Port Mimic: It's a Trap! (And so is every other port)
2025-10-22, Europe

Port Mimic is a tool that lays out a trap by listening on every port of a given interface. For normal users it will be completely invisible, but as soon as a port scanner comes around, it will turn into a wild beast.


How it works

Port Mimic uses nftables to set up a trap. It listens on every port of the given interface and redirects the traffic to a honey port. As soon as a threshold number of packets has been received on trap ports, it puts the offender on a bad IP list and redirects all of the offender's traffic to our mimic program.

So what an attacker sees has nothing to do with the real target: think internet-connected teapot or the world's most welcoming database.

Ideally, that will waste their time and alert defenders to set countermeasures, or, if the machine is connected to the internet, it will muddy the waters and make port scanners less reliable for target discovery.

Listening ports are excluded from the trap, so you don't have to worry about users being affected.
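The per-connection decision described in this section can be modelled in a few lines of Python. This is an added sketch, not Port Mimic's own code: the class and function names, the threshold of 5, and the choice to send the threshold-crossing packet to the honey port are assumptions, and the traffic is constructed sample data.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class TrapModel:
    """Toy model of the trap logic (hypothetical names, not the project's API)."""
    listening_ports: frozenset      # real services, excluded from the trap
    threshold: int = 5              # assumed value; the page gives no number
    trap_hits: Counter = field(default_factory=Counter)
    bad_ips: set = field(default_factory=set)

    def route(self, src_ip: str, dst_port: int) -> str:
        """Return where a new connection ends up: service, honeyport or mimic."""
        if src_ip in self.bad_ips:
            return "mimic"          # flagged sources no longer reach real services
        if dst_port in self.listening_ports:
            return "service"        # normal use is untouched and never counted
        self.trap_hits[src_ip] += 1
        if self.trap_hits[src_ip] >= self.threshold:
            self.bad_ips.add(src_ip)    # every later connection goes to the mimic
        return "honeyport"


def replay(model, packets):
    """Feed (src_ip, dst_port) pairs through the model and return the verdicts."""
    return [model.route(src, port) for src, port in packets]


# Constructed sample traffic using documentation address ranges.
USER, SCANNER = "192.0.2.10", "203.0.113.7"
SAMPLE = (
    [(USER, 443), (USER, 22)]                          # ordinary client
    + [(SCANNER, p) for p in (21, 23, 25, 80, 110)]    # sweep over closed ports
    + [(SCANNER, 22), (SCANNER, 443)]                  # scanner reaches real ports
    + [(USER, 8080), (USER, 443)]                      # one stray hit, then normal use
)

if __name__ == "__main__":
    model = TrapModel(listening_ports=frozenset({22, 443}))
    for (src, port), verdict in zip(SAMPLE, replay(model, SAMPLE)):
        print(f"{src:>12} -> {port:<5} {verdict}")
    print("bad IP list:", sorted(model.bad_ips))
```

The replay shows the two properties a defender would check: a single stray connection from a normal client stays below the threshold, and a flagged source gets the mimic even on ports 22 and 443.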

Credits

This project is inspired by portspoof.

Major differences:
- This project is written in Python and uses nftables to set up the trap, so it doesn't require root or require you to fiddle with iptables.
- There is no need to manually exclude ports from the trap, it will automatically exclude the ports that are open on the interface.
- The mimic will cover your regular ports as soon as it detects a port scanner, so you don't have to worry about it.
- Instead of opening all ports, we will pretend to be something else, so an attacker will not notice or be alerted to our shenanigans (ideally).

Jürgen Brandl worked as a senior cyber security analyst at the Federal Ministry of the Interior and has 10 years of experience working in incident response, protecting both governmental and critical infrastructure from cyber attacks. In his current role, he is researching and advocating for the need to use AI to face the emerging threat landscape.
