Resources
Links to related and background articles, guides, standards, documents, sites and books.
Press
- Amir R. Khakpour and Hakima Chaouchi, ESSTCP: Enhanced Spread-Spectrum TCP, in Proc. of the 3rd International Workshop on Security in Systems and Networks (SSN'07), in conjunction with IPDPS 2007, Long Beach, CA, March 2007.
"Having stealth and lightweight authentication methods
is empowering network administrators to shelter critical
services from adversaries. Spread-Spectrum TCP
(SSTCP) [1] is one of these methods by which the client
sends an authentic sequence of SYN packets to the server
for authentication. Since SSTCP have some certain
drawbacks and security flaws, we propose an enhanced
version of SSTCP (ESSTCP) which modifies the original
algorithm to reduce the computational cost and cover its
vulnerabilities from denial of service and replay attacks.
Some performance problems like time synchronization
are also resolved. We finally try to extend the
functionality of this method for different applications and
numbers of users by which ESSTCP can be performed as
a secure Remote Procedure Call (RPC)."
- Jeanquier S (2006) An Analysis of Port Knocking and Single Packet Authorization. M.Sc. Thesis (Royal Holloway, University of London).
The purpose of this thesis was to analyze the different security benefits and limitations of firewall authentication schemes such as Port Knocking and Single Packet Authorization. I also aimed to address the concept of Security through Obscurity and its relation to the concept of Port Knocking and SPA. [http://www.securethoughts.net/spa/]
- Krzywinski M (2005) Port Knocking From the Inside Out. hakin9 5.
Appears in a number of languages, including Polish as "Dostep tylko dla wtajemniczonych" [Authorized access only]. Discusses the use of sendIP/tcpdump to implement bare-bones port knocking. Doorman is described in the article as well, along with installation and usage tips.
- Rash M (2004) Combining Port Knocking and Passive OS Fingerprinting with fwknop. ;login: 29:19-25.
- Graham-Cumming J (2004) Practical Port Knocking. Dr. Dobb's Journal 366:51-53.
- Kunz C (2004) Horch, wer kommt von draußen rein... [Listen, who is coming in from outside] c't 14:206-208.
- Krzywinski M (2003) Port Knocking: Network Authentication Across Closed Ports. SysAdmin Magazine 12:12-17.
- Barham P et al (2002) Techniques for Lightweight Concealment and Authentication in IP Networks. Intel Research Berkeley (IRB-TR-02-009)
An early, strong academic paper that outlines essentially the same authentication mechanism as port knocking.
- Christian Borss (2001) Listserv post to Braunschweiger Linux User Group (lug-bs@lk.etc.tu-bs.de)
Predating the Intel group paper, Christian's post to a German LUG.
Online
- Bradley T (2004) Good guys and bad guys are using this method to open ports. about.com
Discusses the darker side of port knocking: a feature in malware that provides hidden back doors on compromised systems. Symantec has identified port knocking as one of the new emerging trends in bot networks.
- Doyle M Implementing a Port Knocking System in C, Department of Physics, University of Arkansas
Matt's Honours Thesis describes his implementation of a port knocking client and server, written in C. Matt uses Blowfish to encrypt the knock.
- Hatch B Sniffing with Net::Pcap to stealthily managing iptables rules remotely, Hacking Linux Exposed
- Krivis S Port knocking: helpful or harmful? An exploration of modern network threats
Discusses threats due to open ports and ways to control them: tighten, watch, learn and re-tighten.
- Krzywinski M (2003) Port knocking. Linux Journal.
- Kung L, Hou JC CS397 Network System Labs Project 5: Port Knocking, Department of Computer Science, University of Illinois at Urbana Champaign
A 3rd year computer science project directed at implementing a port knocking netfilter module.
- Maddock B (2004) Port Knocking: An overview of Concepts, Issues and Implementations. SANS Institute
Maddock addresses in detail benefits and limitations of port knocking. He contrasts the feature sets in current implementations and presents his views on the future of the method. The article contains a large number of references to documents that discuss port knocking, as well as various implementations.
- Martin K (2004) Click on this, you muthas
This article in The Register discusses the concept of backdoors. "Port knocking is a legitimate security concept that has been discussed on Slashdot recently, and some virus writers have started using it "secure" their own backdoors. Add port knocking capabilities to a backdoor and you get a port knocking backdoor. The power to control these things would be held in the hands of an elite few, instead of any miscreant with malformed intent, as it is today."
- Nakjang N (2003) A Practical Approach of Stealthy Remote Administration. linuxsecurity.com
A discussion of SAdoor (implementations)
- Narayanan A (2004) A critique of port knocking, NewsForge.
- Nooning T (2004) Use port knocking for a more secure method of opening ports. TechRepublic.
- Tbonius Introduction to Port Knocking
- Tan CK Remote Server Management Using Dynamic Port Knocking and Forwarding
- Trowbridge C (2003) An Overview of Remote Operating System Finger Printing, SANS Institute
- Whitehouse W, Yamamoto M (2004) Knock Knock, Sandstorm Enterprises
- Yarden J (2005) Use port knocking to bypass firewall rules and keep security intact
"While they add an extra layer of network security, firewalls can often inhibit the proper administration of an organization's network. How can you get past firewall rules without compromising security? One method is port knocking. Find out how port knocking works, see why some people argue that this method isn't true security, and learn why port knocking sometimes presents its own security concerns." [excerpt]
- port knocking. webopedia
- port knocking. wikipedia
- Port Knocking - A new trend for firewall administrators. TLANews.com
Presentations
- Hou JC Port Knocking, Department of Computer Science, University of Illinois at Urbana Champaign
An introduction to port knocking.
- Tan CK, Meng CT Remote Server Access using Dynamic Port Knocking and Forwarding
Discusses SIG^2's implementation, which "does not rely on sending a pre-defined secret sequence of port knocks to daemon. Instead, each user has a shared password with the daemon. When user wants to connect to the server, client program will generate a random knock sequence and 'declare' them to the daemon."
- Krzywinski M Port Knocking, West Coast Security Forum, 2003
My presentation on port knocking designed for a wide audience. Here I present the method as a personalized event trigger.
- Rash M Advanced Netfilter; Content Replacement (ala Snort_inline), and Port Knocking Based on Passive OS Fingerprinting, DEFCON 12
- Rathaus N Port knocking: Beyond security
A good introductory presentation to port knocking.
- Scorpion Software Introduction to Cerberus: Port knocking with covert packets to secretly open your firewall
Dana Epp's Cerberus (implementations) is presented.
Cerberus (a) can bypass most IDS sensors as normal traffic, (b) uses typical ICMP traffic allowed by most firewalls, (c) doesn’t require special tools to craft packet sequences - can be done with ping, (d) implements one time password composed of (i) the current date and time up to the last minute (ii) system "server seed" (iii) an individual user passcode and (iv) the IP address to allow in (in dotted decimal format).
- Worth D COK: Cryptographic Port Knocking, Black Hat USA 2004
David describes COK (Cryptographic One-Time Knocking), his covert implementation of port knocking, which achieves greater resistance against replay attacks by using one-time passwords. One part of the implementation is unique: a client sending covert DNS knocks, in which a DNS query OTP.domain.tld incorporates the one-time password (OTP) and is processed by the knock daemon. David also discusses knocking using out-of-bound protocols.
last updated 2008-Apr-13 12:35