Open main menu
Home
Random
Recent changes
Special pages
Community portal
Preferences
About Wikipedia
Disclaimers
Incubator escapee wiki
Search
User menu
Talk
Dark mode
Contributions
Create account
Log in
Editing
Port knocking
(section)
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
== Disadvantages == Port knocking is totally dependent on the robustness of the port knocking daemon. The failure of the daemon will deny port access to all users and from a usability and security perspective, this is an undesirable [[single point of failure]]. Modern port knocking implementations mitigate this issue by providing a process-monitoring daemon that will restart a failed or stalled port knocking daemon process. Systems that do not use cryptographic hashes are vulnerable to [[IP address spoofing]] attacks. These attacks, a form of [[Denial-of-service attack|Denial of service]], use port knocking functionality to lock out known IP addresses (e.g. administrator management stations) by sending packets with the spoofed IP address to random ports. Servers using static addressing are especially vulnerable to these types of denials of service as their addresses are well known. Port knocking can be problematic on networks exhibiting high latency. Port knocking depends on packets arriving in the correct sequence to access its designed functionality. TCP/IP, on the other hand, is designed to function by assembling out of order packets into a coherent message. In these situations, the only solution is for the client to continue resending the correct sequence of packets on a periodic basis until the sequence is acknowledged by the server. Port knocking cannot be used as the sole authentication mechanism for a server. From a security perspective, simple port knocking relies on [[security through obscurity]]; unintended publication of the knock sequence infers compromise of all devices supporting the sequence. Furthermore, unencrypted port knocking is vulnerable to packet sniffing. A network trace of suitable length can detect the correct knock sequence from a single IP address and thus provide a mechanism for unauthorised access to a server and by extension, the attached network. Once compromised, the log files on the device are a source of other valid knock sequences, revealing another point of failure. Solutions such as treating each knock sequence as a [[one-time password]] defeat the aim of simplified administration. In practice, port knocking must be combined with other forms of authentication that are not vulnerable to [[replay attack|replay]] or [[man-in-the-middle attack|man-in-the-middle]] attacks for the whole system to be effective.
Edit summary
(Briefly describe your changes)
By publishing changes, you agree to the
Terms of Use
, and you irrevocably agree to release your contribution under the
CC BY-SA 4.0 License
and the
GFDL
. You agree that a hyperlink or URL is sufficient attribution under the Creative Commons license.
Cancel
Editing help
(opens in new window)