I’ve read an article which describes how to simulate the close ports as open in Linux by eBPF. That is, an outside port scanner, malicious actor, will get tricked to observe that some ports, or all of them, are open, whereas in reality they’ll be closed.
How could this be useful for the owner of a server? Wouldn’t it be better to pretend otherwise: open port -> closed?
A benign scan could just be looking for an ftp server to connect to or a repeater or relay server of some sort. There are plenty of open services people make available for free and the fact that you would consider it an attack it doesn’t make it one.
At minimum you could be alerted to look for someone attempting to connect to your ftp server with a single basic anonymous authentication vs someone flooding that port with known malicious software attacks, and block the latter across your entire network and effectively ignore the former. Really it seems like you’re advertising your lack of imagination in this context than a legitimate lack of possible uses for spoofing open ports.