GCHQ Is Mapping Open TCP Ports Across Whole Countries

German journalists and academics have criticised Britain’s intelligence service GCHQ for scanning servers round the world, and maintaining a database of open ports which could be used in attacks.

British intelligence agency GCHQ has been cataloguing open TCP ports across entire countries as part of a secret programme codenamed ‘Hacienda’, reports German publication Heise Online.

The database resulting from the scans is used in other GCHQ surveillance projects and shared with the rest of the Five Eyes – the US, Canada, Australia and New Zealand – using the secure MAILORDER transport protocol.

An open port can enable the attackers to identify services that are running on a server with the view to compromise it. According to Heise, Hacienda targeted 32 countries since 2009, and has completely mapped ports of at least 27.

The authors of the article propose an evasion method dubbed ‘TCP Stealth’ which helps evade detection by Hacienda and similar port scanning tools, although it is only suitable for smaller Internet communities.

Keeping an eye out

A network port is a number that identifies one side of a connection between two computers. It is associated with an IP address on the host, as well as the type of protocol used for communication. Depending on the software and services running on the host, some ports will be left open, so computers can communicate with each other and rout data packets to the specific process.

You can imagine an IP address as a house address, and port number as a flat number – while the address has to be unique, the same flat numbers are used in every building.

Traditionally, a hacker would start an attack by finding an open port to identify a service, and then exploit a known vulnerability of that service. So it is indeed worrying that GCHQ, an organisation which has been repeatedly accused of conducting mass surveillance operations, is interested in maintaining such a database.

The agency is also believed to be interested in undocumented ‘zero-day’ vulnerabilities, which could be used in combination with the open port database to stealthily compromise a large number of machines.

Heise has published 26 slides from GCHQ, the US National Security Agency (NSA) and Communications Security Establishment of Canada (CSEC), most of them carrying the ‘Top Secret’ label. According to these slides, Hacienda randomly scans every IP identified in a target country, recording ports for widely used protocols like HTTP and FTP, as well as SSH and SNMP which enable remote access and network administration.

In addition to simple port scans, GCHQ also downloads the so-called banners – text sent by some applications when connecting to an associated port; this often includes system and application version information, useful when looking for vulnerable services.

One of the things Hacienda is used for is automatic acquisition of Operational Relay Boxes or ORBs – third-party machines, possibly belonging to unsuspecting citizens, which are used to hide the location of the attackers when members of the Five Eyes carry out offensive operations.

TCP Stealth

In the conclusion of the article, Heise suggests a technique that can protect against Hacienda and similar tools. Known as ‘port knocking’, it minimises a server’s visible footprint by introducing a ‘knock’ packet. Unless this specific packet has been received, the port will not show up as available.

Heise proposes a modified version of port knocking known as TCP Stealth, developed at the Technische Universität München with a nation-state adversary in mind. It embeds the authorization token in the TCP initial sequence number, and enables applications to add payload protections.

The authors say that the technique, at the moment only suitable for Linux, is useful for any service with a user group that is so small that it is practical to share a passphrase with all members.

What do you know about Edward Snowden and the NSA? Take our quiz!