Port Hopping - Is it for defence or Attack ?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Port Hopping - Is it for defence or Attack ?

 

I was just going through Tactics, Techniques, and Procedures (TTPs) and saw port hopping and still confused is it for defence or attack. If port keeps changing randomly then how would the connection stay connected?.
 
Please share any article that explains clearly about port hopping or any easy way to understand.
 
#Portmapping #CybersecurityFundamentals.
1 REPLY 1

Cyber Elite
Cyber Elite

@sowndarya.h.sampath,

It can be either. It can be defensive if you're dynamically modifying the service port and changing the port over time to sort of obfuscate what port you're actually using for the service. It can also be used from an attack perspective for the same sort of reasons, it's just a technique that makes detection of the service a bit more complicated and harder to detect. If I'm the one using it as a technique to secure some public-facing services that are only used by my applications I can call it defensive, but if I'm using it to hide a C2C network then it would be labelled as an attack.

 

As to the question of how something can possibly keep the connection online the basis is essentially that as long as you know where to look the actual port doesn't matter. If I know that I'm using 1,000 ports as an example, it takes almost no time to scan that range and figure out what port the service is actively listening on.

Likewise if I already have an established connection and I have a service acting as a server for the clients, you can just communicate to the clients the new port that you'll be listening on prior to migrating to that new port. So if a part of C2C as an example I would just push an update to the clients that tell them that they should now utilize X port instead of Y port. Generally you'd actually feed out a list of extensive control nodes on different ports with every update just to ensure that a single node going down or a port not being accessible wouldn't potentially bring the whole C2C network down and cause you to have abandoned bots. I've seen lists of hundreds of control nodes with vastly more ports in use before as well since you really don't want those bots to fallback to their initial config where the primary C2C enrollment nodes may have already been identified.

  • 329 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!