Port Hopping - Is it for defence or Attack ?

@sowndarya.h.sampath,

It can be either. It can be defensive if you're dynamically modifying the service port and changing the port over time to sort of obfuscate what port you're actually using for the service. It can also be used from an attack perspective for the same sort of reasons, it's just a technique that makes detection of the service a bit more complicated and harder to detect. If I'm the one using it as a technique to secure some public-facing services that are only used by my applications I can call it defensive, but if I'm using it to hide a C2C network then it would be labelled as an attack.

As to the question of how something can possibly keep the connection online the basis is essentially that as long as you know where to look the actual port doesn't matter. If I know that I'm using 1,000 ports as an example, it takes almost no time to scan that range and figure out what port the service is actively listening on.

Likewise if I already have an established connection and I have a service acting as a server for the clients, you can just communicate to the clients the new port that you'll be listening on prior to migrating to that new port. So if a part of C2C as an example I would just push an update to the clients that tell them that they should now utilize X port instead of Y port. Generally you'd actually feed out a list of extensive control nodes on different ports with every update just to ensure that a single node going down or a port not being accessible wouldn't potentially bring the whole C2C network down and cause you to have abandoned bots. I've seen lists of hundreds of control nodes with vastly more ports in use before as well since you really don't want those bots to fallback to their initial config where the primary C2C enrollment nodes may have already been identified.