Serving false signatures to attack scanners with Portspoof

Flytrap

Article from Issue 160/2014
Author(s):

The Internet is a tough place to live – especially for publicly accessible computers. A small tool called Portspoof makes port scanning a real challenge for attackers.

Seasoned attackers, and even some amateur cyber-vandals, find sport in trying to scan servers and hijack them at the same time (Figure 1). Firewalls and Intrusion Detection/Prevention systems can help, but if a single tool could truly stop all potential attacks, the Internet intrusion industry wouldn't even exist.

Figure 1: Number of unuathorized login attempts on the author's network in a two-month period (by country or origin).

A professional intrusion attempt is typically preceded by reconnaissance and scanning. Many attackers simply perform a scan, which is easily automated with tools like Nmap. An attacker who discovers a firewall and similar defensive system can often guess which ports and services are worth attacking. However, a tool called Portspoof [1] intervenes to cause complications and confusion for the attacker. Portspoof answers port requests with a wild mix of signatures and payloads. This confusing and unwanted information slows down any attempted port scan, forcing the attacker to manually evaluate the results in a time-consuming process.

[...]

Use Express-Checkout link below to read the full article (PDF).

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Netfilter's Recent Module

    Netfilter’s Recent module builds a temporary blacklist to keep intruders off your network.

  • Books

    Reviews of O'Reilly's Beautiful Code: Leading Programmers Explain How They Think, Prentice Hall's The Official Damn Small Linux Book, and Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort from No Starch Press.

  • Customizing PortSentry

    PortSentry monitors your ports and lets you know when they’ve been scanned.

  • Nmap Methods

    How does the popular Nmap scanner identify holes in network security? In this article, we examine some Nmap analysis techniques.

  • Building a Rasp Pi IDS

    An intrusion detection system was once considered too complicated and too expensive for a home network, but nowadays you can use a Raspberry Pi and the Suricata IDS for real-time notice of an incoming attack.

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More

News