I guess it'll be obvious that a server is running portspoof after you find that 3 random services that nobody uses anymore seem to be running, but now that you know the host is up, which ports do you tinker with?

If you assume that scanning/attacking each port on each server takes about the same effort, you are better off finding a machine where the scan/attack has a higher chance of being successful, even if you can tell which ports are spoofed and not worth attacking.

Maybe you can run portspoof locally on 127.0.0.35 and compare which responses seem different (data, timings) from what you get back, but the space is suddenly 5000x bigger than the handful of ports that normally seem to be open and ports on other servers may seem more likely to yield success.

only answer positively the first ones. use nmap os/service id database to emulate correct response per port.

I agree, returning legit banners on common ports is likely to get you looked at more rather than less, since most tools are not accounting for situations where every single port is open, indicating false positives. This is a common scenario on penetration tests, and while it does end up wasting time, I'd rather not give attackers any more reason to be looking at my infra. I would prefer port knocking, which is kinda of the polar opposite approach to this.

Combine the two.

By default, return nonsense on all ports. But once a certain access sequence has been detected from a source IP, redirect traffic to a specific port from just that IP to your real service.

So port knocking, but with also returning junk during the knocking process?

Not a network security expert, but the level of traffic necessary to figure out whats real would probably trip other detection mechanisms in the process.

If you're worried about mass internet scans, I can see the downsides. But if you're worried about a targeted attacker scanning just your organization’s IP ranges, this seems like it would hinder them quite a bit.

Yea, thinking about it for a minute I would expect limited threat models this tool would help with. I think for broad attacks, this would only be somewhat effective if deployed on tens of millions of hosts so it becomes impractical because the adversary is just finding and interacting with the honeypots.

If you are specifically getting targeted, there might be a slight delay by having the adversary try and exploit the honeypot ports, but if you're running a vulnerable service you still get exploited.

Also if you're a vendor, when prospective customers security teams scan you, you'll have some very annoying security questionnaires to answer.

You also now have to worry about vulnerabilities in portspoof.

Put it in an otherwise airgapped dmz.