Port knocking

Port knocking is a method of modifying a firewall's behaviour in real time: ports are opened for communication only after a prior succession of connection attempts on distinct ports has arrived in the correct order, much like a coded knock on a door.

This technique is used in particular to protect access to port 22, dedicated to Secure Shell (SSH); it requires few resources and is easy to implement. While it is not yet widely adopted by the computing community, it has already been integrated into some recent rootkits.

Theoretical operation

A process runs in the background (a daemon) and scans the firewall's connection log, or analyses packets arriving on an already open port, in order to detect a particular sequence. The server keeps a list of the ports on which connections were attempted, per source IP address. With each connection attempt, the port is added to the list for that IP address. If the list contains a recognised sequence, the firewall rules are modified to open a predefined port; other commands can also be executed in this way. The complexity of the sequence can vary from a simple list (for example: TCP port 1000, TCP port 2000, UDP port 3000) to one that also checks timing and statistical data.

The only indication of failure is the absence of a newly opened port at the end of the sequence. At no time is any information sent back to the sender of the sequence; the system remains silent.

When a port has been opened by the correct sequence, the firewall rules authorise only the IP address that launched the sequence to communicate on the open port. The port can be closed again after a set time or on request.
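The per-address bookkeeping described above, as an added example that is not part of the original article: a small daemon that reads dropped-packet records from a firewall log, keeps the list of attempted ports per source IP, opens the protected port for that source only when the recognised sequence arrives within a time window, and closes it again when the time elapses or on request. The knock sequence (TCP 1000, TCP 2000, UDP 3000) is the one the article gives; the log line format, the window and open durations, the port number 22, and the IP addresses in the sample log are constructed for this example.

```python
import re
from collections import defaultdict

# Knock configuration. The sequence matches the article's example; the
# window, open duration and protected port are assumed values.
KNOCK_SEQUENCE = [("TCP", 1000), ("TCP", 2000), ("UDP", 3000)]
PROTECTED_PORT = 22      # the port the sequence unlocks
KNOCK_WINDOW = 10.0      # seconds: the whole sequence must arrive within this
OPEN_DURATION = 30.0     # seconds: how long the port stays open for that source

# Constructed log format, one dropped packet per line (loosely modelled on a
# firewall LOG target): "<unix_ts> DROP SRC=<ip> PROTO=<TCP|UDP> DPT=<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) DROP SRC=(?P<src>\S+) "
    r"PROTO=(?P<proto>TCP|UDP) DPT=(?P<dpt>\d+)$"
)


class KnockDaemon:
    """Tracks per-source connection attempts and decides when to open the port.

    `opens` stands in for the firewall rules this daemon would add
    (src -> expiry time). A real daemon would call the firewall here;
    this one only records the decision so the logic can be checked.
    """

    def __init__(self):
        self.attempts = defaultdict(list)   # src -> [(ts, proto, port), ...]
        self.opens = {}                      # src -> timestamp when the rule expires

    def _expire(self, now):
        # Close ports whose allowed time has elapsed ("after a set time").
        for src in [s for s, exp in self.opens.items() if exp <= now]:
            del self.opens[src]

    def observe(self, ts, src, proto, port):
        """Record one attempt; return ("OPEN", src, port, expiry) if it completes the sequence."""
        self._expire(ts)
        # Keep only attempts inside the window, then append the new one.
        recent = [a for a in self.attempts[src] if ts - a[0] <= KNOCK_WINDOW]
        recent.append((ts, proto, port))
        self.attempts[src] = recent
        n = len(KNOCK_SEQUENCE)
        tail = [(p, d) for _, p, d in recent[-n:]]
        if tail == KNOCK_SEQUENCE:
            expiry = ts + OPEN_DURATION
            self.opens[src] = expiry          # only this source is authorised
            self.attempts[src] = []           # sequence consumed; a new knock starts over
            return ("OPEN", src, PROTECTED_PORT, expiry)
        return None   # nothing is sent back to the knocker: the system stays silent

    def is_allowed(self, src, port, now):
        """Would the firewall accept src -> port at time `now`?"""
        self._expire(now)
        return port == PROTECTED_PORT and src in self.opens

    def close(self, src):
        """Close the port on request rather than waiting for the timeout."""
        self.opens.pop(src, None)


def process_log(lines, daemon=None):
    """Feed firewall log lines to the daemon; return (OPEN actions, daemon)."""
    if daemon is None:
        daemon = KnockDaemon()
    actions = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue   # not a dropped-packet record; ignore it
        action = daemon.observe(float(m["ts"]), m["src"], m["proto"], int(m["dpt"]))
        if action:
            actions.append(action)
    return actions, daemon


# Constructed sample log: a knock from 192.0.2.4 that is too slow, a knock from
# 198.51.100.9 in the wrong order, and one correct knock from 203.0.113.7.
SAMPLE_LOG = [
    "900.0 DROP SRC=192.0.2.4 PROTO=TCP DPT=1000",
    "901.0 DROP SRC=192.0.2.4 PROTO=TCP DPT=2000",
    "920.0 DROP SRC=192.0.2.4 PROTO=UDP DPT=3000",      # window expired: no open
    "1000.0 DROP SRC=203.0.113.7 PROTO=TCP DPT=1000",
    "1000.5 DROP SRC=198.51.100.9 PROTO=TCP DPT=2000",  # wrong order
    "1001.0 DROP SRC=203.0.113.7 PROTO=TCP DPT=2000",
    "1001.2 DROP SRC=198.51.100.9 PROTO=TCP DPT=1000",
    "1002.0 DROP SRC=203.0.113.7 PROTO=UDP DPT=3000",   # completes the sequence
    "1002.5 DROP SRC=198.51.100.9 PROTO=UDP DPT=3000",
]

if __name__ == "__main__":
    actions, daemon = process_log(SAMPLE_LOG)
    for a in actions:
        print(a)   # ('OPEN', '203.0.113.7', 22, 1032.0)
    print("203.0.113.7 at t=1010:", daemon.is_allowed("203.0.113.7", 22, 1010.0))  # True
    print("203.0.113.7 at t=1040:", daemon.is_allowed("203.0.113.7", 22, 1040.0))  # False
```

The check `tail == KNOCK_SEQUENCE` compares the last N attempts exactly, so a stray attempt in the middle of a knock breaks it and the sender must start again; the window filter in `observe` is what makes the slow knock from 192.0.2.4 fail even though its ports were right.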

Recognised advantages

A simple sequence of three connection attempts (for example: ports 1000, 2000, 3000) requires an attacker who does not know the sequence to use brute force to discover it. They would have to test every combination of the 65535 ports with a scanner, and check after each scan whether a port had opened; that gives roughly 18445618199572250625 possible data packets to send, i.e. 65535⁴ packets (65535³ for the sequence of three ports, multiplied by 65535 attempts each time to discover a possibly opened port).

But none of this holds any more if a sniffer is used; effective listening for the sequences then allows access without authorisation. This is why a considerably more complex sequence would make the task more difficult.

A security asset

Port knocking provides an additional security asset, but does not replace other security measures. Although it does not itself introduce a weakness into the security chain, the use of an additional piece of software may introduce a new security issue.

See also

  • Operation with explanatory diagrams
