
Port Knocking

Definition - What does Port Knocking mean?

Port knocking is an authentication technique used by network administrators. It consists of a specified sequence of connection attempts to closed ports on specific IP addresses, called a knock sequence. The technique uses a daemon that monitors a firewall's log files for the correct sequence of connection requests. In addition, the daemon generally checks whether the entity seeking access to a port is on the approved list of IP addresses.

Techopedia explains Port Knocking

Port knocking, even with a simple sequence such as "2000, 3000, 4000", would require a huge number of brute force attempts by an external attacker. Without any prior knowledge of the sequence, the attacker would have to try every combination of the three ports from 1 to 65,535, and after each attempt would have to check whether any ports had opened. In addition, the three correct port numbers would have to be received in order, with no other data packets received in between. Such a brute force attempt would require approximately 9.2 quintillion data packets just to successfully open a simple, single three-port knock. The attempt becomes even more difficult when cryptographic hashes (a method of producing one-time keys), or longer and more complex sequences, are used as part of the port knocking.

In fact, if several legitimate attempts from different IP addresses were opening and closing ports, simultaneous malicious attackers would be thwarted. And if a brute force attempt were successful, port security mechanisms and service authentication would also need to be negotiated. Additionally, attackers cannot detect that a daemon is at work (i.e. the port appears closed) until they successfully open a port.

There are a few disadvantages. Port knocking systems are very dependent on the daemon working correctly; if it does not work, no connection can be made with the ports. Thus, the daemon creates a single point of failure. An attacker may also be able to lock out any known IP addresses by sending data packets with fake (i.e. spoofed) IP addresses to random ports, and IP addresses cannot be easily changed. (This can be addressed with cryptographic hashes.) Finally, legitimate requests to open a port may have their TCP/IP packets routed out of order, or some packets may be dropped. In that case the sender has to resend the packets.
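
The daemon-side check described above can be sketched as follows; this is an added example, not code from any particular port knocking daemon. The log line format, the approved IP list and the sample log are constructed for illustration, and the knock sequence is the "2000, 3000, 4000" example from the text.

```python
import re

KNOCK_SEQUENCE = (2000, 3000, 4000)               # example sequence from the text
APPROVED_IPS = {"198.51.100.7", "198.51.100.9"}   # constructed approved list

# Assumed firewall log format: "<time> DROP SRC=<ip> DPT=<port>"
LOG_LINE = re.compile(r"DROP SRC=(?P<src>[\d.]+) DPT=(?P<port>\d+)")

# Constructed sample: an approved client, an unapproved host replaying the
# same knocks, and an approved client whose first attempt arrives out of order.
SAMPLE_LOG = """\
10:00:01 DROP SRC=198.51.100.7 DPT=2000
10:00:01 DROP SRC=203.0.113.50 DPT=2000
10:00:02 DROP SRC=198.51.100.7 DPT=3000
10:00:02 DROP SRC=203.0.113.50 DPT=3000
10:00:03 DROP SRC=198.51.100.7 DPT=4000
10:00:03 DROP SRC=203.0.113.50 DPT=4000
10:00:10 DROP SRC=198.51.100.9 DPT=2000
10:00:11 DROP SRC=198.51.100.9 DPT=4000
10:00:12 DROP SRC=198.51.100.9 DPT=3000
10:00:20 DROP SRC=198.51.100.9 DPT=2000
10:00:21 DROP SRC=198.51.100.9 DPT=3000
10:00:22 DROP SRC=198.51.100.9 DPT=4000
"""

def process_log(lines, sequence=KNOCK_SEQUENCE, approved=APPROVED_IPS):
    """Return source IPs, in order, for which the daemon would open the port."""
    progress = {}   # source IP -> number of knocks matched so far
    opened = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        src, port = m["src"], int(m["port"])
        if src not in approved:
            continue                      # not on the approved list: ignored
        idx = progress.get(src, 0)
        if port == sequence[idx]:
            idx += 1                      # next knock in the expected order
        else:
            # Any other packet breaks the sequence; it may itself be a first knock.
            idx = 1 if port == sequence[0] else 0
        if idx == len(sequence):
            opened.append(src)            # a real daemon would add a firewall rule here
            idx = 0
        progress[src] = idx
    return opened

if __name__ == "__main__":
    print(process_log(SAMPLE_LOG.splitlines()))
```

State is tracked per source address, so the out-of-order attempt from 198.51.100.9 is discarded and only its resent sequence opens the port.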
