Port knocking: a stealthy system for network authentication across closed ports



Links to related and background articles, guides, standards, documents, sites and books.


  • Miklosovic S (2011) PA018 - Term Project - Port Knocking Enhancements, Faculty of Informatics, Masaryk University
  • Amir R. Khakpour, and Hakima Chaouchi, ESSTCP: Enhanced Spread-Spectrum TCP in Proc. of the 3rd International Workshop on Security in Systems and Networks (SSN'07) in conjunction with IPDPS 2007, Long Beach, CA, March, 2007.

    "Having stealth and lightweight authentication methods is empowering network administrators to shelter critical services from adversaries. Spread-Spectrum TCP (SSTCP) [1] is one of these methods by which the client sends an authentic sequence of SYN packets to the server for authentication. Since SSTCP have some certain drawbacks and security flaws, we propose an enhanced version of SSTCP (ESSTCP) which modifies the original algorithm to reduce the computational cost and cover its vulnerabilities from denial of service and replay attacks. Some performance problems like time synchronization are also resolved. We finally try to extend the functionality of this method for different applications and numbers of users by which ESSTCP can be performed as a secure Remote Procedure Call (RPC)."

  • Jeanquier S (2006) An Analysis of Port Knocking and Single Packet Authorization. M.Sc. Thesis (Royal Holloway, University of London).

    The purpose of this thesis was to analyze the different security benefits and limitations of firewall authentication schemes such as Port Knocking and Single Packet Authorization. I also aimed to address the concept of Security through Obscurity and its relation to the concept of Port Knocking and SPA.

  • Krzywinski M (2005) Port Knocking From the Inside Out. hakin9 5.

    Appears in a number of languages, including Polish as "Dostep tylko dla wtajemniczonych" [Authorized access only]. Discusses the use of sendIP/tcpdump to implement bare-bones port knocking. Doorman is described in the article as well, along with installation and usage tips.

  • Rash M (2004) Combining Port Knocking and Passive OS Fingerprinting with fwknop ;login: 29:19-25
  • Graham-Cumming J (2004) Practical Port Knocking. Dr. Dobb's Journal 366:51-53.
  • Kunz C (2004) Horch, wer kommt von drausen rein... [Listen, who is coming in from outside] c't 14:206-208.
  • Krzywinski M (2003) Port Knocking: Network Authentication Across Closed Ports [txt]. SysAdmin Magazine 12:12-17.
  • Barham P et al (2002) Techniques for Lightweight Concealment and Authentication in IP Networks. Intel Research Berkeley (IRB-TR-02-009)

    An early, strong academic paper that outlines essentially the same authentication mechanism as port knocking.

  • Christian Borss (2001) Listserv post to Braunschweiger Linux User Group

    Predating the Intel group paper, Christian's post to a German LUG.



  • Hou JC Port Knocking, Department of Computer Science, University of Illinois at Urbana Champaign

    An introduction to port knocking.

  • Tan CK, Meng CT Remote Server Access using Dynamic Port Knocking and Forwarding

    Discusses SIG^2's implementation, which "does not rely on sending a pre-defined secret sequence of port knocks to daemon. Instead, each user has a shared password with the daemon. When user wants to connect to the server, client program will generate a random knock sequence and 'declare' them to the daemon."

  • Krzywinski M Port Knocking, West Coast Security Forum, 2003

    My presentation on port knocking designed for a wide audience. Here I present the method as a personalized event trigger.

  • Rash M Advanced Netfilter; Content Replacement (ala Snort_inline), and Port Knocking Based on Passive OS Fingerprinting, DEFCON 12
  • Rathaus N Port knocking: Beyond security

    A good introductory presentation to port knocking.

  • Scorpion Software Introduction to Cerberus: Port knocking with covert packets to secretly open your firewall

    Dana Epp's Cerberus is presented. Cerberus (a) can bypass most IDS sensors by appearing as normal traffic, (b) uses typical ICMP traffic allowed by most firewalls, (c) doesn’t require special tools to craft packet sequences, since this can be done with ping, and (d) implements a one-time password composed of (i) the current date and time up to the last minute, (ii) a system "server seed", (iii) an individual user passcode and (iv) the IP address to allow in (in dotted decimal format).

  • Worth D COK: Cryptographic Port Knocking, Black Hat USA 2004

    David describes COK (Cryptographic One-Time Knocking), his covert implementation of port knocking, which achieves greater resistance against replay attacks by using one-time passwords. One part of the implementation is unique: a client sends covert DNS knocks, in which a DNS query for OTP.domain.tld incorporates the one-time password (OTP) and is processed by the knock daemon. David also discusses knocking using out-of-band protocols.

last updated 2012-Jan-09 10:53
Port Knocking (c) 2002-2019 Martin Krzywinski