Oh yeah, voodoo nodes would probably show up as no ports open.
If the scan was more thorough it would show TCP/UDP port 443 open, since on voodoo exit IPs that's the only thing open.
But if you scan the entry IP for that voodoo node (the thing you connect to), it would show all ports as open.
We did discuss full voodoo a while back.
Basically it was 2 VPSes for the circuit, one in front of the dedicated server and one behind it.
The added benefits for clients were:
The entry VPS doesn't know the websites you're visiting
The dedicated server doesn't see your real IP or the websites you visit
and the exit VPS doesn't see your real IP
The main added benefit to CS was that the dedicated server's IP stays hidden, which protects it from abuse complaints or DDoS or whatever.
The downside is that because the dedicated server doesn't add an extra hop, there's really no way to verify the whole thing.
We ended up not doing full voodoo simply because VPS bandwidth is shit, and expensive as hell in most regions.
It's cheaper to just use dedicated servers.
Some of the half voodoo (you -> dedi -> VPS -> internet) ones are still up, but we might ditch them once I figure out a decent replacement.
What I'd like to do is replace them with a [you -> dedi -> dedi (repeat) -> internet] type of voodoo thing, if that's feasible. Basically doing a double tunnel, but with one step for the client. I dunno yet how to pull that off, maybe specifying a certain password, or some other argument to the whole thing that tells the server to tunnel that session through another VPN server... or something. It would be more economical if I could pull that off without having to buy more IPs.
Seems doable, just need to figure out the best way to do it.
And just because, I'm now listening to the 1980 self-titled Iron Maiden album =D