Conceptual Protocol: Anonymous Port Protocol

Anonymous Port Protocol acts in a server/client configuration to obfuscate what services run on network ports to prevent reconnaissance & automated attacks.

The Anonymous Port Protocol (APP) is a conceptual protocol. This means it has not been developed and does not exist in the wild. However, it is a useful protocol for questioning modern thinking on how we view technical operations and standards. APP acts in a server/client configuration to obfuscate which services run on each networked port (socket) in a way that prevents successful automation of many network-based attacks. It is akin to ASLR for port numbers. Yes, the memory-layout randomization technique that frustrates buffer overflow exploitation can be leveraged to reduce network-based attacks. There are two types of APP that can be discussed.

In the first, all ports and services (sockets) are converged into a single port on workstations, where a workstation service reads a TCP header tag in the “options” field to “decompress” the sockets for delivery to the application layer. We will call this Single-Port APP (SAPP).

In the second, the client software listens on a predefined set of ephemeral ports for UDP “Change Ports” messages from the server and then uses port forwarding within the operating system to reassign all sockets to new ports uniformly across the enterprise. We will call this Random APP (RAPP).

Single-Port Anonymous Port Protocol

50,000 Foot SAPP View

At a 50,000 foot view of SAPP, an attacker on a network who performs a reconnaissance scan will not be able to identify any open ports on any host that uses SAPP. On the workstation, users would “see” very little performance degradation because the SAPP software acts as a firewall, blocking all incoming traffic that is not received on the preselected consolidated port.

SAPP would leverage port redirection to forward all incoming traffic from the selected port by reading the SAPP-specific header information contained in the options field of the TCP header. For all outgoing traffic, SAPP would be limited to adding the SAPP tag to the TCP headers. All traffic returned to ephemeral ports for connections that originated from the workstation would remain unaffected.

Getting Technical

If we use Windows as our case study, SAPP would integrate with the Windows Firewall. The data from the application would work its way to the TCP layer, where SAPP would add its tag to the TCP header and configure the Windows Firewall to port forward all traffic through a specified port. Within the TCP header, SAPP would add a “stream identifier” in the “options” field. This “stream identifier” would include a code for the application being used, the session, and the SAPP version.

SAPP would also open a listener on one predefined ephemeral port. This listener would be used for command traffic from a central management console. The management console would permit admins to “push” configuration updates to APP across the enterprise or remotely manage individual instances of SAPP using cryptographically sound transmissions.
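The two paragraphs above describe the core of SAPP: a tag carried in the TCP options field that a firewall-side service reads to route traffic arriving on the single consolidated port back to the real service. The following is an added example, not code from the original post: a toy codec for such a “stream identifier” option, a TCP options walker that skips unrelated options, and the dispatch decision the SAPP firewall would make. The option layout (kind byte, length byte, then version, application code and session id), the experimental option kind 253 from RFC 4727, and the service table are assumptions chosen for illustration; the post does not define them, and ordinary TCP stacks do not let user-space code add TCP options, so this models only the encode/decode and dispatch logic.

```python
"""Added example (not from the original post): toy SAPP stream-identifier option
codec plus the consolidated-port dispatch rule.  Option layout, option kind and
service table are assumptions for illustration."""
import struct

# Assumed TCP option layout, TLV style: kind(1) | length(1) | version(1) | app_code(2) | session(4)
SAPP_OPTION_KIND = 253          # RFC 4727 experimental TCP option kind; an assumption here
SAPP_VERSION = 1
_PAYLOAD = struct.Struct("!BHI")  # version, application code, session id (7 bytes)
OPTION_LEN = 2 + _PAYLOAD.size    # 9 bytes including kind and length

# Constructed registry: application code -> (service name, real local port)
SERVICE_TABLE = {
    0x0001: ("ssh", 22),
    0x0002: ("http", 80),
    0x0003: ("rdp", 3389),
}


def encode_option(app_code, session_id, version=SAPP_VERSION):
    """Build the raw option bytes the SAPP sender would append to the TCP header."""
    if not 0 <= app_code <= 0xFFFF or not 0 <= session_id <= 0xFFFFFFFF:
        raise ValueError("field out of range")
    return bytes([SAPP_OPTION_KIND, OPTION_LEN]) + _PAYLOAD.pack(version, app_code, session_id)


def decode_options(options):
    """Walk a TCP options blob and return (version, app_code, session) or None.

    Other options (MSS, window scale, ...) are skipped by their length byte;
    EOL (kind 0) ends the list and NOP (kind 1) has no length byte."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # End of option list
            break
        if kind == 1:                      # NOP padding
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad option length")
        if kind == SAPP_OPTION_KIND and length == OPTION_LEN:
            return _PAYLOAD.unpack(options[i + 2:i + length])
        i += length
    return None


def dispatch(dst_port, options, consolidated_port):
    """Firewall-side decision for one inbound segment.

    Returns (service, real_port, session) when the segment arrived on the
    consolidated port with a valid SAPP tag; returns None when it should be
    dropped (wrong port, no tag, unknown version or unknown application)."""
    if dst_port != consolidated_port:
        return None                        # everything off the chosen port is blocked
    tag = decode_options(options)
    if tag is None:
        return None                        # untagged traffic on the port is dropped too
    version, app_code, session = tag
    if version != SAPP_VERSION or app_code not in SERVICE_TABLE:
        return None
    name, real_port = SERVICE_TABLE[app_code]
    return name, real_port, session


if __name__ == "__main__":
    # Constructed sample: an MSS option followed by a SAPP tag for HTTP, session 0xDEADBEEF
    opts = b"\x02\x04\x05\xb4" + encode_option(0x0002, 0xDEADBEEF)
    print(dispatch(44444, opts, 44444))    # ('http', 80, 3735928559)
    print(dispatch(80, opts, 44444))       # None: real port is never reachable directly
```

Note that the dispatch rule drops anything that is not both on the consolidated port and correctly tagged, which is exactly why the post concedes SAPP collapses once an attacker can read unencrypted headers: the tag itself is the only secret.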

Benefits & Drawbacks of SAPP

SAPP is pure security through obscurity and does not play well with ICMP or UDP without encapsulating those protocols within a TCP wrapper. Additionally, if an attacker is able to read the TCP headers because encryption is not used, or is not configured correctly, SAPP is trivial to overcome.

Despite these glaring drawbacks, SAPP is a neat toy to play with because attackers who do gain the capability to scan the network will receive no evidence of any live hosts on it. Additionally, network-based firewalls can be locked down to a single open port. Using network-based port forwarding, network firewalls can support assigning a different SAPP port for every VLAN. Having two open ports per VLAN (the command port and the SAPP port) would immensely decrease the overall attack surface . . . maybe.

Random Anonymous Port Protocol

50,000 Foot View of Random Anonymous Port Protocol

An attacker scans a network and obtains a list of open ports and protocols. Five minutes later the attacker tries to enumerate the ports for further analysis, and a different set of ports and protocols seems to be active. On a user workstation a RAPP service is running in the background, and the user notices no degradation of performance. RAPP is client software that receives a command signal from a central management console that provides configuration details to the client.

Getting Technical

RAPP works by configuring port assignments and port banners. The central management console offers the administrator a choice of four RAPP modes: Static, Static-Random, Random-Random, and Random-Static.

In Static mode the administrator can choose to have all enterprise devices maintain default port assignments and banners, or can define static reassignment of ports and static replacement banners. In Static-Random mode RAPP maintains the default port numbers but exchanges the port banners for random service banners to obfuscate which services are behind the respective sockets. In Random-Random mode the ports are randomized using port redirection within the operating system and the banners are randomized as well. In Random-Static mode the ports are randomized but the banners keep their true nature.

Two additional settings that an administrator can configure are “Change Rate” and “Banner Authenticity”. “Change Rate” defines how often the configuration is updated in any of the Random modes. “Banner Authenticity” lets the administrator decide whether replacement banners should be drawn only from banners commonly used in the wild or also include more exotic ones.

When services and applications wish to transmit data, they follow their predefined flow until port forwarding redirects the traffic to the correct recipient port. RAPP, like SAPP, would have a management port on all workstations that would permit manual or forced updates.
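The RAPP description above (the four modes, Change Rate, Banner Authenticity and OS-level port forwarding) can be made concrete with a small configuration generator. The following is an added example and not code from the original post: console and clients both derive the port map and banner map for the current “epoch” from a shared secret and the Change Rate, so every host in the enterprise lands on the same mapping without needing to trust a lossy broadcast, and a client that missed an update is simply one epoch behind. The mode names are the post's; the derivation (an HMAC over the epoch number seeding a PRNG), the service inventory, the banner pools, the shared secret and the choice of rendering the redirection as Windows netsh portproxy commands are all assumptions made for this example.

```python
"""Added example (not from the original post): toy RAPP configuration generator.
Mode names follow the post; the HMAC-seeded derivation, inventory, banner pools
and netsh rendering are assumptions for illustration."""
import hashlib
import hmac
import random

# Constructed inventory: real port -> (service name, true banner)
SERVICES = {
    22:   ("ssh",  "SSH-2.0-OpenSSH_9.6"),
    80:   ("http", "Server: nginx/1.25.3"),
    3389: ("rdp",  "RDP"),
}
# Constructed replacement banner pools. "common" mirrors banners widely seen in
# the wild; "exotic" is what the post's Banner Authenticity setting would add.
COMMON_BANNERS = ["SSH-2.0-OpenSSH_8.9", "Server: Apache/2.4.57",
                  "220 Microsoft ESMTP MAIL Service"]
EXOTIC_BANNERS = ["220 VxWorks FTP server", "SSH-1.99-Cisco-1.25"]
EPHEMERAL = range(49152, 65535)   # candidate listening ports for randomized modes

MODES = ("Static", "Static-Random", "Random-Random", "Random-Static")


def epoch(now_seconds, change_rate_seconds):
    """Index of the current configuration window (Change Rate in seconds).
    A client that missed an update keeps computing the previous epoch's map
    and loses connectivity, which is the drawback the post warns about."""
    return now_seconds // change_rate_seconds


def _rng(secret, ep):
    # Deterministic seed shared by console and clients: HMAC-SHA256(secret, epoch)
    seed = hmac.new(secret, str(ep).encode(), hashlib.sha256).digest()
    return random.Random(int.from_bytes(seed, "big"))


def build_config(mode, secret, ep, banner_authenticity="common"):
    """Return {"mode", "epoch", "ports": real->exposed, "banners": real->banner}."""
    if mode not in MODES:
        raise ValueError("unknown RAPP mode: %r" % (mode,))
    rng = _rng(secret, ep)
    randomize_ports = mode.startswith("Random")    # Random-Random, Random-Static
    randomize_banners = mode.endswith("Random")    # Static-Random, Random-Random
    pool = list(COMMON_BANNERS)
    if banner_authenticity == "exotic":
        pool += EXOTIC_BANNERS
    real_ports = sorted(SERVICES)
    if randomize_ports:
        new_ports = rng.sample(EPHEMERAL, len(real_ports))   # distinct exposed ports
    else:
        new_ports = real_ports
    port_map = dict(zip(real_ports, new_ports))
    banner_map = {}
    for p in real_ports:
        banner_map[p] = rng.choice(pool) if randomize_banners else SERVICES[p][1]
    return {"mode": mode, "epoch": ep, "ports": port_map, "banners": banner_map}


def portproxy_commands(config):
    """Render the OS port forwarding for every port that moved, as Windows
    'netsh interface portproxy' commands (the post uses Windows as its case study)."""
    cmds = []
    for real, exposed in sorted(config["ports"].items()):
        if exposed != real:
            cmds.append(
                "netsh interface portproxy add v4tov4 listenport=%d listenaddress=0.0.0.0 "
                "connectport=%d connectaddress=127.0.0.1" % (exposed, real))
    return cmds


def lookup(config, exposed_port):
    """Scanner's-eye view: the banner a probe of exposed_port would receive,
    or None if nothing is listening there under this configuration."""
    for real, exposed in config["ports"].items():
        if exposed == exposed_port:
            return config["banners"][real]
    return None


if __name__ == "__main__":
    secret = b"constructed-shared-secret"         # placeholder, not a real key
    ep = epoch(now_seconds=3600, change_rate_seconds=300)
    cfg = build_config("Random-Random", secret, ep, banner_authenticity="exotic")
    print(cfg["ports"], cfg["banners"])
    print("\n".join(portproxy_commands(cfg)))
```

Running it twice with the same secret and epoch yields the same mapping, which is the property that lets a whole VLAN move in lockstep; running it with the next epoch yields an unrelated mapping, which is why a stale client can no longer reach anything.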

Benefits & Drawbacks of RAPP

The drawbacks of RAPP include the inability of devices on the network to open communications with RAPP devices. RAPP may also cause loss of network connectivity for any device that missed a RAPP update until the next update is received or an administrator “pushes” an update. Additionally, any “Banner Authenticity” setting that uses exotic banners may be an indicator of RAPP to skilled attackers.

The benefits include adding deception at the port and service level that can be leveraged to identify and/or stop automated and manual network-based reconnaissance and attacks. RAPP would exponentially increase the complexity of network reconnaissance and make attackers work much harder to validate which services, protocols, and operating systems are present on a network, while requiring them to regularly update their port mappings.

Conclusions

APP may be a mix of security through obscurity and deception, but arguments could be made that it is entirely one or the other. But just think for a moment: how well ingrained is human knowledge of port assignments, protocol banners, and operating system indicators? Isn’t it about time someone turned these known truths on their head and made attackers work for their bread?

Anonymous Port Protocol is a conceptual protocol, but the premise stands. If we do what we have always done, we will always get what we have always had: infiltrations that are increasingly pervasive. I submit to you, reader: is our reliance on the known really worth being so vulnerable? APP is just one idea of how we can move the security industry an inch forward.