[cap-talk] Port Knocking
David Hopwood
david.nospam.hopwood at blueyonder.co.uk
Wed Feb 7 19:27:50 CST 2007
Jed Donnelley wrote:
> cap-talk,
>
> I hadn't previously heard of this idea:
>
> http://en.wikipedia.org/wiki/Port_knocking
>
> I like it. In the first blush of newness it seems to have some great
> properties.
>
> Mainly that I can keep all ports closed to all hosts - seemingly protecting
> against nearly any sort of attack against potentially buggy server software -
> and then only open up specific ports to specific clients if they knock the
> secret knock. It would certainly seem to limit, for example, sshd dictionary
> attacks.
I don't see the attraction:
- it substantially increases the latency of making a connection;
- it magnifies any unreliability of the network -- all of the packets
making up the "knock" have to get through correctly;
- the port sequence can't be hidden from any passive eavesdropper (unless
you use IPsec, but then why do you need the knock?);
- judging by "As a stateful system, the port would not open until after the
correct three-digit sequence had been received *in order*" [emphasis added]
and the fact that the client receives no acknowledgements at that stage,
it seems like there is a basic misunderstanding of what packet ordering
guarantees are (not) given by IP.
--
David Hopwood <david.nospam.hopwood at blueyonder.co.uk>
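The following is an added simulation, not code from David Hopwood or from the cap-talk thread, illustrating two of the objections above: a stateful knock daemon that requires the sequence in order (so it fails when the network reorders or drops a knock packet, and the client never learns which step failed because nothing is acknowledged), and a passive eavesdropper that recovers the sequence from a capture and replays it. The three-port knock (7000, 8000, 9000), the protected port 22, the addresses and the capture are all constructed for the example.

```python
"""Simulation of in-order port knocking versus reordering, loss and eavesdropping."""
from collections import defaultdict

# Constructed example knock sequence and protected service port (assumptions, not from the page).
SECRET_KNOCK = (7000, 8000, 9000)
PROTECTED_PORT = 22


class KnockDaemon:
    """Stateful knock daemon: per source address it remembers how far through
    SECRET_KNOCK the client has come. The sequence must arrive strictly in order;
    a packet to any other port resets progress. Nothing is sent back to the client."""

    def __init__(self, sequence, protected_port=PROTECTED_PORT):
        self.sequence = tuple(sequence)
        self.protected_port = protected_port
        self.progress = defaultdict(int)   # src_ip -> index of next expected port
        self.allowed = set()               # src_ips for which protected_port is open

    def handle_packet(self, src_ip, dst_port):
        expected = self.sequence[self.progress[src_ip]]
        if dst_port == expected:
            self.progress[src_ip] += 1
            if self.progress[src_ip] == len(self.sequence):
                self.allowed.add(src_ip)
                self.progress[src_ip] = 0
        elif dst_port == self.sequence[0]:
            # Wrong port, but it is the first knock: treat it as a fresh attempt.
            self.progress[src_ip] = 1
        else:
            self.progress[src_ip] = 0
        # No acknowledgement: the client cannot tell whether this step was accepted.

    def is_open(self, src_ip):
        return src_ip in self.allowed


def run_knock(daemon, src_ip, ports_as_received):
    """Deliver knock packets to the daemon in the order the network delivered them
    (which need not be the order the client sent them) and report whether the
    protected port opened for src_ip."""
    for port in ports_as_received:
        daemon.handle_packet(src_ip, port)
    return daemon.is_open(src_ip)


def recover_knock(capture, client_ip, protected_port=PROTECTED_PORT):
    """Passive eavesdropper: given a capture of (src_ip, dst_port) SYNs, return the
    ports client_ip hit, in order, before it connected to the protected port.
    Returns None if the client never reached the protected port in the capture."""
    knock = []
    for src, dst in capture:
        if src != client_ip:
            continue
        if dst == protected_port:
            return tuple(knock)
        knock.append(dst)
    return None


# Constructed capture: the legitimate client's knock, with an unrelated packet mixed in.
CAPTURE = [
    ("10.0.0.5", 7000),
    ("203.0.113.7", 80),
    ("10.0.0.5", 8000),
    ("10.0.0.5", 9000),
    ("10.0.0.5", PROTECTED_PORT),
]


def demo():
    """Return a dict of outcomes for the scenarios discussed in the thread."""
    in_order = run_knock(KnockDaemon(SECRET_KNOCK), "10.0.0.5", [7000, 8000, 9000])
    reordered = run_knock(KnockDaemon(SECRET_KNOCK), "10.0.0.5", [7000, 9000, 8000])
    one_lost = run_knock(KnockDaemon(SECRET_KNOCK), "10.0.0.5", [7000, 9000])
    recovered = recover_knock(CAPTURE, "10.0.0.5")
    replayed = run_knock(KnockDaemon(SECRET_KNOCK), "198.51.100.9", list(recovered))
    return {
        "in_order_opens": in_order,
        "reordered_opens": reordered,
        "one_lost_opens": one_lost,
        "recovered_sequence": recovered,
        "replay_by_eavesdropper_opens": replayed,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The reordered and lossy cases fail silently: the daemon's state is simply reset, and since no acknowledgement is sent the client has no way to know which knock was delivered, so its only option is to wait and retry the whole sequence, which is where the latency and amplified unreliability come from. The capture case shows that the knock sequence, being sent in the clear, is simply a second password visible to anyone on the path.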