Port knocking
== Benefits ==

Defeating port knocking protection requires a large-scale brute force attack to discover even a simple sequence. An anonymous brute force attack against a three-knock [[Transmission Control Protocol|TCP]] sequence (e.g. port 1000, 2000, 3000) would require the attacker to try every three-port combination in the 1–65535 range and to scan the target between attempts to detect any change in port access. Because port knocking is by definition stateful, the requested port does not open until the correct three-port sequence has been received in the correct order and without any other intervening packet from the same source. In the [[Best, worst and average case|average case]] the attacker must try approximately 141 trillion sequences (65535<sup>3</sup> / 2), each costing three knock packets plus the verification scan, before finding a correct three-port sequence. This, combined with knock attempt limiting, longer or more complex sequences and cryptographic hashes, makes successful port access attempts extremely difficult.

Once the correct knock sequence has been supplied to open a [[TCP and UDP port|port]], the [[Firewall (networking)|firewall]] rules generally open the port only to the [[IP address]] that supplied the knock, adding dynamic behaviour to the firewall. Instead of a preconfigured static IP [[whitelist]] on the firewall, an authorised user anywhere in the world can open any necessary port without assistance from the server administrator. The system can also be configured to let the authenticated user close the port manually once the session is over, or to close it automatically after a timeout. To establish a new session, the remote user must authenticate again with the correct sequence.

The stateful behaviour of port knocking allows several users from different source IP addresses to be at different stages of the knock sequence simultaneously, so a legitimate user with the correct sequence is admitted through the firewall even while the firewall is being attacked from multiple IP addresses (assuming the attack does not consume all of the firewall's bandwidth). From every other IP address the ports on the firewall still appear closed.

A static knock sequence is a shared secret sent in cleartext, so anyone able to sniff the path between the two machines can record it and replay it. Deriving the knock sequence from a [[cryptographic]] hash of the shared secret together with a changing value (such as a counter or timestamp) defends against packet [[Packet sniffer|sniffing]] between the source and target machines: a captured sequence reveals neither the secret nor the next valid sequence, and cannot be replayed to repeat a prior knock.

Port knocking is used as part of a defense in depth strategy. Even if an attacker were to gain access to the port, the other port security mechanisms remain in place, along with the authentication mechanisms of the service on the opened port. Implementing the technique is straightforward, requiring at minimum a [[shell script]] on the server and a Windows batch file or command line utility on the client. Overhead on both server and client in terms of traffic, [[Central processing unit|CPU]] and memory consumption is minimal. Port knock daemons are not complex to code and carry a low audit burden.

A port knock system placed in front of a password-authenticated service such as [[Secure Shell|SSH]] sidesteps [[Brute-force attack|brute force]] password attacks on logins. Without the correct knock the SSH daemon is never reachable, so the attack is filtered by the [[TCP/IP]] stack rather than consuming SSH authentication resources. To the attacker, the daemon is inaccessible until the correct port knock is supplied.
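The per-source state machine, the per-IP open with timeout, and the hashed one-time sequence described in this section, as an added illustration that is not part of the article or of any real port knock daemon. The three-port sequence (1000, 2000, 3000) is the article's example; the timers, the protected port, the secret and the source addresses are constructed for the example, and the HMAC-SHA256 derivation is one assumed way of building a replay-resistant sequence, not a standard.

```python
import hashlib
import hmac
import time

# Constructed values for this example: the article's three-port sequence and two assumed timers.
SEQUENCE = (1000, 2000, 3000)
KNOCK_GAP_SECONDS = 10   # assumed: a knock arriving later than this resets the source's progress
OPEN_SECONDS = 30        # assumed: how long the protected port stays open for a knocking source


def average_case_attempts(length=3, ports=65535):
    """Expected number of sequences a blind brute-force attacker must try (the 65535^3 / 2 figure)."""
    return ports ** length // 2


def hashed_sequence(secret, counter, length=3, low=1024, high=65535):
    """One-time knock sequence from a shared secret and a counter (assumed construction, HMAC-SHA256).

    A sniffer who records one sequence cannot replay it: after a successful knock the
    daemon advances the counter and expects a different sequence.
    """
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    span = high - low + 1
    return tuple(low + int.from_bytes(digest[2 * i:2 * i + 2], "big") % span for i in range(length))


class KnockDaemon:
    """Tracks each source IP's progress through the sequence and which sources currently have the port open."""

    def __init__(self, protected_port, sequence=SEQUENCE, clock=time.monotonic, rotate=None):
        self.protected_port = protected_port
        self.sequence = tuple(sequence)
        self.clock = clock
        self.rotate = rotate or (lambda current: current)  # called after each successful knock
        self._progress = {}    # src_ip -> (index of next expected knock, time of last knock)
        self._open_until = {}  # src_ip -> time at which the port closes again for that source

    def is_open(self, src_ip):
        expiry = self._open_until.get(src_ip)
        if expiry is None:
            return False
        if self.clock() >= expiry:
            del self._open_until[src_ip]   # automatic close by timeout
            return False
        return True

    def close(self, src_ip):
        """Manual close at the end of a session; a new session needs a fresh knock."""
        self._open_until.pop(src_ip, None)

    def packet(self, src_ip, dst_port):
        """Firewall decision for one inbound SYN: 'ACCEPT' or 'DROP'. Knock packets are always dropped."""
        now = self.clock()
        if dst_port == self.protected_port:
            return "ACCEPT" if self.is_open(src_ip) else "DROP"
        idx, last = self._progress.get(src_ip, (0, now))
        if now - last > KNOCK_GAP_SECONDS:
            idx = 0                        # too slow: start over
        if dst_port == self.sequence[idx]:
            idx += 1
            if idx == len(self.sequence):
                self._open_until[src_ip] = now + OPEN_SECONDS   # opens only for this source
                self._progress.pop(src_ip, None)
                self.sequence = tuple(self.rotate(self.sequence))
                return "DROP"
            self._progress[src_ip] = (idx, now)
        elif dst_port == self.sequence[0]:
            self._progress[src_ip] = (1, now)   # wrong knock, but it restarts the sequence
        else:
            self._progress.pop(src_ip, None)     # any other intervening packet resets this source
        return "DROP"


def hashed_daemon(protected_port, secret, start_counter=0, clock=time.monotonic):
    """Daemon whose expected sequence is derived from the secret and a counter that advances per success."""
    state = {"counter": start_counter}

    def rotate(_current):
        state["counter"] += 1
        return hashed_sequence(secret, state["counter"])

    return KnockDaemon(protected_port, hashed_sequence(secret, start_counter), clock=clock, rotate=rotate)


if __name__ == "__main__":
    d = KnockDaemon(22)
    for port in SEQUENCE:
        d.packet("198.51.100.7", port)
    print("knocker:", d.packet("198.51.100.7", 22), " other source:", d.packet("203.0.113.9", 22))
    print("average brute-force attempts:", average_case_attempts())
```

The static daemon shows the article's claims directly: the port opens only for the source that knocked, an intervening packet or a long pause discards that source's progress, and the open expires. The hashed variant shows why a plain sequence is not enough against a sniffer: replaying a captured sequence from another address fails because the daemon has already moved to the next counter.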