ALERT

[WEBINAR] The Future of Data and Analytics

Port Knocking

Definition - What does Port Knocking mean?

Port knocking is an authentication technique used by network administrators. It consists of a specified sequence of closed port connection attempts to specific IP addresses called a knock sequence. The techniques uses a daemon that monitors a firewall's log files looking for the correct connection request sequence. Additionally, it generally determines if the entity seeking port entrance is on the approved list of IP addresses.

Techopedia explains Port Knocking

Port knocking, even using a simple sequence such as "2000, 3000, 4000" would require a huge number of brute force attempts by an external attacker. Without any prior knowledge of the sequence, the attacker would have to try every combination of the three ports from 1 to 65,535 and after each attempt a check would have to be made to see if any ports opened. As well, the correct three digits would have to be received in order, with no other data packets received in between. Such a brute force attempt would require approximately 9.2 quintillion data packets just to successfully open a simple, single three-port knock. Moreover, the attempt is made even more difficult when cryptographic hashes (a method of producing one-time keys), or longer and more complex sequences, are used as part of the port knocking.

In fact, if several legitimate attempts from different IP addresses were opening and closing ports, simultaneous malicious attackers would be thwarted. And if a brute force attempt were successful, port security mechanisms and service authentication would also need to be negotiated. Additionally, any attackers cannot detect that a daemon is at work (i.e. the port appears closed) until they successfully open a port.

There are a few disadvantages. Port knocking systems are very dependent upon the daemon working correctly and if it does not work, no connection can be made with the ports. Thus, the daemon creates a single point of failure. An attacker may also be able to lock out any known IP addresses by sending data packets with fake (i.e. spoofed) IP addresses to random ports and IP addresses cannot be easily changed. (This can be addressed with cryptographic hashes.) Finally, there is the possibility of legitimate requests to open a port may include TCP/IP route packets out of order; or some packets may be dropped. This requires the sender to resend the packets.

Share this: