Not the law, but a good idea.
Port knocking: a stealthy system for network authentication across closed ports
Port Knocking has not been seen on TV
port knocking > faq > general


Perl prototype: v0.30

  • pcaplib support added; daemon no longer requires firewall log file

2004-Nov-14 18:59 | ...more

new Net::Pcap support added to sniff packets directly ...more

What is port knocking?

Port knocking is a method by which a remote computer (client) communicates with another computer (server) across closed ports. Information is encoded in the sequence of ports to which the client attempts to connect. The information flows in one direction, from the client to the server. The server does not send any response to the client as receipt of the information. Once encoded into a sequence of port numbers, any information can be sent across closed ports.

What is the advantage of port knocking?

In the current TCP/IP paradigm, a server may offer a number of network services (e.g. SSH, POP, IMAP). Services listen to connections on specific ports (e.g. 22, 110, 143). These ports are open and any client may attempt to gain access to the services. To control access at the time of connection, a packet-filtering firewall is used to restrict client connections by their IP address. Although the firewall rules may be accurately configured to allow only trusted IP ranges to connect to services, an untrusted user using a trusted IP address may gain access.

Port knocking obviates the need to assume that only trusted users can connect from trusted IPs. Access control in PK is achieved by using the firewall to detect secret knocks which are individualized to users, not to remote IP addresses. Furthermore, the server using PK initially presents no open ports to any IP address, and ports are opened only to those IP addresses from which a correct knock is received. The IP address for which access is granted may also be incorporated in an encrypted knock, allowing a third-party (knockproxy) to perform the knock. Since the server has no open ports, it is invulnerable to standard application exploits. Furthermore, port scans targeting the server reveal no information about the nature of the services protected by PK, nor the fact that PK is being used.

Can port knocking be used for good?


Can port knocking be used for evil?

Yes and yes.

How is information sent across closed ports?

Suppose you wanted to send a single integer, k, from 0-255 across a closed port from a client to a server. To achieve this, the server would close all ports from N - N+255 (e.g. 500-755) and monitor any connection attempts to these ports. The client, in turn, would send a SYN packet to closed port N+k on the server. This is a single port knock. The server will detect the incoming packet, and report the connection event to a firewall log file. The port N+k can then be parsed from the log file and the integer k can be recovered.

What is all this fuss about closed ports?

A port can exist in three different states. For TCP communication an open port accepts packets and the client is sent an acknowledgement of receipt. The incoming packet is then made available to applications on the server. A closed port can be either set to REJECT or DENY communication. In either case, packets received by a closed port are not made available to applications running on the server. When a port is configured to REJECT, the server returns an ICMP error packet which instructs the client that the port is configured to reject connections. A closed port set to DENY connections results in no such response.

A client can detect that a port is open and knows that the packet is being received by an application. A client can detect that a port is closed if it sees a returned ICMP error packet. Importantly, a client cannot distinguish between the absence of a server and the state in which the server has all its ports set to DENY. Therefore, by closing ports and DENYing connections, a networked machine is rendered invisible. With port knocking, information can continue to be sent to such a machine.

How does the client know whether the information has been received?

It doesnít. One of the central premises of port knocking is that the client is unable to determine whether the information is has been received. This is by design, so that the presence of the port knocking server cannot be deduced. The serverís firewall is configured to avoid sending any acknowledgement (e.g. DENY instead of REJECT) to the client as receipt of the port knock.

What is a port knock?

A port knock is an ordered list of ports to which the client attempts connection.

How many ports are in a knock?

The number of ports in a knock sequence depends on how much information is to be sent. For example, if only a single number is to be transmitted, then the knock may be three ports. The first port would act as a header, indicating that the knock has started. The second port would be the payload packet that would encode the number. The third and last packet would act as the footer of the knock, indicating that the knock sequence is over. The header and footer subsequences can be of arbitrary and different length.

What port numbers are in a knock?

The port numbers in a knock are also arbitrary. They should be ports that are normally not used by other services, although this isnít a critical point. The server allocates some number of closed ports (e.g. 256) to participate in the knock mechanism. These ports can be in a contiguous range (e.g. 500-755) or in two or more port groups (e.g. 500-600,700-854, or 500-600,700-800,900-950,960,970). The choice of ports needs to be known to the client.

The number of ports allocated by the knock will determine the length of the knock. If the server allocates only two ports (e.g. 500,501) then more ports will be required to encode a given amount of information than if the server allocated 256 ports.

How is information encoded in the knock?

The encoding of the information depends on the number of ports allocated by the server. The number of ports specifies the largest integer value which can be transmitted by a single connection attempt. If the server allocates 2 ports, then the information will need to be encoded into binary format. If the server allocates 255 ports, then the information will need to be encoded into bytes.

If the information can be initially represented as integers in the range of 0-255, or can be directly mapped to this range, and if the ith value to transmit is k, then the ith port will be be N+k where N is the smallest allocated port. If the information cannot be directly expressed as integers in a range smaller than afforded by the allocated ports, a byte-encoding will suffice.

How can discrete information be encoded?

If the client and server can agree on the encoding, discrete information (e.g. enumerated values) can be mapped onto port numbers. For example, if I wanted to tell the server "banana, banana, apple" and we agreed that banana was port 500 and apple was port 501 then the knock would be 500,500,501. I would not need to byte-encode banana and apple. Obviously this type of information mapping works only when the number of unique information tokens is reasonably small.

Can the port knock be encrypted?

It can and it should be encrypted. Before the information is encoded, it should be encrypted using a cryptographically strong algorithm like RSA or Blowfish. The encrypted information can then be byte-encoded into a port knock. Depending on the way the encryption is done, this may increase the length of the knock.

Can you give an example of how encoding and encrypting is done?

Suppose you wanted to send 10 numbers (k1,k2,...,k10) using port knocking using an encrypted knock. Furthermore, suppose that the server allocated ports 500-755 to participate in the knock. First the numbers would be encrypted, then byte-encoded, The byte encoding is next mapped onto the serverís ports sequence to yield the actual knock sequence. The server, upon its receipt, would reverse the steps to recover the original numbers. More details can be found in the details/application section.

last updated 2005-Feb-24 13:33
Port Knocking (c) 2002-2019 Martin Krzywinski