25 comments

  • rockskon2 天前
    *65536 ports

    Port 0 is a port some operating systems can and do host services on accessible over the Internet.

    Also - if there's any MariaDB devs reading this - your default setting making the database listen on port 0 to disable Internet access does not, in fact, disable Internet access of the DB for quite a few thousand systems.

    • rvnx1 天前
      MariaDB explicitly checks if the port is non-zero before listening on a TCP socket:

      https://github.com/MariaDB/server/blob/ae998c22b2ce4f1023a6c...

      > if (mysqld_port)

      > activate_tcp_port(mysqld_port, &listen_sockets, false);

      if (mysqld_port) means "if mysqld_port is different from 0"

      This seems to be at least in MariaDB 5.5 (year 2012)

      • rockskon1 天前
        And if you set MariaDB to not have Internet connectivity, it attempts to accomplish this by setting the TCP port to 0. Ostensibly because it's not supposed to be a valid TCP port, except it actually is on thousands and thousands of systems.

        So I don't know if the check you're referencing is evaluated when someone sets their instance of MariaDB to "not" be internet accessible.

        • qzzi22 小时前
          This is the place where the listening socket is initialized, and you can see that if the port is 0, it doesn't do anything. Are you observing different behavior?
    • Avamander2 天前
      You can even use it under Linux if you wish btw, you just can't bind to it, but you can have your firewall redirect port 0 to something else.
      • rockskon2 天前
        You can bind to it on some versions of Linux. I've scanned a bunch of Linux systems that host stuff on port 0.
        • BitPirate2 天前
          Your observation doesn't contradict the use of firewall rules to accomplish this.
          • rockskon2 天前
            It's not some ufw rule that normally prevents hosting a service on port 0.
            • arghwhat1 天前
              That's not what was said. They said that a firewall rule can redirect traffic coming in on port 0 to a running service even when a service cannot bind directly to port 0.

              Binding with port 0 as argument for AF_INET binds a random available port, not port 0. This is documented behavior of Linux and likely every other OS implementing a BSD-style socket interface.

              Also note that ufw is just a tiny, non-standard wrapper for the much more powerful nftables/iptables interfaces

  • kibwen2 天前
    It feels inevitable that computer security will continue evolving towards "active defense" typified by approaches like the above. Look at how complex and many-layered your immune system is, and consider that eventually your computer and/or network will resemble that as well.
    • Laforet2 天前
      IMO this is still a passive type of security through obfuscation. Active defence would be more like returning zip bombs to known intruders in order to crash the process.
      • orev2 天前
        It appears it can be configured to actively return attacks:

        > Portspoof can be used as an 'Exploitation Framework Frontend', that turns your system into responsive and aggressive machine. In practice this usually means exploiting your attackers' tools and exploits

        • pogue2 天前
          I can't seem to figure out how this would work or what this mean. Most of the links to the documentation seem to be missing.

          I'd actually be curious to know if this seemingly ~10 year old software still works. Also how much bandwidth it uses, CPU/RAM etc.

          • pixl971 天前
            There's tons of client software that can be exploited if you send a dangerous payload to it. Think of an exploitable version of Curl that will fail if it receives a bad http header.
          • orev1 天前
            I would guess that it fingerprints the scanning software (e.g. metasploit), then feeds a payload back to it that has a known exploit in the scanning script.
      • 2 天前
        undefined
    • gerdesj2 天前
      IT is growing up gradually. It's only had a few decades to worry about security and I've seen most of them.

      One day, IT will become time served but not today.

    • 0xEF2 天前
      I'm not sure I like this analogy since the immune system regularly malfunctions and damages the host (allergies, cancer, etc) but then again, it does draw some concerning parallels,.
      • 9dev1 天前
        The immune system is an incredible marvel of engineering, protecting you against an infinite number of attack vectors without any online database update after initial installation. It develops countermeasures on the fly, deploys layers of Defense that coordinate intelligently as a swarm, and keeps track of which molecules belong to „you“ while those molecules keep replacing themselves with those obtained from the outside. It constantly ingests signals from billions of sensors over your body which function as first-responder Defense measures as well as repair kits AND evidence capsules for the cavalry that rolls in later. And that’s just a sliver of all the ingenious ways the immune system works.

        I wholeheartedly recommend reading „Immune“ by Phillip Dettmer: https://www.amazon.de/dp/0593241312

        • 0xEF1 天前
          I own a copy. It's a great book.

          I also suffer from severe asthma and allergies, both of which are, by all accounts, not normal or wanted responses of the immune system, not to mention of the low-end of the horror spectrum when it comes to immune function that is terrifyingly harmful to the host.

          It is an exceptionally complex and wonderous thing, but where we diverge is in thinking of it as a "marvel of engineering" or any other prose that implies some sort of guiding hand. It is a far from perfect system, and gets things wrong often enough that we have a global industry creating products to control it.

          • 9dev1 天前
            > […] thinking of it as a "marvel of engineering" or any other prose that implies some sort of guiding hand.

            Heh. It's hard to talk about the way things have been shaped by evolution without implying an actor, because our vocabulary is so very shaped by our subjective experience. I, personally, am reasonably certain that there is no creator in whatever sense. Yet, I'm still awestruck at the ingenuity life on our planet has shown, and the immune system is a never-ending source of wonder to me.

            And while it surely isn't perfect, if we were to look at the raw numbers of incidents versus the number of adversary action against your body—that would be pretty darn near perfect.

        • r00f1 天前
          then vaccination is online database update through forced learning
    • TZubiri1 天前
      Our skin doesn't pretend to be a mouth I don't think.
      • cbzbc1 天前
        But within nature there are examples of this kind of mimicry - i.e butterfly wings pretending to be predators eyes.
        • TZubiri1 天前
          Having all ports open is not a butterfly pretending to be a predator. It's a butterfly pretending to be everything, including other prey that would attract other predators.
      • pixl971 天前
        Add a little DMSO and you can fix that.
    • AtlasBarfed1 天前
      AI should enable high quality and deep honeypots. It's perfect for the current llm capabilities... Just look good enough.
      • RF_Savage1 天前
        Sounds like an easy target for DoS.
  • sedatk2 天前
    I had made a similar attempt at stopping email crawler spambots by creating a web page that produces infinite random email addresses.

    http://web.archive.org/web/20020610054821/http://www.sourtim...

      • sedatk1 天前
        Didn’t know about that term, but it’s funny that an 18 year old Wikipedia article is still four years newer than my web site :)
    • pdimitar2 天前
      Am I missing something or is it truly infinite?
      • sedatk2 天前
        “Next page” link goes to the same page with entirely different set of addresses. So, it’s practically infinite for a crawler.
        • pdimitar1 天前
          Ohhhh I see, thanks for clarifying! Brain fart.

          Indeed, I'd love to use your stuff.

  • aidenn01 天前
    Be aware that if you run something like this, you will get dozens of bug bounty requests by people who scanned your machine and found "known vulnerable version of X" running.
  • wslh2 天前
    In the mid-90s, there was a honeypot product called CyberCop Sting[1], which predated Secure Networks' Ballista[2]. CyberCop Sting could simulate TCP and UDP services across various implementations. If I recall correctly, it also allowed the configuration of TCP/IP stacks to mimic the behavior of different operating systems. These features were particularly innovative almost 30 years ago.

    [1] https://theswissbay.ch/pdf/Gentoomen%20Library/Security/0321...

    [2] https://news.ycombinator.com/item?id=26440139

    • noufalibrahim2 天前
      Fascinating. I was going to ask if there were similar projects. It seems like an obvious thing to do and I was mildly surprised that it never occurred to me and majorly surprised that this was the first time I'm hearing about the idea.
  • veeter2 天前
    Wouldn't that inevitably end up with your server being more closely inspected (or at least more heavily trafficked) by hackers/bots?

    I doubt that most script kiddies are filtering out potential honeypots/things like this from their tools.

    • dietr1ch2 天前
      I guess it'll be obvious that a server is running portspoof after you find that 3 random services that nobody uses anymore seem to be running, but now that you know the host is up, which ports do you tinker with?

      If you assume that scanning/attacking each port on each server takes about the same effort, you are better off finding a machine where the scan/attack has a higher chance of being successful, even if you can tell which ports are spoofed and not worth attacking.

      Maybe you can run portspoof locally on 127.0.0.35 and compare which responses seem different (data, timings) from what you get back, but the space is suddenly 5000x bigger than the handful of ports that normally seem to be open and ports on other servers may seem more likely to yield success.

      • 1oooqooq1 天前
        only answer positively the first ones. use nmap os/service id database to emulate correct response per port.
    • ssklash2 天前
      I agree, returning legit banners on common ports is likely to get you looked at more rather than less, since most tools are not accounting for situations where every single port is open, indicating false positives. This is a common scenario on penetration tests, and while it does end up wasting time, I'd rather not give attackers any more reason to be looking at my infra. I would prefer port knocking, which is kinda of the polar opposite approach to this.
      • tugu772 天前
        Combine the two.

        By default, return nonsense on all ports. But once a certain access sequence has been detected from a source IP, redirect traffic to a specific port from just that IP to your real service.

        • billyhoffman1 天前
          So port knocking, but with also returning junk during the knocking process?
    • NBJack2 天前
      Not a network security expert, but the level of traffic necessary to figure out whats real would probably trip other detection mechanisms in the process.
    • varenc2 天前
      If you're worried about mass internet scans, I can see the downsides. But if you're worried about a targeted attacker scanning just your organization’s IP ranges, this seems like it would hinder them quite a bit.
    • kevin_nisbet1 天前
      Yea, thinking about it for a minute I would expect limited threat models this tool would help with. I think for broad attacks, this would only be somewhat effective if deployed on tens of millions of hosts so it becomes impractical because the adversary is just finding and interacting with the honeypots.

      If you are specifically getting targeted, there might be a slight delay by having the adversary try and exploit the honeypot ports, but if you're running a vulnerable service you still get exploited.

      Also if you're a vendor, when prospective customers security teams scan you, you'll have some very annoying security questionnaires to answer.

    • thayne2 天前
      You also now have to worry about vulnerabilities in portspoof.
      • tugu772 天前
        Put it in an otherwise airgapped dmz.
  • varun_ch1 天前
    I do something similar on my website: https://bini.wales returns 200 for all endpoints and logs all attempts, so it makes for a decent have a honeypot against automated attacks (mostly it just catches people mass scanning for vulnerable WordPress plugins or leftover backdoors). Similarly, https://varun.ch/login emulates a WordPress site (with a twist)
    • arghwhat1 天前
      You will get the WordPress scans regardless of what you return.
  • AbraKdabra2 天前
    Nice, I'm glad the word "honeypot" is never used, once I inherited a "true" honeypot and when I went to check it, it had like 30 ports opened, my reaction was literally "what the fuck is this crap" said out loud.
    • dylan6042 天前
      Isn't that precisely what a honeypot is meant to do though? Having ports open so that script kiddies get excited they get access to something, but the something just isn't anything? Having a honeypot that is locked down doesn't really seem like a honeypot at that point
      • AbraKdabra1 天前
        I do red team, if I see a server with 20+ ports I'll immediately assume it's a honeypot and will stop scanning it. If you are part of a blue team you WANT them to waste time, not instantly know it's a honeypot, that's what I meant for specifically this software.
        • pixl971 天前
          Then you're missing out on juicy stuff...

          I work with a number of overseas clients where getting extra IPv4 is nearly impossible. I'll see them setup a ip forwarding box to tons of different applications. That application may have its own reverse proxy serving even more stuff.

          The real world has some scary things in it.

        • cafeinux1 天前
          So what you're saying is that I should open 30 ports on my critical servers so that they are ignored as honeypots by the attackers? Noted.
          • AbraKdabra1 天前
            I mean sure, absolutely go for it, don't forget to tell me the IP so I can add it to my ignore list.
            • cafeinux1 天前
              Sure, here you are! 127.0.0.1 Thank you for your thoughtfulness.
            • dylan6041 天前
              If you’re a red team member that needs to be told this type of information, you’re not very good at it. You just said this is something you do on your own, so why would you need to be told about it? Either you do it or you don’t.
              • 1 天前
                undefined
              • AbraKdabra1 天前
                youdidntgetthejoke.jpg
        • dylan6041 天前
          I remember the first box I ever built that went online before I had any clue about what I was doing. It had to have looked like a honeypot. Then someone knowledgeable helped me and started shutting things down. They also mentioned Debian being designed as essentially opt-in instead of opt-out to precisely avoid this issue
          • AbraKdabra1 天前
            Exactly, most people confuse the fact that a server being a honeypot doesn't mean "HEY SCAN ME HEY I'M A HONEYPOT SCAN ME SO I CAN GET FREE INFO", you need a balance between exposing yourself and being authentic so the person on the other side doesn't tap Ctrl-C at the sight of a lot of ports opened. I'm mean sure, you'll get a ton of info from bots, but if you're truly using a honeypot for R&D you want the true hackers to knock on your door.
        • remram1 天前
          I think what's neat is that this tool can reply to so many protocols/ports, you can enable whichever subset you want.

          You could also easily tweak it to have the ports spread on a few different IP addresses instead of a single one. That would make them much less obvious.

      • londons_explore2 天前
        The usual trick is to have many pots, each of which is mostly but not entirely locked down.
    • treesknees2 天前
      Perhaps one of us misunderstands the term honeypot, it could be me, but IMO this seems perfectly usable to create a honeypot system on your network.

      A honeypot is used to attract and detect an attacker, usually logging their actions and patterns for analysis or blocking. This tool could use more logging beyond just iptables, and sure it’s not _by itself_ a honeypot, but the idea isn’t that far off.

      All that aside, the GitHub page suggests this “enhances OS security” which I don’t buy one bit. Sure it provides some obfuscation against automated service scanners, but if you have a MySQL server listening on 3306, and an attacker connects to 3306, they’re still talking to MySQL. Doesn’t matter if all the other 65534 ports are serving garbage responses.

      • skeledrew2 天前
        All the responses look legitimate though, so even if someone does hit that MySQL, they'll be hard pressed determining it's not part of the noise of the other 65.5k legitimate-seeming responses. They'll just be wasting resources trying to get beyond such a broad surface to gain any depth. And if they already know to target MySQL (or any other particular service), it's all moot in any case, but also they wouldn't be doing a spectrum scan.
      • robertlagrant2 天前
        But how do you know it's real? You might be running Postgres on 5432 and them connecting to 3306 might respond with a lookalike mysql.
        • jaktet2 天前
          I would imagine the amount of time someone spends “investigating” a port like 3306 is the amount of time it takes for the existing automated software to run a check to see if the mysql server is vulnerable. So unless the service on 3306 is able to spoof a vulnerable mysql server, they don’t care if it’s real or not. They just care if their tool reports a vulnerable service.
          • robertlagrant1 天前
            Why would they only care about that if they're trying to hack into a system?
            • jaktet1 天前
              Unless they are specifically targeting that system my assumption would be that they are just looking for open ports for known services, then if found checking if exploits work or not, and if not move on. I could very well be wrong but from a practical standpoint I can’t imagine this service mattering to someone that is running a program to scan for open ports with vulnerabilities.
              • robertlagrant1 天前
                I might just be regurgitating the article, but isn't the point that it can massively increase the time and effort it takes to scan a system for valid vulnerabilities?
                • jaktet1 天前
                  What I’m saying though is that if I were running a script like this, unless I’m targeting a specific ip, I would just be scanning known ports for known vulnerabilities. I wouldn’t be scanning every single port.
      • AbraKdabra1 天前
        I do red team, if I see a server with 20+ ports I'll immediately assume it's a honeypot and will stop scanning it. If you are part of a blue team you WANT them to waste time, not instantly know it's a honeypot, that's what I meant for specifically this software.
  • yonatan80702 天前
    > it binds to just ONE tcp port per a running instance !

    How does that work? Do you need to run 65535 instances to cover all ports?

  • halayli1 天前
    or not respond at all. On linux you can disable the rst behavior using

      sysctl -w net.ipv4.tcp_reset_reject=0
    • jfuu1 天前
      Do I need a specific kernel module loaded for this? I just get:

        sysctl: cannot stat /proc/sys/net/ipv4/tcp_reset_reject: No such file or directory
      This also gives nothing:

        sysctl -a | grep tcp_reset_reject
  • PaulAJ2 天前
    Would this also be potentially a DoS amplifier? If you sent it the right spoof packets, would it return a lot of packets to the apparent origin?
    • ryan-c2 天前
      For TCP services, it won't send a large packet until the "client" provides a correct ACK packet to complete the three way handshake.

      This would indeed be pants-on-head for UDP.

    • cryptonector2 天前
      Amplification attacks are mainly a concern with UDP because UDP does not have a return routability check, while TCP does.
      • pogue2 天前
        This sent me down a rabbit hole remembering the DDoS attacks the skids were coming up with in the 90s. The famous Pepsi & Smurf attacks that would spoof a connection from one server running CHARGEN [1] and send it to another running ECHO [2] and it would just send an endless flood of characters to the victim. It might have been one of, if not, the first distributed denial of service attacks. It's wild to think people would leave all the ports open on their servers that would just spew endless characters and etc. Those were the days when everyone was so open and trusting of other users on the internet.

        CORRECTION: This was actually name "Fraggle". [3] Smurf involved ICMP flooding.

        I remember seeing these on EFnet IRC in the 90s. Since the code is so ancient, I thought I'd share it. I'm sure these would be useless in modern times, but they're an interesting bit of internet history. It also hilarious to look at the comments and see old IRC handles you recognize. Who remembers napster before he developed the p2p software that made him famous?

        Pepsi.c https://cdn.preterhuman.net/texts/underground/hacking/exploi...

        This site has loads of old historic exploits preserved one folder up.

        Smurf.c https://gist.github.com/JasonPellerin/2eecbf1f7e49750d2249

        [1] https://en.wikipedia.org/wiki/Character_Generator_Protocol?w...

        [2] https://en.wikipedia.org/wiki/Echo_Protocol?wprov=sfla1

        [3] https://en.wikipedia.org/wiki/Smurf_attack?wprov=sfla1

        • esseph2 天前
          I remember. I was hanging out in #ansi and #hav0k on EFNet at the time with nyt, soldier, v9, Napster, etc.

          Fun times. I miss those days.

    • throwaway9843932 天前
      [dead]
  • amyfp2142 天前
    the natural evolution of such an approach is to also seemingly advertise a variety of security holes.. and maintain a blacklist silently that feeds actual production systems as a firewall, should said hacker reach that point
  • westurner2 天前
    How does this compare to a tarpit?

    Tarpit (networking) https://en.wikipedia.org/wiki/Tarpit_(networking)

    /? inurl:awesome tarpit https://www.google.com/search?q=inurl%3Aawesome+tarpit+site%...

    "Does "TARPIT" have any known vulnerabilities or downsides?" https://serverfault.com/questions/611063/does-tarpit-have-an...

    https://gist.github.com/flaviovs/103a0dbf62c67ff371ff75fc62f... :

    > However, if implemented incorrectly, TARPIT can also lead to resource exhaustion in your own server, specifically with the conntrack module. That's because conntrack is used by the kernel to keep track of network connections, and excessive use of conntrack entries can lead to system performance issues, [...]

    > The script below uses packet marks to flag packets candidate for TARPITing. Together with the NOTRACK chain, this avoids the conntrack issue while keeping the TARPIT mechanism working.

    The tarpit module used to be in tree.

    xtables-addons/ xt_TARPIT.c: https://github.com/tinti/xtables-addons/blob/master/extensio...

    • lstamour2 天前
      Haven't looked into this too deeply but there is a difference between delaying a response (requests get stuck in the tarpit) vs providing a useless but valid response. This approach always provides a response, so it uses more resources than ignoring the request, but less resources than keeping the connection open. Once the response is sent the connection can be closed, which isn't quite how a tarpit behaves. The Linux kernel only needs to track open requests in memory so if connections are closed, they can be removed from the kernel and thus use no more resources than a standard service listening on a port.

      There is a small risk in that the service replies to requests on the port, though, as replies get more complicated to mimic services, you run the risk of an attacked exploiting the system making the replies. Another way of putting it, this attempts to run a server that responds to incoming requests on every port, in a way that mimics what might run on each port. If so, it technically opens up an attack surface on every port because an attacker can feed it requests but the trade-off is that it runs in user mode and could be granted nil permissions or put on a honeypot machine that is disconnected from anything useful and heavily tripwired for unusual activity. And the approach of hardcoding a response to each port to make it appear open is itself a very simple activity, so the attack surface introduced is minimal while the utility of port scanning is greatly reduced. The more you fake out the scanning by behaving realistically to inputs, the greater the attack surface to exploit, though.

      And port scanning can trigger false postives in network security scans which can then lead to having to explain why the servers are configured this way and that some ports that should always be closed due to vulnerability are open but not processing requests, so they can be ignored, etc.

      • westurner1 天前
        The original Labrea Tarpit avoids DOS'ing it's own conntrack table somehow, too;

        LaBrea.py: https://github.com/dhoelzer/ShowMeThePackets/blob/master/Sca...

        La Brea Tar Pits and museum: https://en.wikipedia.org/wiki/La_Brea_Tar_Pits

        The NERDctl readme says: https://github.com/containerd/nerdctl :

        > Supports rootless mode, without slirp overhead (bypass4netns)

        How does that work, though? (And unfortunately podman replaced slirp4netns with pasta from psst.)

        rootless-containers/bypass4netns: https://github.com/rootless-containers/bypass4netns/ :

        > [Experimental] Accelerates slirp4netns using SECCOMP_IOCTL_NOTIF_ADDFD. As fast as `--net=host`

        Which is good, because --net=host with rootless containers is security inadvisable FWIU.

        "bypass4netns: Accelerating TCP/IP Communications in Rootless Containers" (2023) https://arxiv.org/abs/2402.00365 :

        > bypass4netns uses sockets allocated on the host. It switches sockets in containers to the host's sockets by intercepting syscalls and injecting the file descriptors using Seccomp. Our method with Seccomp can handle statically linked applications that previous works could not handle. Also, we propose high-performance rootless multi-node communication. We confirmed that rootless containers with bypass4netns achieve more than 30x faster throughput than rootless containers without it

        RunCVM, Kata containers, GVisor all have a better host/guest boundary than rootful or rootless containers; which is probably better for honeypot research on a different subnet.

        IIRC there are various utilities for monitoring and diffing VMs, for honeypot research.

        There could be a list of expected syscalls. If the simulated workload can be exhaustively enumerated, the expected syscalls are known ahead of time and so anomaly detection should be easier.

        "Oh, like Ghostbusters."

        • immibis1 天前
          I tried something like that. It didn't work because the application added the socket to an epoll set before binding it, so before it could be replaced with a host socket. Replacing the file descriptor in the FD table doesn't replace it in epoll sets.
  • snvzz2 天前
    Cute as this is, most attackers aren't obsessed with you, but are looking at just one port, the one they have an exploit for.

    And if you have that port open with a vulnerable service, they'll find and exploit it, irrespective of whether this tool is running.

    • TacticalCoder2 天前
      If it was the case that the way all attackers worked was to have one ready exploit and only scan the port on which that exploit could work, then why are there good guys even seeing port scanning at all?
  • debarshri1 天前
    What would be great is if there is a network call detected on port where there is no actual service listen, if the tool could create alerts and send it to SIEM it will create lot of value.
  • TZubiri1 天前
    Or just don't
  • ENOTTY2 天前
    To speed up a comprehensive port probe with service discovery, one could use a few different systems on different IPs and divide the work.
  • pmarreck1 天前
    Well, that is certainly one way to attack the problem!
  • justmarc1 天前
    Bringing back fond memories of the happy 90s
  • ajsnigrutin1 天前
    > it takes more than 8hours and 200MB of sent data in order to properly go through the reconessaince phase for your system ( nmap -sV -p - equivalent).

    So, every automated portscan from a hacked machne will waste 200MB of my bandwidth?

    • sigio20 小时前
      Yes, but it will also waste 200MB of the attacker's bandwidth, which is a more limited resource.
  • stormbeard2 天前
    How is this better than configuring an iptables redirection?
    • zamadatix2 天前
      iptables only provides one of the two approaches detailed, namely the "ack" portion. For the "fake a random real service on each port" portion you'd need something additional like this.
  • PeterWhittaker2 天前
    Interesting concept, am curious how this withstands community review and analysis.

    Bit puzzled though, by the statement made immediately after stating that it is GPL2: For commercial, legitimate applications, please contact the author for the appropriate licensing arrangements.

    Since the GPL2 doesn't permit restricting what others do with GPLd software, I don't think this statement is doing what the author hopes; they might want to consult a lawyer.

    (IANAL, etc., but there is nothing in there to prevent me, e.g., from building a business out of this, charging gazillions, and keeping it all for myself, provided I make the source available to my customers.)

    • ddulaney2 天前
      Provided you make the source for any derivative works available to your customers.

      It’s not uncommon that in situations where that’s undesirable (e.g. a closed-source C library that statically links a GPL’d project) that the library owner pays a fee for a separate license allowing that closed-source distribution.

      Also, this is sometimes done when it’s not strictly legally necessary, either for risk avoidance or as a way to support the project in corporate environments where “licensing fee” gets waved through but “donation” gets blocked.

      • ijustlovemath2 天前
        I believe the this doesn't apply if you're using existing APIs or using GPL code as a library, otherwise many many corporate codebases would be forced to be open sourced.
        • mlyle2 天前
          GPL absolutely applies when using a library (unless a separate exception has been made). Of course, the LGPL is often used for libraries when this isn't desired by the author.
        • thayne2 天前
          > or using GPL code as a library

          No. The copyleft nature still applies to libraries. That's why the LGPL exists. And the exception in the license for gcc for programs compiled by gcc.

          • jesprenj2 天前
            Only if you distribute the binary/source of the GPLd library. You may build a non-GPL program that dynamically links with a GPL library and freely distribute it. As long as your program does not contain copyrightable code, you do not have to comply with the licence requirements, because you do not need a licence at all to do that. Same applies for static linking if you only distribute the source and require your users compile the program themselves.

            This is not limited to GPL, but applies to proprietary libraries as well. It's OK to require a proprietary library at runtime and you don't need a licence to do that. As long as you do not distribute some intellectual property, copyright law and its limitations are not applicable at all.

            This sounds quite assertive, so compulsory "IANAL, this is just my interpretation".

            • spauldo2 天前
              This all sounds awful close to the whole CLISP/ReadLine debacle. Basically, CLISP (a Lisp implementation) originally linked to ReadLine, a GNU library under the GPL. Richard Stallman argued that the author of CLISP had to remove ReadLine or license CLISP under the GPL.

              The author originally created his own non-GPL library with the same interface as ReadLine and distributed that, noting that the user could (at their own option) link CLISP with GNU ReadLine instead if they wanted that functionality. Stallman argued that wasn't sufficient.

              In the end, CLISP ended up being relicensed to GPL. Note though that no judge ever looked at it, so things might have turned out differently if it had gone to court.

            • Henchman212 天前
              I love these progressively more descriptive details about the GPL/LGPL. It's like a manifestation of the Futurama "You are technically correct; the best kind of correct" meme
            • immibis2 天前
              Note that if your program is very intertwined with the library, it might still be considered a derivative work.

              The Linux kernel has opinions about this: symbols marked with EXPORT_SYMBOL are considered symbols that every operating system would have, so using them doesn't mean you are writing a derivative work. Symbols market with EXPORT_SYMBOL_GPL are considered implementation details so specific to Linux that if you use them, you can't say that your module isn't derivative of Linux.

    • dijit2 天前
      You can buy your way out of the GPL if the authors are willing to relicense.

      Stallman was actually an advocate of doing this.

      https://www.fsf.org/blogs/rms/selling-exceptions

      • PeterWhittaker2 天前
        Agreed, cf other comments below. My impression is that that is what this person hopes for and that they think that somehow the GPL prevents others from using this code commercially, which it manifestly does not. (Such use would be subject to the GPL, of course.)
    • pc4862 天前
      I believe the author is saying they're willing to relicense the software for commercial integrations.
      • PeterWhittaker2 天前
        I believe you're right, that was my conclusion as well. I'm not sure that that will accomplish what they hoped.

        To continue my original example, I could, in theory, take this code, ensure that it works with arbitrary independent pseudo-services, create my own such services, under a proprietary licence, and distribute the whole as an aggregate, which is permitted by the GPL.

        The author likely seeks to provide commercial licensing for those interested in integrating their pseudo-services as libraries, which would require either that they be GPLd or that the original code be licensed in some other way.

        I hope the author achieves the success they hope for without the licensing and legal hell they may have set themselves up for. It can be a great disappointment to have one's work turned into someone else's success by a someone or someones with more legal and licence cunning than one's self.

        (Note: that ain't me, I've just seen that exact scenario playout more than a fair few times....)

        • tptacek2 天前
          Yes, people can do that. It's inconvenient and risky, so serious customer prospects will pay to avoid it. This is one of the more common open source commercialization strategies; one of the earlier examples is Sleepycat.
    • kiririn2 天前
      The original copyright holder can enforce what they like
      • PeterWhittaker2 天前
        Not quite: once you GPL something, while you retain copyright and can licence it in other ways, the GPL itself forbids you from restricting what others can do with it if they take it under the GPL; the one thing they cannot do is change its licence, but you cannot prevent them from selling it, e.g. The FSF are very, very clear on this.
        • tptacek2 天前
          You don't care, because whatever a GPL taker does, they're still bound by the viral copyleft, you're not, and you can sell that privilege to others.
          • PeterWhittaker2 天前
            Not if the original author stills holds the copyright, which is likely the case: the GPL does NOT remove your copyright, and in fact depends upon it.
            • tptacek2 天前
              I understand us to be talking about the options available to the original copyright holder, yes.
    • 2 天前
      undefined
  • throwaway9843932 天前
    [dead]
  • locusofself2 天前
    Could this not trivially be accomplished with a service listening on one port and 'iptables' rules?
    • tredre32 天前
      Per the README

          it binds to just ONE tcp port per a running instance !
    Configure your firewall rules:
    iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 1:65535 -j REDIRECT --to-ports 4444
  • phoronixrly2 天前
    > By using those two techniques together:

    > your attackers will have a tough time while trying to identify your real services.

    So... Security through obscurity?

    > the only way to determine if a service is emulated is through a protocol probe (imagine probing protocols for 65k open ports!).

    So... Security through obscurity?

    > it takes more than 8hours and 200MB of sent data in order to properly go through the reconessaince phase for your system ( nmap -sV -p - equivalent).

    So... Security through obscurity?

    Idk... Maybe I am not versed enough in infosec but this also begs the question are you not attracting more interest if your system lights up green for an exposed Redis instance for an adversary to notice you and take a closer look for anything else vulnerable.

    • commandar2 天前
      >So... Security through obscurity?

      This is not a valid criticism on its own.

      Security through obscurity is bad when obscurity is the only thing stopping an attacker. It's a meme because obscurity is not a substitute for stronger security mechanisms. That does not mean it cannot be an appropriate compliment to them, however.

      If I wanted to hide a gold bar, sticking it in an open hole behind a painting on the wall wouldn't be particularly great security. As soon as a robber found the hole, the entirety of my security is compromised.

      If I put it in a safe on the wall, it's much more secure. The robber has to drill through the lock to get the gold bar.

      If I put it in a safe behind a painting on the wall, the robber has to discover that there's a safe there before they're able to attempt drilling through it. Bypassing the painting is trivial compared to bypassing the safe, but the painting reduces the chance of the actual safe being attacked (up until it doesn't!)

      Security should be layered. Obscurity will generally be the weakest of those layers, but that doesn't mean that it has no value. As long as you're not using obscurity as a replacement for stronger mechanisms, there's nothing wrong with leveraging it as part of a larger overall security posture.

    • dcsommer2 天前
      Accepted cryptography is also security through obscurity. The thing is that the amount of obscurity must be quantified. Cryptanalysis allows one to calculate these quantities of "obscurity." Then, a full study of effectiveness combines that with the costs associated with brute-forcing the bounds arrived at by the cryptanalysis.

      Other parts of infosec are the same, but often with less well-quantified measures of effectiveness. E.g. memory hardening techniques like FORTIFY_SOURCE and MTE are effective in raising the difficulty of exploiting memory vulnerabilities, but under some conditions the vulnerabilities may still be exploitable.

      Before using labels like "security through obscurity" one has to first answer: how much does the technique raise the cost for attackers? This is what articles about security systems (including this one) should focus on. In the end, hacking, like most things, comes down to economics.

      • phoronixrly2 天前
        How much do you think this tool raises the cost for attackers?
        • altairprime2 天前
          Most modern attacks succeed by remaining undetected and this directly counters that. When combined with “every IP address responds to ARP and ICMP” (as discussed recently), you can make it impossible for an attacker to scan your network without firing off a honeypot alarm that introduces increasing packet loss on the attacker’s host as scans continue, providing enough time for an oncall human to finish what they’re doing and get to a keyboard to deal with the intrusion.

          The next level of value for this is to TLS-encrypt random traffic between ports and hosts on the network, generated and injected by the switch into each network port, so that sniffing traffic is not an effective discovery mechanism. After that, address and port randomization of servers using a time-linked randomization seed stored in an HSM, so that attackers have no way to pierce the onion skin if they lose control of the HSM-bearing host.

          This is all the natural outgrowth of container approaches, but in labor terms is nightmarishly complicated if you aren’t willing to spend for it.

          • idunnoman12221 天前
            No, instead of dropping all the packets into a black hole, you could put the packets into a hey we just got a scan request pile and if the pile is bigger than some heuristic call the on-call guy it’s completely unnecessary to respond to him to have this functionality
        • anyfoo2 天前
          The “cost” includes all resources, including time. Some classes of attackers will be significantly slowed down by this.
    • mannyv2 天前
      People who criticize 'security through obscurity' don't know how hard it is to reverse engineer shit.

      Either that or they're researchers or adversaries playing a game. Because trying to figure out WTF is going on is hard, so any clues you can extract from your targets makes things easier.

      • voidfunc2 天前
        Agree, a lot of people misunderstand the purpose of security through obscurity.. it's a layer on top of other layers of security designed to waste attacker time. If your attacker is a nation state that's probably not going to stop it, but it might stop a lot of other lesser threats who realize it's not worth the effort.
    • tw042 天前
      When you see someone probing every single port on the box, you know they’re either a bad actor, or a security tool. No legit user is going to keep hammering ports without a known service.

      Bad actors you can either block or counter attack. Security tools should be registering their address with whatever internal tracker you’re using so they can be white listed.

      • phoronixrly2 天前
        > When you see someone probing every single port on the box, you know they’re either a bad actor

        That is not what the tool is for though... It is a tool specifically made to hinder... IDK... Making any information out of an NMAP scan?

    • ryan-c2 天前
      The objective here is to give script kiddies and other spray-and-pray attackers the finger.
      • phoronixrly2 天前
        How does it do that though?

        You light up in a skid's Internet-wide scan for let's say Redis. They try and fail to dump anything from it so they proceed and run a vulnerability scanner on your host (skids gonna skid)... It proceeds to discover IDK... a trivial SQLi you coded like a dumbass...

        • anyfoo2 天前
          It’s literally an arms race. You make it more expensive for attackers to progress. Yes, security through obscurity is bad on its own, but it’s not necessarily useless as an additional measure.

          For a similar concept, look at the delay you get after entering a password wrong to a login prompt: That technically does not add any barrier whatsoever, but it does make it much harder for an attacker to brute force the password.

        • rvba2 天前
          They try to run some other attack on you. For something you dont have.

          If more servers use the tool, they waste attacker's time. A bit like herd immunity

    • wakawaka282 天前
      Security through obscurity is somewhat helpful even though it can be defeated. Take camouflage and honeypots for example. It would probably be unwise to use this without a thorough audit of the code however.
    • anyfoo2 天前
      Look up post-exploit mitigations, such as ASLR and pointer authentication. These are mechanisms that only become relevant when software has already been breached. In most cases, they cannot entirely prevent further progress by the attacker, just make it significantly harder.

      Similar principle (only on the other end).