You are on page 1of 10

Port Knocking

Jennifer C. Hou
Department of Computer Science
University of Illinois at Urbana
Port scanning
 A method of probing a computer to see
what ports are open.
 A brute force operation
 One simply tries to establish a connection to
each and every port on the target
 When a connection is established, the caller
makes note of the port number and
continues on.
 The caller can then examine these ports
later to see if any known security holes
Port Knocking
 As long as ports remain open, network applications are
susceptible to attack  ports are initially closed.
 A handful of ports are configured to deny all traffic – no
ICMP error packets are sent back to the connecting
 Users make connection attempts to sequence of closed
ports. All failed connection attempts are logged by the
server-side packet filtering firewall and detected by a
daemon that monitors the firewall log file.
 When a properly formatted knock sequence is received,
firewall rules are manipulated based on the information
content of the sequence.
 Ports 100-109 are configured to deny all traffic.
 ipchains -A input -p tcp -s 0/0 -d IPF/32 100:109 -j
 A user attempts to connect from IPC to the following firewall
ports in sequence: 102,100,100,103.
 From the point of view of the user, the connections fail silently.
 On the firewall, the 102,100,100,103 number sequence has
been recorded.
 Feb 12 00:13:26 ... input DENY eth1 PROTO=6 IPC:64137 IPF:102 ...
 Feb 12 00:13:27 ... input DENY eth1 PROTO=6 IPC:64138 IPF:100 ...
 Feb 12 00:13:27 ... input DENY eth1 PROTO=6 IPC:64139 IPF:100 ...
 Feb 12 00:13:28 ... input DENY eth1 PROTO=6 IPC:64140 IPF:103 ...
 The knock sequence appears in the firewall log.
 A method is needed to monitor the
firewall log file.
 A method is required to extract the
sequence of ports from the log file and
translate them into usable information.
 How to detect a port sequence begins and
 How to correctly detect a port sequence in
the presence of spurious connection
attempts that are not part of the sequence.
Example of
 Ports 100-109 are used to listen to knocks.
 The port sequence is expected to be of the form:
102,100,110 10a,10b,10c,10d 10(a+b+c+d mod 10)
header payload checksum
 The first and last three ports let the port knocking dæmon
know that a sequence is starting and ending.
 The next four ports encode the port (abcd) to be opened.
 For example, if a connection to port 143 is required, the sequence
would be 100,101,104,103.
 The final element in the sequence is a checksum that validates
the sequence payload.
 In this example, the checksum is 8 (1+4+3 mod 10).
 The full sequence would be 102,100,103 100,101,104,103
108 103,100,102.
Example of
 When this sequence is detected, port 143 would be
made available to the incoming IP address.
 If the port is open already, the knock would rendered it
 The knock can be extended to include additional
information, such as an anticipated session length, that
can be used to close the port after a set amount of
Mapping with Encryption
 The information contained in the knock
sequence can be encrypted to provide an
additional measure of security.
 Example:
 256 ports are allocated and logged.
 A knock map of the form
remote IP port time checksum
is used where the remote IP, port, time and
checksum (sum of other fields mod 255) are
 The encrypted string can be mapped onto eight
unsigned chars using, for example, Perl's
pack("C*",STRING) command.
 Port knocking provides a stealthy method of
authentication and information transfer to a
host that has no open ports.
 It is not possible to determine successfully
whether the machine is listening for knock
 It is unlikely that the form of connection
attempts would be detected by monitoring
 A sequence can corresponds to a request that
a port be opened for a specific length of time
and then closed.
 Performance penality: use of port
knocking imposes an overhead for each
 A number of ports have to be allocated
for exclusive use by port knocking.
 In the case that no ports are initially
open, if the listening daemon fails or is
not able to interpret the knocks
correctly, it becomes impossible to
conect remotely to the host.