Port knocking: a stealthy system for network authentication across closed ports

How can PK be used?

There are many ways in which PK can be used. Since the method allows for transmitting information across closed ports, you can use PK to communicate with an isolated server. The server may be isolated for security reasons, to deny potential intruders access to your applications. As long as the client and server can decide on how information is encoded in the port sequence, the client can establish one-way communication to the server.

Can you give a specific example of how PK can be used?

One way to use PK is as an access-granting system. The client sends a knock which encodes a request that the server open a given port, or range of ports, to the client for a specified amount of time. For example, if the port knock encodes the client’s IP, the port(s) that should be opened, and the length of time for which the ports should maintain their open state, the client can effectively open ports on demand. In this use of PK, ports are opened specifically to the client’s IP.

How can this example be extended?

The client may extend the functionality of the knock, as long as the server knows how to interpret the extra information. Additional information that can be added includes:

  • a checksum to decrease the effect of transmission errors
  • a flag that indicates whether further communication attempts are to be accepted from the client
  • a flag that specifies that communication from the client’s IP should be rejected for M minutes after the end of the granted session
  • a flag that specifies that the server reject concurrent connections from the client’s IP
  • a flag that instructs the server to start or shut down a service behind the port requested by the client

Why should the client’s IP be included in the knock sequence?

The port knock may be intercepted by a third party. The IP of the client should be included in the encrypted knock to reduce the danger posed by replay attacks. Since the IP of the client can be deduced from the packet header itself, ideally the port knock should be carried out by a computer with a different IP than the one encoded in the knock. This way, even if someone replays the knock and spoofs their IP, and assuming that the server is allowing additional communication from the client (see point above), they cannot know the actual IP of the client. If the listening third party detects traffic from the client to the server and changes their spoofed IP, the knock server can still reject additional connections (see point above).
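The access-granting knock and its extensions described above, as an added example that is not code from the port knocking project: the client encodes its IP, the requested port, a duration, a flag byte and a checksum as a port sequence, and the server decodes it, opens the port only for the encoded IP, and rejects a replay once the lock flag has been seen. The base port, byte layout, flag name and additive checksum are assumptions, and the knock is left unencrypted here so the encoding stays visible.

```python
import ipaddress

BASE_PORT = 2000          # assumption: knock ports are BASE_PORT..BASE_PORT+255, all closed
FLAG_LOCK_AFTER = 0x01    # hypothetical flag: accept no further knocks for this IP

def encode_knock(client_ip, port, minutes, flags=0):
    """Client: pack IP, port, duration and flags, append a checksum, map bytes to ports."""
    body = (ipaddress.IPv4Address(client_ip).packed
            + port.to_bytes(2, "big") + bytes([minutes, flags]))
    return [BASE_PORT + b for b in body + bytes([sum(body) % 256])]

def decode_knock(ports):
    """Server: rebuild the request from the observed port sequence, or return None."""
    if len(ports) != 9 or not all(BASE_PORT <= p <= BASE_PORT + 255 for p in ports):
        return None
    data = bytes(p - BASE_PORT for p in ports)
    if sum(data[:8]) % 256 != data[8]:
        return None                      # checksum mismatch: transmission error
    return {"ip": str(ipaddress.IPv4Address(data[:4])),
            "port": int.from_bytes(data[4:6], "big"),
            "minutes": data[6], "flags": data[7]}

class KnockServer:
    """Tracks grants as (ip, port) -> expiry time and honours the lock flag."""
    def __init__(self):
        self.grants, self.locked = {}, set()

    def handle(self, ports, now):
        req = decode_knock(ports)
        if req is None or req["ip"] in self.locked:
            return False                 # malformed knock, or further knocks were refused
        self.grants[(req["ip"], req["port"])] = now + 60 * req["minutes"]
        if req["flags"] & FLAG_LOCK_AFTER:
            self.locked.add(req["ip"])
        return True

    def is_open(self, ip, port, now):
        """A port is open only to the IP encoded in the knock, until the grant expires."""
        return self.grants.get((ip, port), 0) > now

# Constructed sample: 192.0.2.10 asks for port 22 for 15 minutes, then locks itself.
KNOCK = encode_knock("192.0.2.10", 22, 15, FLAG_LOCK_AFTER)
```

The additive checksum only catches transmission errors; resistance to forged or altered knocks comes from encrypting the bytes before they are mapped to ports.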

last updated 2005-Aug-03 13:40
Port Knocking (c) 2002-2019 Martin Krzywinski