In computer networking, port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s). A variant called single packet authorization exists, where only a single “knock” is needed, consisting of an encrypted packet.
The primary purpose of port knocking is to prevent an attacker from scanning a system for potentially exploitable services by doing a port scan, because unless the attacker sends the correct knock sequence, the protected ports will appear closed.
Port knocking is a flexible, customizable system add-in. If the administrator chooses to link a knock sequence to an activity such as running a shell script, other changes such as implementing additional firewall rules to open ports for specific IP addresses can easily be incorporated into the script. Simultaneous sessions are easily accommodated.
In addition to mitigating brute force password attacks and the inevitable growth in logs associated with the process daemon, port knocking also protects against protocol vulnerability exploits. If an exploit was discovered that could compromise a daemon in its default configuration, using port knocking on the listening port reduces the possibility of compromise until the software or process is updated. Authorized users would continue to be served once they provide the correct knock sequence while random access attempts would be ignored.
- firewall-based method for user authentication
- establish connections to hosts with no open ports through subversive use of closed ports
- seal off your network hosts and prevent remote profiling
- impossible to determine whether port knocking is implemented
- detection by sniffers both difficult and loud
- encrypted sequences for increased security
- one time encryption pads provide maximum possible protection
- benefits from access control provided by firewall and IDS systems
Defeating port knocking protection requires large-scale brute force attacks in order to discover even simple sequences. An anonymous brute force attack against a three-knock TCP sequence (e.g. port 1000, 2000, 3000) would require an attacker to test every three port combination in the 1–65535 range and then scan each port between attacks to uncover any changes in port access on the target system. Since port knocking is by definition stateful, the requested port would not open until the correct three-port number sequence had been received in the correct order and without receiving any other intervening packets from the source. The average case scenario requires approximately 141 trillion (655353 / 2) packets to determine a correct three-port number. This technique, in combination with knock attempt-limiting, longer or more complex sequences and cryptographic hashes, makes successful port access attempts extremely difficult.
Port knocking is totally dependent on the robustness of the port knocking daemon. The failure of the daemon will deny port access to all users and from a usability and security perspective, this is an undesirable single point of failure. Modern port knocking implementations mitigate this issue by providing a process monitoring daemon that will restart a failed or stalled port knocking daemon process.
Systems that do not use cryptographic hashes are vulnerable to IP address spoofing attacks. These attacks, a form of Denial of service, use port knocking functionality to lock out known IP addresses (e.g. administrator management stations) by sending packets with the spoofed IP address to random ports. Servers using static addressing are especially vulnerable to these types of denials of service as their addresses are well known.
Treating each knock sequence as a one-time password defeat the aim of simplified administration. In practice, port knocking must be combined with other forms of authentication that are not vulnerable to replay or man-in-the-middle attacks for the whole system to be effective.
Source: Wikipedia, portknocking.org