Silent, multi-layer security for your organization.
Port knocking: a stealthy system for network authentication across closed ports
Port Knocking has not been seen on TV

FAQ

Perl prototype: v0.30 (2004-Nov-14 18:59)

  • pcaplib support added; daemon no longer requires firewall log file
  • new Net::Pcap support added to sniff packets directly

It is a common misconception that an attacker can't tell a system which doesn't send reject packets from a system which is disconnected/off.

It is a common misconception that an attacker can't tell a system which doesn't send reject packets from a system which is disconnected/off. This is not true. The difference lies in the reply from the next hop router. An existing system will not cause a response from the router, but you will get a "Destination unreachable" ICMP packet from said router if the target system is offline. This is because the router times out the target system's ARP entry and then, when the router needs to reach it, can't find the target if it is actually offline. A connected system cannot not answer ARP requests (or it doesn't get its packets), so the router always knows where to send the packets and doesn't return "destination unreachable". (Slashdot)

I have heard the argument that DENY gives away the presence of a firewall and REJECT does not.

These examples prove this argument to be nonsense.

All services should be this way.

But with a password for example, you know where the service is listening and therefore can attempt to exploit problems with the service that can be exploited without a password. This is like putting the password before the protocol is even accessed.

All services should be this way. Passwords entered after the service has been accessed in some way always give a chance for exploitation. This only gives the opportunity to attempt to exploit the OS's basic network functionality. (Slashdot)
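The "password before the protocol" idea above, as an added example that is not code from this page or from the Perl prototype: a knock daemon that, like the log-file mode mentioned in the release notes, reads firewall log lines for dropped packets and only reports a source once it has hit the full sequence in order within a short window. The knock sequence, window, addresses and log lines are all constructed for the demonstration.

```python
import re
from typing import Dict, List, Optional, Tuple

KNOCK_SEQUENCE = (1234, 5678, 9012)   # hypothetical secret sequence
KNOCK_WINDOW = 5.0                    # seconds allowed between consecutive knocks

# Constructed iptables-style log lines for the demonstration (not from the page).
SAMPLE_LOG = """\
Feb 13 18:40:01 gw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP DPT=1234
Feb 13 18:40:02 gw kernel: IN=eth0 SRC=192.0.2.9 DST=198.51.100.7 PROTO=TCP DPT=1234
Feb 13 18:40:02 gw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP DPT=5678
Feb 13 18:40:03 gw kernel: IN=eth0 SRC=192.0.2.9 DST=198.51.100.7 PROTO=TCP DPT=9012
Feb 13 18:40:03 gw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP DPT=9012
Feb 13 18:40:20 gw kernel: IN=eth0 SRC=198.51.100.200 DST=198.51.100.7 PROTO=TCP DPT=1234
Feb 13 18:40:21 gw kernel: IN=eth0 SRC=198.51.100.200 DST=198.51.100.7 PROTO=TCP DPT=5678
Feb 13 18:40:40 gw kernel: IN=eth0 SRC=198.51.100.200 DST=198.51.100.7 PROTO=TCP DPT=9012
"""

LINE_RE = re.compile(r"^\w{3} +\d+ (\d\d):(\d\d):(\d\d) .*SRC=(\S+) .*DPT=(\d+)")

def parse_line(line: str) -> Optional[Tuple[float, str, int]]:
    """Return (seconds since midnight, source address, destination port), or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    h, mi, s, src, dpt = m.groups()
    return int(h) * 3600 + int(mi) * 60 + int(s), src, int(dpt)

def completed_knocks(log_text: str,
                     sequence: Tuple[int, ...] = KNOCK_SEQUENCE,
                     window: float = KNOCK_WINDOW) -> List[str]:
    """Return the sources that sent the full sequence, in order, within the window.

    An out-of-order port, or a gap longer than `window`, discards the partial
    progress and the client must start over. Nothing is ever sent back, so a
    wrong knock looks exactly like any other dropped packet to the sender."""
    progress: Dict[str, Tuple[int, float]] = {}   # src -> (next index, last knock time)
    opened: List[str] = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        t, src, port = parsed
        idx, last = progress.get(src, (0, t))
        if t - last > window:
            idx = 0                                  # too slow: start over
        if port == sequence[idx]:
            idx += 1
        else:
            idx = 1 if port == sequence[0] else 0    # wrong knock: restart (maybe a new attempt)
        if idx == len(sequence):
            opened.append(src)                       # full sequence seen: caller opens the port
            idx = 0
        progress[src] = (idx, t)
    return opened
```

In the sample, 192.0.2.9 knocks out of order and 198.51.100.200 is too slow on its last knock, so only 203.0.113.5 is reported.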

We jeopardized the security regularly when we said "wrong knock" after someone else knocked.

That is a very old method I developed with my friends. We would only open the door after a "secret" knock sequence. We had seen this on TV and thought this would be cool. We jeopardized the security regularly when we said "wrong knock" after someone else knocked. Usually parents. Then they would say "open up". And we had to comply. (Slashdot)

The main difference involves knowing whether or not a way in exists.

As an analogy, if you want to get into a house, and find a locked door, you have a few options... You can try one of those M x N position key blanks, which will take a very very long time (exhaustive search). You can try to pick it (exploit a weakness in the password algorithm). You can try to get a hold of a copy of the real key (packet sniffing, "shoulder surfing", etc). But you have no doubt that somewhere, a key exists that will open that door.

Now compare that to a solid block of concrete, roughly the size of a house. What does it do? Do helicopters land on it? Does it cover something, or hold something down? Does it have something sealed inside it? You'd never suspect that, if you utter the magic phrase "Sim sala bim bamba sala do saladim", a door will appear in the side of this large concrete block, allowing those with a key to gain entrance.

The main difference involves knowing whether or not a way in exists. With just a passworded port, an attacker knows that enough effort will pay off. Adding in port knocking, that attacker doesn't know whether or not their hard work can ever gain them entrance, since a port might well not exist. (Slashdot)

last updated 2004-Feb-13 18:48
Port Knocking (c) 2002-2017 Martin Krzywinski