Instead of informing an attacker that a particular port is CLOSED or FILTERED, a system running Portspoof returns SYN+ACK for every port connection attempt.
As a result, it is impractical to use stealth (SYN, ACK, etc.) port scanning against your system, since all ports are always reported as OPEN.
Portspoof has a huge dynamic service signature database that is used to generate valid service signatures and feed them to your offender's scanning software.
Scanning software usually tries to determine the version of the service running on an open port. This step is mandatory for anyone who wants to identify the port numbers on which you are running your services on a system behind Portspoof.
Portspoof will respond to every service probe with a valid service signature that is dynamically generated from a database of service signature regular expressions.
As a result, an attacker will not be able to determine which port numbers your system is truly using.
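The signature generation described above can be illustrated with a small sketch. This is an added example, not Portspoof's own code: the patterns in `SIGNATURES` are constructed samples, and the hypothetical `generate` helper handles only a small regex subset (literals, escapes, `\d`, `\w`, `[...]` sets and simple quantifiers).

```python
import random
import re
import string

# Constructed sample patterns in the style of service-probe match regexes;
# illustrative only, not copied from Portspoof's signature database.
SIGNATURES = [
    r"SSH-2\.0-OpenSSH_\d\.\d\r\n",
    r"220 [a-z]{4,8} ESMTP ready\r\n",
    r"\+OK POP3 server v\d+\.\d+ \w+\r\n",
]
CLASSES = {"d": string.digits, "w": string.ascii_letters + string.digits + "_"}
ESCAPES = {"r": "\r", "n": "\n", "t": "\t"}
QUANT = re.compile(r"[+*?]|\{(\d+)(?:,(\d+))?\}")


def expand_set(body):
    """Expand the inside of [...]: literals and a-z style ranges only."""
    chars, i = [], 0
    while i < len(body):
        if i + 2 < len(body) and body[i + 1] == "-":
            chars += [chr(c) for c in range(ord(body[i]), ord(body[i + 2]) + 1)]
            i += 3
        else:
            chars.append(body[i])
            i += 1
    return "".join(chars)


def generate(pattern, rng, max_repeat=4):
    """Return one random string that the (restricted-subset) pattern matches."""
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\":  # escape: class (\d, \w), control char, or literal
            alphabet = CLASSES.get(pattern[i + 1]) or ESCAPES.get(pattern[i + 1], pattern[i + 1])
            i += 2
        elif pattern[i] == "[":  # character set
            end = pattern.index("]", i)
            alphabet, i = expand_set(pattern[i + 1:end]), end + 1
        else:  # plain literal
            alphabet, i = pattern[i], i + 1
        lo, hi = 1, 1
        q = QUANT.match(pattern, i)  # optional quantifier after the atom
        if q:
            i = q.end()
            bounds = {"+": (1, max_repeat), "*": (0, max_repeat), "?": (0, 1)}
            lo, hi = bounds.get(q.group()) or (int(q.group(1)), int(q.group(2) or q.group(1)))
        out.append("".join(rng.choice(alphabet) for _ in range(rng.randint(lo, hi))))
    return "".join(out)
```

Because every generated banner satisfies the same regular expression a scanner uses to recognise the service, the scanner reports a plausible service on a port where nothing real is listening.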
By using those two techniques together:
- your attackers will have a tough time trying to identify your real services.
- the only way to determine whether a service is emulated is through a protocol probe (imagine probing protocols for 65k open ports!).
- it takes more than 8 hours and 200 MB of sent data to properly go through the reconnaissance phase for your system (nmap -sV -p - equivalent).
Portspoof can be used as an 'Exploitation Framework Frontend' that turns your system into a responsive and aggressive machine. In practice this usually means exploiting your attackers' tools and exploits.