Knock, Knock...Who's there? Port Knock!

In our society, it often takes tragedy, to bring about change; unfortunate, but true. I am no exception. Over the weekend, I may have accidently left a few ports open. With 65,535 of them, it's hard to remember if they're all closed and stealthed, or if 1241 is still open from my Nessus session, if my Slingbox is still slinging shows over 5001, or if one of those ports in the 27000 range was left open by my alter-ego, half-life addict.

Lucky for me, someone kindly let me know that some ports were left open, through the generous installation of free software (trojans, key loggers, and other malware goodies) on my server and several PCs. After some digital house cleaning, I decided to sprinkle a new layer of security on my network....port knocking.

This security approach was never fully embraced by the network community. I think this was partially due to the misunderstanding of its true purpose. It was never meant to act as a standalone method of security; just a thin lining in your multilayered approach.

Port knocking (PK) is a firewall based method of user authentication. Using a generic client-server model, it is platform independent. A client is able to externally open a port by generating a specific sequence of connection attempts on closed ports. This is analogous to the antiquated practice of using predefined rhythmic knocking on a door, as a sort of pass code, to gain entrance.

Let's forget about the server daemon, client software, dynamic firewall rules, sequencing mechanisms and encryption use, and just look at the basic process. Imagine a server with no open ports, and no vulnerable or critical services running. A client PC wants to create a remote connection to the server, but the service port is closed and the service isn't even running. The client PC sends connection attempts to a series of ports, in a particular order, with specific time intervals. If the sequence of "knocks" correctly matches a predetermined authorization set, then the service port is opened and the service is started.

This mechanism provides several benefits. It is a transparent means of controlled access, by restricting service usage to clients producing the correct "knock" sequence. Common port scanning won't reveal open ports, with corresponding services to attack. Furthermore, to prevent hackers from obtaining the knock sequence, through packet capture and analysis, it can be frequently changed with pseudo random generators and employing encryption.

Another benefit of PK is its ease of implementation. The protected services require no modification and, with legitimate use, there is no degradation of performance. Additional functionality consists of setting specific packet sequences, for both opening and closing ports, and remotely performing administrative tasks. No information is readily provided to the hordes of port scanning hackers, which would indicate the presence of the PK security layer running on a system. Even if discovered, attempts at brute forcing the knock sequence would generate traffic in quantities easily detected by an IDS, and possibly appearing as a DoS attack. Implementing a PK system can be achieved in many ways.....a good list of available options can be found here.

PK critics have analyzed various implementations (without encryption), and are quick to point out their potential flaws. Preventing replay attacks could be a problem if the system was susceptible to packet sniffing and eavesdropping. Furthermore, client IP spoofing, overloading computational resources, packet synchronization errors, and the development and use of single packet authorization (SPA) techniques, have overshadowed its use in recent years.

While, "security through obscurity" is an unacceptable form of security, (although still used way too much), sometimes it's beneficial, when part of a multilayered approach. The hacker community has offensively embraced PK systems for creating "invisible" back doors. Trojans are planted in servers, which monitor traffic for the correct opening knock sequence, as configured by the hacker. When detected, the back door is opened (usually an ephemeral port), and the hacker has access to the server. To all the PK skeptics reading this blog, I can assure you that this is an effective and commonly used method.

No matter what strategy is used for your network protection, it should consist of a layered security architecture. Instead of analyzing methods individually, it is more important to understand the role they play and their effectiveness in your overall security solution.

Part of my personal strategy, is to occasionally employ an older, or less common security method as one of the layers of my defense. Usually, the latest hacker applications and tools, are geared towards defeating the latest security measures, occasionally overlooking the simple, the obscure and the unsuspecting. Descriptive characteristics that usually apply to me.

My ports are always open. Knock me at: greyhat@computer.org

Join the discussion
Be the first to comment on this article. Our Commenting Policies