British Government Scanning All UK-Hosted Server Systems


The UK National Cyber Security Centre (NCSC) will be checking for vulnerabilities on all Internet-exposed devices, including server systems, hosted in the United Kingdom. The organization aims to safeguard these Internet-facing devices and improve the UK’s overall cybersecurity posture by informing owners of any vulnerabilities it finds.

These operations cover any Internet-accessible system hosted in the UK, and they target vulnerabilities that are prevalent or that matter because of their substantial impact. The NCSC uses the data it gathers to build an overview of the UK’s exposure to vulnerabilities following their disclosure and to track their remediation over time.

These Internet device scanning activities are intended to help the UK Government to:

  • Gain a better understanding of the UK’s security and vulnerabilities
  • Help system owners understand their security posture on a day-to-day basis
  • Adapt to shocks (like a widely exploited zero-day vulnerability)

How Does This Scanning Across the UK Work?

The first step in determining whether a vulnerability is present on a system is identifying whether particular associated protocols or services exist on it. The NCSC will do this by communicating with the system in the same way a web browser or other network client would, then analyzing the response it receives.

By making these requests repeatedly, the NCSC expects to keep a current picture of vulnerabilities across the whole of the UK.

The NCSC collects and stores any information that a service returns in response to a request. For web servers, this includes the whole HTTP response (including headers) to a valid HTTP request. For other services, it includes the data the server sends immediately after a connection is established or a valid protocol handshake is completed. For each request and response, the NCSC also records other pertinent data, such as the time and date of the request and the IP addresses of the source and destination endpoints.

The NCSC will craft its requests to gather the least amount of technical data necessary to confirm the presence, version, and/or vulnerability of a particular piece of software. It will also design requests to limit how much personal information may be included in the response. The NCSC says that in the unlikely event it does find information that is sensitive or personal in any other way, it takes steps to erase the data and prevent it from being captured again.

Attributing NCSC Activity on Servers

All of the NCSC’s scanning is performed on a schedule, using common, open-source network tools running in a dedicated cloud-hosted environment. All connections come from one of two IP addresses:

  • 18.171.7.246
  • 35.177.10.231

Server system owners and operators may send a list of the IP addresses they want to exclude from future scans to [email protected]. Once these IP addresses have been verified, the NCSC will try to have them removed as soon as it can. Check here for the full details.
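To see how this attribution works in practice, the following Python sketch (an added example, not NCSC code) picks out requests from the two addresses listed above in a web server access log and summarizes what each one requested and when. It assumes the common/combined access log format; the function names and the sample log lines are constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime

# The two scanner source addresses listed in the article.
NCSC_SCANNER_IPS = {ipaddress.ip_address("18.171.7.246"),
                    ipaddress.ip_address("35.177.10.231")}

# Assumed common/combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def normalize(addr):
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) from dual-stack listeners."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped:
        return ip.ipv4_mapped
    return ip

def attribute_scanner_hits(lines):
    """Return {ip: {"count", "first", "last", "requests"}} for scanner-sourced requests."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-HTTP line
        try:
            ip = normalize(m["ip"])
        except ValueError:
            continue  # client field is a hostname or garbage
        if ip not in NCSC_SCANNER_IPS:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec = hits.setdefault(
            str(ip), {"count": 0, "first": ts, "last": ts, "requests": set()})
        rec["count"] += 1
        rec["first"], rec["last"] = min(rec["first"], ts), max(rec["last"], ts)
        rec["requests"].add((m["method"], m["path"], int(m["status"])))
    return hits

# Constructed sample lines (not real traffic); 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = [
    '18.171.7.246 - - [07/Nov/2022:03:14:07 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.9 - - [07/Nov/2022:03:15:00 +0000] "GET /login HTTP/1.1" 200 812 "-" "-"',
    '::ffff:35.177.10.231 - - [07/Nov/2022:04:00:00 +0000] "HEAD /index.html HTTP/1.1" 200 0 "-" "-"',
    '18.171.7.246 - - [08/Nov/2022:03:14:09 +0000] "GET /version HTTP/1.1" 404 153 "-" "-"',
    'not a log line',
]
```

A source address in a log only shows where a connection came from, so the per-address request list is worth comparing against the behaviour described above (valid requests, minimal data) before treating a hit as NCSC activity.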