Cisco CloudCenter: Get the Hybrid IT Advantage

Port Knocking

Definition - What does Port Knocking mean?

Port knocking is an authentication technique used by network administrators. It consists of a specified sequence of closed port connection attempts to specific IP addresses called a knock sequence. The techniques uses a daemon that monitors a firewall's log files looking for the correct connection request sequence. Additionally, it generally determines if the entity seeking port entrance is on the approved list of IP addresses.

Techopedia explains Port Knocking

Port knocking, even using a simple sequence such as "2000, 3000, 4000" would require a huge number of brute force attempts by an external attacker. Without any prior knowledge of the sequence, the attacker would have to try every combination of the three ports from 1 to 65,535 and after each attempt a check would have to be made to see if any ports opened. As well, the correct three digits would have to be received in order, with no other data packets received in between. Such a brute force attempt would require approximately 9.2 quintillion data packets just to successfully open a simple, single three-port knock. Moreover, the attempt is made even more difficult when cryptographic hashes (a method of producing one-time keys), or longer and more complex sequences, are used as part of the port knocking.

In fact, if several legitimate attempts from different IP addresses were opening and closing ports, simultaneous malicious attackers would be thwarted. And if a brute force attempt were successful, port security mechanisms and service authentication would also need to be negotiated. Additionally, any attackers cannot detect that a daemon is at work (i.e. the port appears closed) until they successfully open a port.

There are a few disadvantages. Port knocking systems are very dependent upon the daemon working correctly and if it does not work, no connection can be made with the ports. Thus, the daemon creates a single point of failure. An attacker may also be able to lock out any known IP addresses by sending data packets with fake (i.e. spoofed) IP addresses to random ports and IP addresses cannot be easily changed. (This can be addressed with cryptographic hashes.) Finally, there is the possibility of legitimate requests to open a port may include TCP/IP route packets out of order; or some packets may be dropped. This requires the sender to resend the packets.

Share this:

Connect with us

Email Newsletter

Join thousands of others with our weekly newsletter

The 4th Era of IT Infrastructure: Superconverged Systems
The 4th Era of IT Infrastructure: Superconverged Systems:
Learn the benefits and limitations of the 3 generations of IT infrastructure – siloed, converged and hyperconverged – and discover how the 4th...
Approaches and Benefits of Network Virtualization
Approaches and Benefits of Network Virtualization:
Businesses today aspire to achieve a software-defined datacenter (SDDC) to enhance business agility and reduce operational complexity. However, the...
Free E-Book: Public Cloud Guide
Free E-Book: Public Cloud Guide:
This white paper is for leaders of Operations, Engineering, or Infrastructure teams who are creating or executing an IT roadmap.
Free Tool: Virtual Health Monitor
Free Tool: Virtual Health Monitor:
Virtual Health Monitor is a free virtualization monitoring and reporting tool for VMware, Hyper-V, RHEV, and XenServer environments.
Free 30 Day Trial – Turbonomic
Free 30 Day Trial – Turbonomic:
Turbonomic delivers an autonomic platform where virtual and cloud environments self-manage in real-time to assure application performance.