Serving false signatures to attack scanners with Portspoof


Article from Issue 160/2014

The Internet is a tough place to live – especially for publicly accessible computers. A small tool called Portspoof makes port scanning a real challenge for attackers.

Seasoned attackers, and even some amateur cyber-vandals, find sport in trying to scan servers and hijack them at the same time (Figure 1). Firewalls and Intrusion Detection/Prevention systems can help, but if a single tool could truly stop all potential attacks, the Internet intrusion industry wouldn't even exist.

A professional intrusion attempt is typically preceded by reconnaissance and scanning. Many attackers simply perform a scan, which is easily automated with tools like Nmap. An attacker who discovers a firewall and similar defensive system can often guess which ports and services are worth attacking. However, a tool called Portspoof [1] intervenes to cause complications and confusion for the attacker. Portspoof answers port requests with a wild mix of signatures and payloads. This confusing and unwanted information slows down any attempted port scan, forcing the attacker to manually evaluate the results in a time-consuming process.

Portspoof was developed in 2012 by Piotr Duszynski, who calls his program a "Service Emulator and Frontend Exploitation Framework." The application is available under the GPLv2 and is implemented in C++.


Use Express-Checkout link below to read the full article (PDF).

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Charly’s Column: PortSentry

    To celebrate 10 years of his column, Charly sets up a sensitive detector that measures the cosmic background radiation of the Internet.

  • Netfilter's Recent Module

    Netfilter’s Recent module builds a temporary blacklist to keep intruders off your network.

  • Customizing PortSentry

    PortSentry monitors your ports and lets you know when they’ve been scanned.

  • Nmap Methods

    How does the popular Nmap scanner identify holes in network security? In this article, we examine some Nmap analysis techniques.

  • Books

    Reviews of O'Reilly's Beautiful Code: Leading Programmers Explain How They Think, Prentice Hall's The Official Damn Small Linux Book, and Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort from No Starch Press.

comments powered by Disqus

Direct Download

Read full article as PDF:

Price $2.95