[cap-talk] Port Knocking
Jed Donnelley
capability at webstart.com
Wed Feb 7 19:52:55 CST 2007
At 05:27 PM 2/7/2007, David Hopwood wrote:
>Jed Donnelley wrote:
>...
> > http://en.wikipedia.org/wiki/Port_knocking
>...
> > ...I can keep all ports closed to all hosts - seemingly protecting
> > against nearly any sort of attack against potentially buggy
> > server software -
> > and then only open up specific ports to specific clients if they knock the
> > secret knock. It would certainly seem to limit, for example,
> > sshd dictionary
> > attacks.
>
>I don't see the attraction:
>
> - it substantially increases the latency of making a connection;
>
> - it magnifies any unreliability of the network -- all of the packets
> making up the "knock" have to get through correctly;
>
> - judging by "As a stateful system, the port would not open until after the
> correct three-digit sequence had been received *in order*"
> [emphasis added]
> and the fact that the client receives no acknowledgements at that stage,
> it seems like there is a basic misunderstanding of what packet ordering
> guarantees are (not) given by IP.
The above seem to me to be performance issues (latency and reliability). Since
I haven't tried any particular implementation I can't comment on the above.
> - the port sequence can't be hidden from any passive eavesdropper (unless
> you use IPsec, but then why do you need the knock?);
If my worst threats came from those doing passive eavesdropping and
those threats weren't any worse than what I now have then I'd be delighted.
Still, you don't mention the client-side software issue that seems to me
the most significant problem with port knocking, though it might be possible
to deal with it.
--Jed http://www.webstart.com/jed/
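To make the two points in this exchange concrete, here is an added Python sketch of the stateful knock tracker the Wikipedia description implies (example code, not from the thread or from any port-knocking implementation). It uses a constructed knock sequence and service port, and shows that the same knock packets delivered in a different order are rejected while a replay of the sequence from any other address is accepted.

```python
from collections import defaultdict

# Constructed values for illustration (not from the thread).
KNOCK_SEQUENCE = (7000, 8000, 9000)
SERVICE_PORT = 22


class KnockDaemon:
    """Per-client knock tracker: all ports closed, service opened to a
    client only after it hits KNOCK_SEQUENCE in order.  The daemon never
    sends anything back, so the client cannot tell whether a knock registered."""

    def __init__(self, sequence=KNOCK_SEQUENCE, service_port=SERVICE_PORT):
        self.sequence = sequence
        self.service_port = service_port
        self.progress = defaultdict(int)  # src address -> index of next expected knock
        self.opened = set()               # src addresses allowed to reach the service

    def observe(self, src, dst_port):
        """Record one (otherwise dropped) packet from src to dst_port."""
        if dst_port == self.sequence[self.progress[src]]:
            self.progress[src] += 1
            if self.progress[src] == len(self.sequence):
                self.opened.add(src)      # full sequence seen in order: open the port
                self.progress[src] = 0
        else:
            # Wrong or out-of-order knock: start over (a correct first knock
            # still counts as the start of a new attempt).
            self.progress[src] = 1 if dst_port == self.sequence[0] else 0

    def accepts(self, src, dst_port):
        """Would the firewall now pass this packet through to the service?"""
        return dst_port == self.service_port and src in self.opened


def run_knocks(ports, src="10.0.0.5", daemon=None):
    """Feed a knock attempt from src and report whether the service is reachable."""
    daemon = daemon or KnockDaemon()
    for p in ports:
        daemon.observe(src, p)
    return daemon.accepts(src, daemon.service_port)
```

Run `run_knocks((7000, 8000, 9000))` against `run_knocks((7000, 9000, 8000))` to see the ordering dependence Hopwood points out: IP gives no guarantee that the second arrival order will not happen on a lossy or multipath network.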