it as a "marvel of engineering" or any other prose that implies some sort of guiding hand. It is a far from perfect system, and gets things wrong often enough that we have a global industry creating products to control it.
Heh. It's hard to talk about the way things have been shaped by evolution without implying an actor, because our vocabulary is so very shaped by our subjective experience. I, personally, am reasonably certain that there is no creator in whatever sense. Yet, I'm still awestruck at the ingenuity life on our planet has shown, and the immune system is a never-ending source of wonder to me.
And while it surely isn't perfect, if we were to look at the raw numbers of incidents versus the number of adversary action against your body—that would be pretty darn near perfect.
http://web.archive.org/web/20020610054821/http://www.sourtim...
Indeed, I'd love to use your stuff.
[1] https://theswissbay.ch/pdf/Gentoomen%20Library/Security/0321...
[2] https://news.ycombinator.com/item?id=26440139
I doubt that most script kiddies are filtering out potential honeypots/things like this from their tools.
If you assume that scanning/attacking each port on each server takes about the same effort, you are better off finding a machine where the scan/attack has a higher chance of being successful, even if you can tell which ports are spoofed and not worth attacking.
Maybe you can run portspoof locally on 127.0.0.35 and compare which responses seem different (data, timings) from what you get back, but the space is suddenly 5000x bigger than the handful of ports that normally seem to be open and ports on other servers may seem more likely to yield success.
By default, return nonsense on all ports. But once a certain access sequence has been detected from a source IP, redirect traffic to a specific port from just that IP to your real service.
If you are specifically getting targeted, there might be a slight delay by having the adversary try and exploit the honeypot ports, but if you're running a vulnerable service you still get exploited.
Also if you're a vendor, when prospective customers security teams scan you, you'll have some very annoying security questionnaires to answer.
I work with a number of overseas clients where getting extra IPv4 is nearly impossible. I'll see them setup a ip forwarding box to tons of different applications. That application may have its own reverse proxy serving even more stuff.
The real world has some scary things in it.
You could also easily tweak it to have the ports spread on a few different IP addresses instead of a single one. That would make them much less obvious.
A honeypot is used to attract and detect an attacker, usually logging their actions and patterns for analysis or blocking. This tool could use more logging beyond just iptables, and sure it’s not _by itself_ a honeypot, but the idea isn’t that far off.
All that aside, the GitHub page suggests this “enhances OS security” which I don’t buy one bit. Sure it provides some obfuscation against automated service scanners, but if you have a MySQL server listening on 3306, and an attacker connects to 3306, they’re still talking to MySQL. Doesn’t matter if all the other 65534 ports are serving garbage responses.
How does that work? Do you need to run 65535 instances to cover all ports?
Then it calls getsockopt to find out what the original port was: https://github.com/drk1wi/portspoof/blob/c3f3c34531c59df229e...
This would indeed be pants-on-head for UDP.
CORRECTION: This was actually name "Fraggle". [3] Smurf involved ICMP flooding.
I remember seeing these on EFnet IRC in the 90s. Since the code is so ancient, I thought I'd share it. I'm sure these would be useless in modern times, but they're an interesting bit of internet history. It also hilarious to look at the comments and see old IRC handles you recognize. Who remembers napster before he developed the p2p software that made him famous?
Pepsi.c https://cdn.preterhuman.net/texts/underground/hacking/exploi...
This site has loads of old historic exploits preserved one folder up.
Smurf.c https://gist.github.com/JasonPellerin/2eecbf1f7e49750d2249
[1] https://en.wikipedia.org/wiki/Character_Generator_Protocol?w...
[2] https://en.wikipedia.org/wiki/Echo_Protocol?wprov=sfla1
[3] https://en.wikipedia.org/wiki/Smurf_attack?wprov=sfla1
Fun times. I miss those days.
Tarpit (networking) https://en.wikipedia.org/wiki/Tarpit_(networking)
/? inurl:awesome tarpit https://www.google.com/search?q=inurl%3Aawesome+tarpit+site%...
"Does "TARPIT" have any known vulnerabilities or downsides?" https://serverfault.com/questions/611063/does-tarpit-have-an...
https://gist.github.com/flaviovs/103a0dbf62c67ff371ff75fc62f... :
> However, if implemented incorrectly, TARPIT can also lead to resource exhaustion in your own server, specifically with the conntrack module. That's because conntrack is used by the kernel to keep track of network connections, and excessive use of conntrack entries can lead to system performance issues, [...]
> The script below uses packet marks to flag packets candidate for TARPITing. Together with the NOTRACK chain, this avoids the conntrack issue while keeping the TARPIT mechanism working.
The tarpit module used to be in tree.
xtables-addons/ xt_TARPIT.c: https://github.com/tinti/xtables-addons/blob/master/extensio...
There is a small risk in that the service replies to requests on the port, though, as replies get more complicated to mimic services, you run the risk of an attacked exploiting the system making the replies. Another way of putting it, this attempts to run a server that responds to incoming requests on every port, in a way that mimics what might run on each port. If so, it technically opens up an attack surface on every port because an attacker can feed it requests but the trade-off is that it runs in user mode and could be granted nil permissions or put on a honeypot machine that is disconnected from anything useful and heavily tripwired for unusual activity. And the approach of hardcoding a response to each port to make it appear open is itself a very simple activity, so the attack surface introduced is minimal while the utility of port scanning is greatly reduced. The more you fake out the scanning by behaving realistically to inputs, the greater the attack surface to exploit, though.
And port scanning can trigger false postives in network security scans which can then lead to having to explain why the servers are configured this way and that some ports that should always be closed due to vulnerability are open but not processing requests, so they can be ignored, etc.
LaBrea.py: https://github.com/dhoelzer/ShowMeThePackets/blob/master/Sca...
La Brea Tar Pits and museum: https://en.wikipedia.org/wiki/La_Brea_Tar_Pits
The NERDctl readme says: https://github.com/containerd/nerdctl :
> Supports rootless mode, without slirp overhead (bypass4netns)
How does that work, though? (And unfortunately podman replaced slirp4netns with pasta from psst.)
rootless-containers/bypass4netns: https://github.com/rootless-containers/bypass4netns/ :
> [Experimental] Accelerates slirp4netns using SECCOMP_IOCTL_NOTIF_ADDFD. As fast as `--net=host`
Which is good, because --net=host with rootless containers is security inadvisable FWIU.
"bypass4netns: Accelerating TCP/IP Communications in Rootless Containers" (2023) https://arxiv.org/abs/2402.00365 :
> bypass4netns uses sockets allocated on the host. It switches sockets in containers to the host's sockets by intercepting syscalls and injecting the file descriptors using Seccomp. Our method with Seccomp can handle statically linked applications that previous works could not handle. Also, we propose high-performance rootless multi-node communication. We confirmed that rootless containers with bypass4netns achieve more than 30x faster throughput than rootless containers without it
RunCVM, Kata containers, GVisor all have a better host/guest boundary than rootful or rootless containers; which is probably better for honeypot research on a different subnet.
IIRC there are various utilities for monitoring and diffing VMs, for honeypot research.
There could be a list of expected syscalls. If the simulated workload can be exhaustively enumerated, the expected syscalls are known ahead of time and so anomaly detection should be easier.
"Oh, like Ghostbusters."
So, every automated portscan from a hacked machne will waste 200MB of my bandwidth?
And if you have that port open with a vulnerable service, they'll find and exploit it, irrespective of whether this tool is running.
Bit puzzled though, by the statement made immediately after stating that it is GPL2: For commercial, legitimate applications, please contact the author for the appropriate licensing arrangements.
Since the GPL2 doesn't permit restricting what others do with GPLd software, I don't think this statement is doing what the author hopes; they might want to consult a lawyer.
(IANAL, etc., but there is nothing in there to prevent me, e.g., from building a business out of this, charging gazillions, and keeping it all for myself, provided I make the source available to my customers.)
It’s not uncommon that in situations where that’s undesirable (e.g. a closed-source C library that statically links a GPL’d project) that the library owner pays a fee for a separate license allowing that closed-source distribution.
Also, this is sometimes done when it’s not strictly legally necessary, either for risk avoidance or as a way to support the project in corporate environments where “licensing fee” gets waved through but “donation” gets blocked.
No. The copyleft nature still applies to libraries. That's why the LGPL exists. And the exception in the license for gcc for programs compiled by gcc.
This is not limited to GPL, but applies to proprietary libraries as well. It's OK to require a proprietary library at runtime and you don't need a licence to do that. As long as you do not distribute some intellectual property, copyright law and its limitations are not applicable at all.
This sounds quite assertive, so compulsory "IANAL, this is just my interpretation".
The author originally created his own non-GPL library with the same interface as ReadLine and distributed that, noting that the user could (at their own option) link CLISP with GNU ReadLine instead if they wanted that functionality. Stallman argued that wasn't sufficient.
In the end, CLISP ended up being relicensed to GPL. Note though that no judge ever looked at it, so things might have turned out differently if it had gone to court.
The Linux kernel has opinions about this: symbols marked with EXPORT_SYMBOL are considered symbols that every operating system would have, so using them doesn't mean you are writing a derivative work. Symbols market with EXPORT_SYMBOL_GPL are considered implementation details so specific to Linux that if you use them, you can't say that your module isn't derivative of Linux.
Stallman was actually an advocate of doing this.
https://www.fsf.org/blogs/rms/selling-exceptions
To continue my original example, I could, in theory, take this code, ensure that it works with arbitrary independent pseudo-services, create my own such services, under a proprietary licence, and distribute the whole as an aggregate, which is permitted by the GPL.
The author likely seeks to provide commercial licensing for those interested in integrating their pseudo-services as libraries, which would require either that they be GPLd or that the original code be licensed in some other way.
I hope the author achieves the success they hope for without the licensing and legal hell they may have set themselves up for. It can be a great disappointment to have one's work turned into someone else's success by a someone or someones with more legal and licence cunning than one's self.
(Note: that ain't me, I've just seen that exact scenario playout more than a fair few times....)
> your attackers will have a tough time while trying to identify your real services.
So... Security through obscurity?
> the only way to determine if a service is emulated is through a protocol probe (imagine probing protocols for 65k open ports!).
So... Security through obscurity?
> it takes more than 8hours and 200MB of sent data in order to properly go through the reconessaince phase for your system ( nmap -sV -p - equivalent).
So... Security through obscurity?
Idk... Maybe I am not versed enough in infosec but this also begs the question are you not attracting more interest if your system lights up green for an exposed Redis instance for an adversary to notice you and take a closer look for anything else vulnerable.
This is not a valid criticism on its own.
Security through obscurity is bad when obscurity is the only thing stopping an attacker. It's a meme because obscurity is not a substitute for stronger security mechanisms. That does not mean it cannot be an appropriate compliment to them, however.
If I wanted to hide a gold bar, sticking it in an open hole behind a painting on the wall wouldn't be particularly great security. As soon as a robber found the hole, the entirety of my security is compromised.
If I put it in a safe on the wall, it's much more secure. The robber has to drill through the lock to get the gold bar.
If I put it in a safe behind a painting on the wall, the robber has to discover that there's a safe there before they're able to attempt drilling through it. Bypassing the painting is trivial compared to bypassing the safe, but the painting reduces the chance of the actual safe being attacked (up until it doesn't!)
Security should be layered. Obscurity will generally be the weakest of those layers, but that doesn't mean that it has no value. As long as you're not using obscurity as a replacement for stronger mechanisms, there's nothing wrong with leveraging it as part of a larger overall security posture.
Other parts of infosec are the same, but often with less well-quantified measures of effectiveness. E.g. memory hardening techniques like FORTIFY_SOURCE and MTE are effective in raising the difficulty of exploiting memory vulnerabilities, but under some conditions the vulnerabilities may still be exploitable.
Before using labels like "security through obscurity" one has to first answer: how much does the technique raise the cost for attackers? This is what articles about security systems (including this one) should focus on. In the end, hacking, like most things, comes down to economics.
The next level of value for this is to TLS-encrypt random traffic between ports and hosts on the network, generated and injected by the switch into each network port, so that sniffing traffic is not an effective discovery mechanism. After that, address and port randomization of servers using a time-linked randomization seed stored in an HSM, so that attackers have no way to pierce the onion skin if they lose control of the HSM-bearing host.
This is all the natural outgrowth of container approaches, but in labor terms is nightmarishly complicated if you aren’t willing to spend for it.
Either that or they're researchers or adversaries playing a game. Because trying to figure out WTF is going on is hard, so any clues you can extract from your targets makes things easier.
Bad actors you can either block or counter attack. Security tools should be registering their address with whatever internal tracker you’re using so they can be white listed.
That is not what the tool is for though... It is a tool specifically made to hinder... IDK... Making any information out of an NMAP scan?
You light up in a skid's Internet-wide scan for let's say Redis. They try and fail to dump anything from it so they proceed and run a vulnerability scanner on your host (skids gonna skid)... It proceeds to discover IDK... a trivial SQLi you coded like a dumbass...
For a similar concept, look at the delay you get after entering a password wrong to a login prompt: That technically does not add any barrier whatsoever, but it does make it much harder for an attacker to brute force the password.
If more servers use the tool, they waste attacker's time. A bit like herd immunity
Similar principle (only on the other end).