Reverse connection
A reverse connection is usually used to bypass firewall restrictions on open ports. A firewall typically blocks inbound connections to ports on the hosts it protects, but allows the outbound connections those hosts initiate. In a normal forward connection, a client connects to a server through the server's open port; in a reverse connection the roles are reversed: the client opens a listening port and the server connects out to it. The TCP handshake is therefore initiated from the protected side, and the firewall sees it as ordinary outgoing traffic.
The most common use of a reverse connection is to bypass firewall and router security restrictions.

For example, a Trojan horse running on a computer behind a firewall that blocks incoming connections can easily open an outbound connection to a remote host on the Internet. Once the connection is established, the remote host can send commands to the Trojan horse.
Trojan horses (Remote Administration Tools, RATs) that use a reverse connection usually send TCP SYN packets to the attacker's IP address. The attacker runs a listener on that address, waits for these SYN packets and accepts the desired connections.
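The exchange described above, as an added example that is not part of the original article: a minimal reverse-connection session over loopback in Python. The operator side only listens; the agent side, standing in for the host behind the firewall, initiates the outbound TCP connection, and the operator then sends commands over the socket it accepted. The command names (hostname, whoami, echo), the newline framing and the allowlist are assumptions made for this illustration and do not reproduce any real tool's protocol.

```python
import getpass
import socket
import threading


# Allowlisted commands the agent will answer. These names are assumptions
# made for this example, not the protocol of any real tool.
def handle_command(cmd: str) -> str:
    if cmd == "hostname":
        return socket.gethostname()
    if cmd == "whoami":
        return getpass.getuser()
    if cmd.startswith("echo "):
        return cmd[len("echo "):]
    return "error: unknown command"


def operator_side(listener: socket.socket, commands, log):
    """Controlling side: it never connects anywhere. It accepts the inbound
    connection from the agent, then drives the session by sending one
    command per line and reading one reply line for each."""
    conn, peer = listener.accept()
    log.append(("connected_from", peer[0]))
    with conn, conn.makefile("rwb") as f:
        for cmd in commands:
            f.write(cmd.encode() + b"\n")
            f.flush()
            log.append(("reply", f.readline().rstrip(b"\n").decode()))
        f.write(b"quit\n")
        f.flush()


def agent_side(host: str, port: int):
    """Host behind the firewall/NAT: it initiates the outbound TCP connection
    (the SYN travels from here to the listener), then serves commands over it."""
    with socket.create_connection((host, port)) as s, s.makefile("rwb") as f:
        while True:
            line = f.readline()
            if not line:            # operator closed the connection
                break
            cmd = line.rstrip(b"\n").decode()
            if cmd == "quit":
                break
            f.write(handle_command(cmd).encode() + b"\n")
            f.flush()


def reverse_session(commands):
    """Run one reverse-connection session over loopback and return the
    agent's replies in order. Binding to port 0 lets the OS pick a free port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    log = []
    t = threading.Thread(target=operator_side, args=(listener, commands, log))
    t.start()
    agent_side("127.0.0.1", port)   # connection direction: agent -> operator
    t.join()
    listener.close()
    return [value for kind, value in log if kind == "reply"]


if __name__ == "__main__":
    print(reverse_session(["hostname", "whoami", "echo reverse connection works"]))
```

The point to notice is which side calls `connect()`: only the agent does, so a firewall that drops unsolicited inbound SYNs to the agent's network never sees anything it would block. Replace the loopback address with a public listener and the same code runs across a NAT.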

If a computer is sending SYN packets to, or is connected to, an attacker's machine, the connections can be discovered with the netstat command or a port monitor such as "Active Ports".
If the host's Internet access is cut off and an application still keeps trying to connect to remote hosts, the machine may be infected with malware.
Keyloggers and other malicious programs are harder to detect once installed, because they may connect only once per session. Note that SYN packets by themselves are not a cause for alarm: they are the first step of every TCP connection.
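As an added example (not from the original article) of the netstat check described above: the code parses constructed sample output in the layout of `netstat -an` on Linux and flags ESTABLISHED or SYN_SENT connections that this host itself initiated to an address outside its internal ranges. The sample lines and the internal-network list are assumptions for the illustration; a real check would also allowlist known destinations, since ordinary browser traffic looks exactly the same.

```python
import ipaddress

# Constructed sample in the layout of `netstat -an` on Linux; not real data.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:22         192.168.1.50:51000      ESTABLISHED
tcp        0      0 192.168.1.10:49152      203.0.113.5:4444        ESTABLISHED
tcp        0      1 192.168.1.10:49153      198.51.100.7:443        SYN_SENT
tcp        0      0 192.168.1.10:49154      192.168.1.20:445        ESTABLISHED
"""

# Address ranges treated as "inside": an assumption for the example, adjust per site.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def split_endpoint(text):
    """'192.168.1.10:49152' -> ('192.168.1.10', '49152'); rpartition keeps IPv6 intact."""
    host, _, port = text.rpartition(":")
    return host, port


def parse_netstat(text):
    """Return (proto, local, foreign, state) for each TCP row, skipping the header."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        rows.append((parts[0], split_endpoint(parts[3]), split_endpoint(parts[4]), parts[5]))
    return rows


def is_internal(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True          # '*' or garbage: nothing we can meaningfully flag
    return any(ip in net for net in INTERNAL_NETS)


def find_outbound_external(text):
    """Flag connections this host initiated (local port is not one we listen on)
    that are open, or being opened, to an address outside the internal ranges.
    SYN_SENT rows are the half-open attempts a reverse-connecting implant makes
    while its operator's listener is down."""
    rows = parse_netstat(text)
    listening_ports = {local[1] for _, local, _, state in rows if state == "LISTEN"}
    hits = []
    for proto, local, foreign, state in rows:
        if state not in ("ESTABLISHED", "SYN_SENT"):
            continue
        if local[1] in listening_ports:
            continue          # inbound session to one of our own services
        if is_internal(foreign[0]):
            continue
        hits.append({"local": ":".join(local), "remote": ":".join(foreign), "state": state})
    return hits


if __name__ == "__main__":
    for h in find_outbound_external(SAMPLE_NETSTAT):
        print(f"{h['state']:<12} {h['local']:<22} -> {h['remote']}")
```

On the sample the inbound SSH session and the SMB connection to a neighbouring host are ignored, while the two outbound connections to external addresses are reported. The second of those is a SYN_SENT to port 443, which is the kind of line that means nothing on its own but becomes interesting when it repeats after the link has been cut, as the paragraph above describes.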

There are legitimate uses for reverse connections, for example allowing hosts behind a NAT firewall to be administered remotely. Such hosts do not normally have public IP addresses, so they must either have ports forwarded at the firewall or open reverse connections to a central administration server.
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 