[cap-talk] Port Knocking

David Hopwood david.nospam.hopwood at blueyonder.co.uk
Wed Feb 7 19:27:50 CST 2007

Jed Donnelley wrote:
> cap-talk,
> I hadn't previously heard of this idea:
> http://en.wikipedia.org/wiki/Port_knocking
> I like it.  In the first blush of newness it seems to have some great 
> properties.
> Mainly that I can keep all ports closed to all hosts - seemingly protecting
> against nearly any sort of attack against potentially buggy server software -
> and then only open up specific ports to specific clients if they knock the
> secret knock.  It would certainly seem to limit, for example, sshd dictionary
> attacks.

I don't see the attraction:

 - it substantially increases the latency of making a connection;

 - it magnifies any unreliability of the network -- all of the packets
   making up the "knock" have to get through correctly;

 - the port sequence can't be hidden from any passive eavesdropper (unless
   you use IPsec, but then why do you need the knock?);

 - judging by "As a stateful system, the port would not open until after the
   correct three-digit sequence had been received *in order*" [emphasis added]
   and the fact that the client receives no acknowledgements at that stage,
   it seems like there is a basic misunderstanding of what packet ordering
   guarantees are (not) given by IP.

David Hopwood <david.nospam.hopwood at blueyonder.co.uk>

More information about the cap-talk mailing list