Nov 27 2006
By Kurt Seifried (kurt@seifried.org)
Port knocking is defined as:
In computing, port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specified port(s). [1]
It can also be used on an end system such as a server or workstation to allow a connection to a network daemon only after a specified set of network packets has been received. For example, a simple setup may consist of sending a packet to port 22222, which would in turn cause port 22 (SSH) to be opened to the IP address that sent the original packet to port 22222. Additionally, systems can require specific data payloads; for example, an ICMP echo request could be sent with a payload consisting of the port number to be opened.
The claimed benefit of all this is that attackers won’t even be able to access a port a service runs on, let alone connect to it properly and communicate with the network daemon servicing it. Of course this will only work for private services that do not need to be exposed publicly.
The problems with port knocking are:
- It requires a modified firewall and/or network service daemons
- It requires modified client software or additional client software that can send out specific packets
- Depending on the scheme used an attacker may be able to send the right sequence of data, especially if they can monitor a session
- It creates firewall rule exceptions that may not be fully understood or documented correctly
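To make the mechanism above concrete, here is an added example (not code from the original post) of the state machine a knock daemon keeps per source address: it consumes dropped-packet log lines, advances a per-source counter when the next expected port is hit within a time window, and opens the protected port to that source for a limited time once the whole sequence has arrived. The three-port sequence, the log line format and the sample log entries are all constructed for this example; the post itself only names port 22222 opening port 22.

```python
import re
from dataclasses import dataclass

# Assumed knock sequence and protected port (constructed for this example).
KNOCK_SEQUENCE = (22222, 33333, 44444)
PROTECTED_PORT = 22
KNOCK_WINDOW = 10.0    # seconds allowed between consecutive knocks
OPEN_DURATION = 30.0   # seconds the protected port stays open after a good sequence

# Constructed firewall log format: "<epoch seconds> DROP src=<ip> dport=<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) DROP src=(?P<src>[\d.]+) dport=(?P<dport>\d+)$"
)


@dataclass
class KnockProgress:
    index: int = 0          # how many knocks of the sequence have matched so far
    last_seen: float = 0.0  # timestamp of the last knock counted for this source


class KnockDaemon:
    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW,
                 open_for=OPEN_DURATION):
        self.sequence = tuple(sequence)
        self.window = window
        self.open_for = open_for
        self.progress = {}  # source ip -> KnockProgress
        self.opened = {}    # source ip -> time the protected port was opened

    def observe(self, ts, src, dport):
        """Feed one dropped packet; return True if it completes the sequence."""
        st = self.progress.setdefault(src, KnockProgress())
        if st.index and ts - st.last_seen > self.window:
            st.index = 0  # too slow between knocks: start over
        if dport == self.sequence[st.index]:
            st.index += 1
        else:
            # A wrong knock restarts the sequence; if the stray packet happens
            # to be the first knock, it counts as a fresh start.
            st.index = 1 if dport == self.sequence[0] else 0
        st.last_seen = ts
        if st.index == len(self.sequence):
            st.index = 0
            self.opened[src] = ts
            return True
        return False

    def is_allowed(self, ts, src, dport):
        """Would the firewall accept a connection from src to dport at time ts?"""
        if dport != PROTECTED_PORT:
            return False
        opened_at = self.opened.get(src)
        return opened_at is not None and ts - opened_at <= self.open_for


def replay_log(lines, daemon=None):
    """Run log lines through a daemon; return (daemon, sources that unlocked)."""
    daemon = daemon or KnockDaemon()
    unlocked = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a parseable drop record
        if daemon.observe(float(m["ts"]), m["src"], int(m["dport"])):
            unlocked.append(m["src"])
    return daemon, unlocked


# Constructed sample log: one correct client, one that skips a knock,
# one that knocks correctly but too slowly.
SAMPLE_LOG = [
    "1000.0 DROP src=203.0.113.5 dport=22222",
    "1001.0 DROP src=203.0.113.5 dport=33333",
    "1002.0 DROP src=203.0.113.5 dport=44444",
    "1000.5 DROP src=198.51.100.9 dport=22222",
    "1001.5 DROP src=198.51.100.9 dport=44444",
    "1000.0 DROP src=192.0.2.7 dport=22222",
    "1030.0 DROP src=192.0.2.7 dport=33333",
    "1031.0 DROP src=192.0.2.7 dport=44444",
]

if __name__ == "__main__":
    daemon, unlocked = replay_log(SAMPLE_LOG)
    print("unlocked:", unlocked)
    for src in ("203.0.113.5", "198.51.100.9", "192.0.2.7"):
        print(src, "-> port 22 allowed at t=1003:", daemon.is_allowed(1003.0, src, 22))
```

Two design points worth noting. The per-knock window and the open duration are what keep the firewall exception short-lived, which addresses the "rule exceptions that may not be fully understood" problem in the list above. The sequence itself is static, so the daemon will open the port for any source that sends the same three knocks; that is exactly the monitoring problem listed above, and it is why schemes that bind the knock to a payload or a one-time value exist.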
The benefits of port knocking are:
- It will prevent generic port scanning of potentially sensitive services
- It may allow important hosts to remain “invisible” online, reducing their exposure considerably
- Many UNIX systems are capable of port knocking (client and server) with minimal additional software
[1] Port knocking, http://en.wikipedia.org/w/index.php?title=Port_knocking&oldid=61268911 (last visited July 2, 2006).
http://www.portknocking.org/
http://www.linuxjournal.com/article/6811
Posted by Kurt.Seifried on Monday, November 27th, 2006, at 8:00 am, and filed under Technical.