Closed Port Authentication with Port Knocking
Phil Lunsford, Evan C. Wright
East Carolina University, Greenville, NC
Abstract
Port knocking is a promising new technology to further secure remote services. This technology
can be used to keep all TCP ports closed until a user has authenticated with a port knock
sequence. During the port knock sequence all ports remain closed, thus rendering the server
invisible to any malicious port scans. After a valid knock sequence has been verified by the
system, a predetermined TCP or UDP port is opened allowing for a standard connection for a
predefined service. This allows an extra layer of authentication at the transport layer without
requiring changes to the application. A review of the current implementations is given.
Introduction
The addressing scheme of IPv4 assigns a unique 32-bit IP address to each network interface. In
addition to the IP address, 16-bit port numbers are used to establish logical connections for the
transmission of data. A given packet travelling from a source to a destination therefore carries
two IP addresses, source and destination, and two port numbers, source and destination. Most
applications exchange data in a client/server architecture: one machine is the server and the
other is the client. When the client requests data from a server, the destination port number in
the requesting packet determines the service. For example, for a web browser running on a
client computer to access a web page, a TCP segment with destination port 80 is sent to the
server. The association of well known services with port numbers is maintained by IANA [1].
Each of the well known ports can be thought of as a door behind which a certain service resides.
The two IP addresses and the two port numbers taken together (the socket pair) identify an
end-to-end logical connection between two devices.
TCP connections are established with a three-way handshake as shown in Figure 1. The client
initiates the connection with a synchronize (SYN) segment. The server responds with a SYN-ACK
segment that requests synchronization with the client and also acknowledges (ACK) the initial
SYN. The final part of the handshake is an ACK segment that the client sends to the server.
This handshake provides a robust method of establishing a connection but also allows anonymous
information gathering. Programs such as NMAP [2] send SYN packets and other packet types that
normally elicit some sort of reply. These replies are analyzed to answer questions such as "Is
there a powered-on device at this IP address?", "What services are offered on the machine?", and
even "What operating system is running?". This information can be gathered automatically and
used to plan a malicious attack, or it may be used directly by malware to launch attempts at
compromising the identified machines. Server ports can be kept closed, in which case the host
answers with a response denying the connection (for TCP, a reset), or they can be configured to
drop incoming packets, effectively not responding to any packet, which is often referred to as
"stealth" mode. A server with all ports in stealth mode is invisible to malicious scans, but of
course it is not normally able to offer any services. Unfortunately, the configuration defaults of
many operating systems leave ports open. For instance, in Microsoft Windows the file sharing port
is open by default. Network devices such as routers also often have ports open by default, which
simplifies creating a working configuration but at the detriment of security.
Proceedings of the 2005 American Society for Engineering Education Annual Conference & Exposition
Copyright © 2005, American Society for Engineering Education
Figure 1. TCP Three-way Handshake: (1) SYN, initial request from client to server; (2) SYN-ACK,
response from server to client; (3) ACK, response from client to server.
Port knocking is a technique suggested as early as February 2003 [3] and has been well documented
online by Krzywinski [4,5]. The technique adds another layer of authentication and reduces the
information available to malicious scans. A basic implementation of port knocking is shown in
Figure 2. All ports are initially in stealth mode. To obtain a service, a client must first send
a predefined sequence of SYN packets (or packets of another predefined type) to the server. The
port numbers used, the order in which they arrive, and the time period within which they arrive
determine whether the knock sequence is valid. Sequences received in the wrong order or
containing the wrong port numbers are not recognized as a valid knock sequence, and neither are
sequences that do not complete within the predefined time interval. When a valid sequence is
received, a predetermined port is opened and the client can then establish a connection for that
service. Since every knock packet carries the client's source IP address, the server has the
information it needs to open the port exclusively for the knocking client. This technique lets
the server normally remain in stealth mode while still allowing trusted connections, effectively
adding a layer of authentication to the system.
Figure 2. Port Knock sequence followed by socket establishment with TCP Three-way Handshake.
First knock: SYN from client to server, no response from server. Second knock: SYN from client
to a different server port, no response from server. Last knock: SYN from client to a different
server port, again no response, but the server configuration is changed to open the predefined
port to the client. The client then sends a SYN to the opened port, the server replies with a
SYN-ACK, and the client completes the handshake with an ACK.
No.  Time      Source        Destination   Protocol  Info
1    0.000000  192.168.1.14  192.168.1.3   TCP       32904 > 10000 [SYN]
2    0.000088  192.168.1.14  192.168.1.3   TCP       32905 > 11000 [SYN]
3    0.000213  192.168.1.14  192.168.1.3   TCP       32906 > 12000 [SYN]
4    0.000272  192.168.1.14  192.168.1.3   TCP       32907 > 11000 [SYN]
5    0.000372  192.168.1.14  192.168.1.3   TCP       32908 > 10000 [SYN]
Figure 3. Output from Ethereal Showing Port Knock Sequence.
The major flaw in basic port knocking is its susceptibility to a replay attack. This attack
consists of monitoring the traffic to the server and then resending the captured knocks from a
malicious client at a later time. Since a port knock consists of unicast connection attempts from
one host to another, all of the information needed is readily available to anyone who can monitor
the network traffic. Figure 3 shows the output of the Ethereal [6] network protocol analyzer from
a capture taken during a port knock sequence. The capture plainly reveals the knock sequence to
be 10000, 11000, 12000, 11000, 10000, and it illustrates the obvious flaw in simple port knocking:
the sequence can be replayed by anyone who can observe traffic on the path to the server, for
example a host on the same LAN, or a malicious user with administrator access to a computer or
other network device connected to that LAN. Nothing in the captured packets ties the sequence to
the original client other than its source address, and a replaying host simply supplies its own.
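The knock recogniser sketched in Figure 2, fed with the capture from Figure 3, as an added example (this is illustrative code, not from the paper or from any knocking daemon it reviews). It enforces port order and a time window per source address, and then shows the replay described above: the same five SYNs, re-sent an hour later from another address, open the port just the same. The sequence, addresses and timestamps are those of Figure 3; the 5 second window, the port-22 target, and the `KnockServer` / `observe_syn` names are assumptions.

```python
"""Added example (not from the paper): a minimal server-side knock recogniser
of the kind Figure 2 describes, driven by the Ethereal capture in Figure 3,
and the replay that defeats it.  Sequence, addresses and timestamps come
from Figure 3; the 5 s window and the port-22 target are assumptions."""
import re

KNOCK_SEQUENCE = (10000, 11000, 12000, 11000, 10000)  # as captured in Figure 3
SEQ_TIMEOUT = 5.0    # assumed: the whole sequence must arrive within 5 s
SERVICE_PORT = 22    # assumed: the port opened for a successful knocker

# One Ethereal/Wireshark summary line per SYN, in the format of Figure 3
LINE_RE = re.compile(
    r"^\s*\d+\s+([\d.]+)\s+([\d.]+)\s+[\d.]+\s+TCP\s+\d+ > (\d+) \[SYN\]")

# The five packets of Figure 3, reproduced from the paper
CAPTURE = """\
1 0.000000 192.168.1.14 192.168.1.3 TCP 32904 > 10000 [SYN]
2 0.000088 192.168.1.14 192.168.1.3 TCP 32905 > 11000 [SYN]
3 0.000213 192.168.1.14 192.168.1.3 TCP 32906 > 12000 [SYN]
4 0.000272 192.168.1.14 192.168.1.3 TCP 32907 > 11000 [SYN]
5 0.000372 192.168.1.14 192.168.1.3 TCP 32908 > 10000 [SYN]
"""


def parse_capture(text):
    """Yield (time, src_ip, dst_port) for each SYN summary line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield float(m.group(1)), m.group(2), int(m.group(3))


class KnockServer:
    """Per-source progress through the sequence; only order and timing
    are checked, which is all a basic knock daemon has to go on."""

    def __init__(self, sequence=KNOCK_SEQUENCE, timeout=SEQ_TIMEOUT):
        self.sequence = sequence
        self.timeout = timeout
        self.state = {}    # src_ip -> (index of next expected knock, time of first knock)
        self.opened = []   # (src_ip, port) pairs a firewall rule was added for

    def observe_syn(self, ts, src_ip, dst_port):
        """Feed one SYN; return True when it completes a valid sequence."""
        idx, t0 = self.state.get(src_ip, (0, ts))
        if idx > 0 and ts - t0 > self.timeout:   # window expired: start over
            idx, t0 = 0, ts
        if dst_port == self.sequence[idx]:        # the expected knock
            idx += 1
        elif dst_port == self.sequence[0]:        # wrong knock, but a fresh start
            idx, t0 = 1, ts
        else:                                     # wrong port: sequence is void
            idx = 0
        if idx == len(self.sequence):
            self.opened.append((src_ip, SERVICE_PORT))  # stand-in for the iptables call
            self.state.pop(src_ip, None)
            return True
        self.state[src_ip] = (idx, t0)
        return False


def run_capture(server, text, shift=0.0, src_override=None):
    """Replay a capture into the server, optionally re-timed and re-sourced,
    which is exactly what an attacker who sniffed Figure 3 would do."""
    return [server.observe_syn(ts + shift, src_override or src, dport)
            for ts, src, dport in parse_capture(text)]


def demo():
    srv = KnockServer()
    legit = run_capture(srv, CAPTURE)                          # the real client
    replay = run_capture(srv, CAPTURE, shift=3600.0,
                         src_override="192.168.1.99")          # attacker, an hour later
    # Probing the same ports in a different order never completes the sequence
    scan = [srv.observe_syn(7200.0 + 0.01 * i, "192.168.1.50", p)
            for i, p in enumerate((10000, 11000, 12000, 12000, 11000, 10000))]
    return legit[-1], replay[-1], any(scan), srv.opened
```

Run `demo()`: the legitimate client and the replaying attacker both end up in `opened`, while the out-of-order probe does not. The recogniser has no way to distinguish the two, which is the whole of the replay problem; the later sections describe schemes that replace the fixed sequence with a token that is only valid once.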
Implementations
Various implementations are available, but most are for Linux/UNIX systems only. Programming
languages used include C, C++, Perl, Java, BASH, and Python. Implementations and variations
are being released very quickly; for a current summary of port knocking implementations, see
Martin Krzywinski's web site, www.portknocking.org.
Released by Vinet [7], the knockd daemon for Linux/Unix systems provides a simple, easily
configurable port knocking scheme. Like most implementations, it relies on the iptables packet
filter in the kernel, so a software firewall is already in place on the system. The knockd
daemon watches incoming connection attempts and automatically changes the firewall rules when a
valid knock sequence is detected. The knock sequence is defined in a file named knockd.conf,
located in the directory of compilation or in the /etc directory. This implementation currently
suffers from the vulnerability to replay attacks. For basic implementations like knockd, we
recommend a fairly long knock sequence of 20 or more knocks, with several ports repeated within
the sequence. A long sequence with repeats makes it far less likely that a port scanning program,
which typically probes each port once, will accidentally trip a valid knock sequence and open a
port.
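A knockd.conf in the style this paragraph describes, added here as an example (it is not taken from the paper or from the knockd distribution; the directive names are knockd's own, while the sequences, the SSH target, the timeouts and the log path are assumptions). It assumes an INPUT chain that accepts established traffic and drops everything else, so that the inserted ACCEPT rule is what lets the knocking host through:

```ini
[options]
    logfile = /var/log/knockd.log

# Open SSH for the knocking host only; %IP% expands to the knocker's source
# address.  Insert (-I) rather than append (-A) so the rule lands ahead of
# the chain's final DROP.  The paper recommends 20 or more knocks with
# repeated ports; this eight-knock sequence is shortened for illustration.
[openSSH]
    sequence    = 10000,11000,12000,11000,10000,12000,10000,11000
    seq_timeout = 15
    tcpflags    = syn
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

# A different sequence removes the rule again when the session is finished.
[closeSSH]
    sequence    = 12000,10000,11000,10000
    seq_timeout = 15
    tcpflags    = syn
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
```

The client side can be the knock program shipped with knockd (`knock server 10000 11000 12000 ...`) or anything that emits one SYN per port. Because both sequences are fixed, this configuration protects against accidental opening by a scan, not against the replay of a captured sequence; the one-time schemes discussed below address that.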
Strictly speaking, port knocking in its simplest form cannot be encrypted: the port numbers are
carried in the TCP header, which remains in clear text. Variations of port knocking have been
developed that move the authentication token from a sequence of knocks into the payload of a UDP
packet. Some authors do not consider this true port knocking, since there is no knock sequence,
but the idea of keeping ports closed and opening them selectively only under conditions triggered
by incoming packets is common to both methods, and both can be referred to as "IP over closed
ports". One such early implementation, cryptknock [8], uses an SSL-like data exchange to prevent
replay attacks, the main vulnerability of basic port knocking. Cryptknock uses symmetric
encryption with the RC4 algorithm to encrypt a password (RC4 has since been shown to be weak and
should not be chosen for a new design). With symmetric encryption the one caveat is that the key
must remain secret and be known to both the client and the server; cryptknock uses a
Diffie-Hellman key exchange to establish a session key, which is then used to encrypt the secret
password. Key to the implementation is the use of the libpcap library to listen to all incoming
packets regardless of header information such as the destination port number. With libpcap a
packet can be inspected before the firewall rules are applied, so the port the knock is sent to
never has to be open. UDP was chosen in lieu of TCP because of its connectionless, low-overhead
nature, so no three-way handshake is needed. Since cryptknock does not use a certificate
authority to authenticate the exchanged Diffie-Hellman values, the known weaknesses [9,10] of
unauthenticated Diffie-Hellman key exchange apply: an attacker positioned between client and
server can complete a separate key exchange with each side and decrypt the password in transit.
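The exchange the paragraph describes, and the man-in-the-middle it admits, as an added example. This is illustrative code written for this page, not cryptknock's source, and it makes no claim about cryptknock's actual message format, modulus or key derivation, all of which are assumptions here; RC4 is included only because the paper names it, and the modulus is a toy chosen so the arithmetic runs instantly.

```python
"""Added example, not cryptknock's code: the structure of the exchange the
paper describes (unauthenticated Diffie-Hellman, session key, RC4-encrypted
password) and the man-in-the-middle it admits.  The message layout, the
modulus and the key derivation are assumptions made for illustration."""
import hashlib
import secrets

# Toy modulus: 2^521 - 1 is prime, so the arithmetic is real, but p - 1 is
# smooth and this is NOT a usable DH group.  A deployment would use a
# standard safe-prime group.  (Assumption; not cryptknock's parameters.)
P = 2**521 - 1
G = 3


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA), present only because the paper names it.
    RC4 is broken; do not use it in new designs."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


class Party:
    """One side of a Diffie-Hellman exchange; nothing here proves identity."""

    def __init__(self):
        self.x = secrets.randbelow(P - 2) + 1       # private exponent in [1, p-2]
        self.public = pow(G, self.x, P)             # g^x mod p, sent in the clear

    def session_key(self, peer_public: int) -> bytes:
        shared = pow(peer_public, self.x, P)        # (g^y)^x = g^xy
        return hashlib.sha256(shared.to_bytes(66, "big")).digest()


def honest_exchange(client, server, password: bytes) -> bytes:
    """Client and server see each other's real public values."""
    k_client = client.session_key(server.public)
    k_server = server.session_key(client.public)
    return rc4(k_server, rc4(k_client, password))   # server's view of the password


def mitm_exchange(client, server, mallory, password: bytes):
    """Mallory sits on the path and swaps in her own public value both ways.
    Each side now shares a key with Mallory, not with each other; she reads
    the password and re-encrypts it so the server sees a normal login."""
    k_client = client.session_key(mallory.public)     # client believes this is the server
    k_m_client = mallory.session_key(client.public)
    k_m_server = mallory.session_key(server.public)
    k_server = server.session_key(mallory.public)     # server believes this is the client
    on_the_wire = rc4(k_client, password)
    stolen = rc4(k_m_client, on_the_wire)             # Mallory decrypts
    relayed = rc4(k_m_server, stolen)                 # and re-encrypts for the server
    return rc4(k_server, relayed), stolen


def demo(password: bytes = b"hunter2"):
    seen_by_server = honest_exchange(Party(), Party(), password)
    seen_by_server_mitm, stolen = mitm_exchange(Party(), Party(), Party(), password)
    return seen_by_server, seen_by_server_mitm, stolen
```

In both runs the server recovers the correct password and opens the port; in the second run Mallory holds it too, and nothing in the protocol lets either side notice. The remedy is to authenticate the public values, either with a certificate or signature (the certificate-authority point made in the text) or, in a setting where the client and server already share the password, by binding the exchange to that shared secret with a MAC rather than merely encrypting the password under the unauthenticated key.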
CÖK: Cryptographic One Time Knocks, released by David Worth [11] in Java, adds a further layer of
complexity by dynamically changing the authentication token, using one-time passwords to encrypt
the information in a UDP packet. The payload of the UDP packet still triggers a port to be opened,
but the payload changes for each knock, using the well-known one-time password methods of S/Key
(RFC 1760) or OTP (RFC 2289). Because a used token is never valid again, Worth points out that
replay attacks can be easily detected and action can be taken against the attacker if warranted.
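One-time knock tokens built on an S/Key-style hash chain, as an added example (this is illustrative code, not CÖK's source; it follows the chain structure of RFC 1760/2289 but substitutes SHA-256 for their folded 64-bit hashes, and the seed, secret, chain length and class names are assumptions). The server stores only the last accepted chain value, so a captured datagram is useless a second time and a repeat is recognisable as a replay rather than as random noise:

```python
"""Added example, not CÖK's code: one-time knock payloads from an S/Key-style
hash chain.  SHA-256 stands in for the folded hashes of RFC 1760/2289; the
seed, secret and chain length below are constructed for the demonstration."""
import hashlib


def chain(secret: bytes, seed: bytes, n: int) -> bytes:
    """value_0 = H(seed || secret); value_i = H(value_{i-1}); returns value_n."""
    value = hashlib.sha256(seed + secret).digest()
    for _ in range(n):
        value = hashlib.sha256(value).digest()
    return value


class OtpKnockServer:
    """Holds the last accepted chain value and never sees the secret."""

    def __init__(self, enrolled_value: bytes, count: int):
        self.last_value = enrolled_value   # value_N, handed over at enrolment
        self.remaining = count             # tokens left before re-enrolment is needed
        self.consumed = set()              # tokens already accepted
        self.opened = []                   # source addresses a port was opened for
        self.replays = []                  # (src_ip, token) seen a second time

    def knock(self, src_ip: str, payload: bytes) -> bool:
        """payload is the UDP datagram body: the next value down the chain."""
        if payload in self.consumed:       # same token again: a replay, attributable to src_ip
            self.replays.append((src_ip, payload))
            return False
        if self.remaining == 0 or hashlib.sha256(payload).digest() != self.last_value:
            return False                   # bogus token, or chain exhausted
        self.consumed.add(payload)
        self.last_value = payload          # the chain moves one step down
        self.remaining -= 1
        self.opened.append(src_ip)         # stand-in for the firewall change
        return True


class OtpKnockClient:
    """Recomputes the chain from the secret each time; stores no token list."""

    def __init__(self, secret: bytes, seed: bytes, count: int):
        self.secret, self.seed, self.remaining = secret, seed, count

    def next_payload(self) -> bytes:
        if self.remaining == 0:
            raise RuntimeError("chain exhausted; re-enrol with a new seed")
        self.remaining -= 1
        return chain(self.secret, self.seed, self.remaining)


def enrol(secret: bytes, seed: bytes, count: int):
    """Enrolment: the client computes value_N once and gives only that to the server."""
    return (OtpKnockServer(chain(secret, seed, count), count),
            OtpKnockClient(secret, seed, count))


def demo():
    server, client = enrol(b"correct horse battery staple", b"knock-seed-01", 3)
    first_payload = client.next_payload()
    first = server.knock("192.168.1.14", first_payload)
    replay = server.knock("192.168.1.99", first_payload)   # sniffed on the LAN, replayed
    second = server.knock("192.168.1.14", client.next_payload())
    third = server.knock("192.168.1.14", client.next_payload())
    return first, replay, second, third, server.replays, server.remaining
```

The server verifies each token with one hash and a comparison, so it is cheap to check and, unlike a decrypt-first design, gives an attacker little to exhaust. The costs are the ones the text implies: the chain is finite and must be re-enrolled, and both sides have to keep the same counter, which a lost datagram can throw off.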
Fwknop, released by Michael Rash [12], adds OS detection (system fingerprinting [13]) so that only
a client running a particular operating system and version is allowed. Active OS detection is
commonly used by network exploration tools such as NMAP and XPROBE2 to determine what operating
system a computer is running. Fwknop instead uses passive OS fingerprinting, that is, fingerprinting
from the packets the client sends anyway, without extra probing packets. One commonly distinctive
part of an operating system is its random number generator, which is normally used to create the
initial sequence numbers when a network connection is first established; the values it produces
show patterns characteristic of the operating system [13], and these patterns, together with other
header fields, can be used to identify the operating system running on the client. Combining
system fingerprinting with standard port knocking requires an authenticating client to match not
only a specific knock sequence but also a particular OS fingerprint. Note that the fingerprint is a
property of the client's TCP/IP stack rather than a secret, so it raises the bar for a replaying
attacker only when the attacker's own stack differs from the legitimate client's.
In May of 2004 Cappella and Keong [14] released a scheme to strengthen the resistance to replay
attacks and man-in-the-middle attacks. In this scheme, the server maintains a list of
username/password tuples. For a port to be opened, the following takes place in order:
1. The client creates a random port-knock sequence and encrypts it with the user's password.
This sequence includes not only the port numbers to be used, in order, but also predefined 32-bit
initial sequence numbers (ISNs). This information, along with the username, is sent to the server
in a UDP packet, P1. The username is in plain text, but the rest of the information is encrypted.
2. The server decrypts P1 and waits for the client to send the port knock sequence.
3. The client sends the port knock sequence.
4. The client sends another encrypted UDP packet, P2, which requests the status of the port
knock.
5. After receiving the port knock sequence and P2, the server opens a random port (for the
client IP only) and uses port forwarding to provide the requested service. The server also
sends an encrypted UDP packet, P3, that gives the client the port number.
6. The client receives and decrypts P3 and initiates the appropriate socket.
Note that port forwarding is different from port triggering. Port triggering is currently available
on low-end NAT firewalls: a connection initiated by a client on the inside to an outside server
automatically causes connections from that outside server to be forwarded to the initiating inside
client. Port forwarding, on the other hand, is just the automatic translation of a port number to
a different number as the packet passes through a firewall or interface.
To resist replay attacks, a time stamp value is included in P1, P2, and P3. For any of these
packets to be considered valid, its time stamp must be later than that of the last packet received
from that client. Cappella and Keong's first scheme has the disadvantage of being computationally
resource intensive on reception of the first packet, since P1 must be decrypted before anything is
known about the sender. To try to protect against resource starvation attacks, incoming packets
are vetted before being processed.
In June of 2004, Cappella and Keong released another port knocking scheme [15] to strengthen the
attack resistance. The May implementation had the limitations of sending the user name in clear
text, of being somewhat susceptible to computational resource starvation attacks, of relying on
the client's random number generator, and of the weakness of the time stamp technique for
preventing replay attacks. The new implementation requires that the client maintain a current
one-time port/ISN knock sequence in addition to the username/password tuple. The currently valid
knock sequence can be stored encrypted on the client's disk under the username/password hash. In
this scheme, the following sequence takes place:
1. The client sends the current port/ISN knock sequence to the server.
2. Upon receipt of a valid knock sequence, the server opens a random port to the knocking
client and forwards it appropriately. The server also sends a single encrypted UDP packet to the
client that contains the port number to use and a new port/ISN knock sequence, which the client
stores and uses for the next connection attempt. Because each sequence is valid exactly once, a
captured sequence is of no use to a replaying attacker.
Advantages
The main advantage of port knocking is the ability to hide a server from scanning; port scanning
is a powerful tool when used for malicious information gathering. The second advantage of port
knocking is that it adds another form of authentication, and thus another layer of security, to
the network. Advanced port knocking techniques use encryption to provide strong authentication,
provided the client and server keep the username, password, and other parameters secure. The
primary use of port knocking is at a firewall, but sensitive servers within an enterprise can also
be considered candidates, to thwart malicious scanning and malicious connection attempts from a
compromised machine behind the firewall.
Disadvantages
Port knocking adds yet another layer of complexity to the process of connecting to a server,
which can hinder troubleshooting of network problems. Additionally, clients need some way to
send the knock sequence. This can be as simple as a standard telnet program, or it can be a
separate dedicated program that must be maintained on the client. As with any authentication
scheme, information (e.g. passwords, sequence numbers) must be kept secret for the system to be
secure.
Since the server implementation automatically changes firewall rules, care must be taken to use
reliable, well tested code. If a knock daemon fails or does not work correctly, the system could
be unreachable or more easily compromised. Simple implementations of port knocking cannot
discriminate well between clients behind the same NAT firewall, since they share one source
address and a port opened for the knocker is opened for all of them. Implementations that use
encryption can be more susceptible to compute resource starvation attacks.
Lastly, knock integrity can be compromised in a congested network. If the knock sequence leaves
the client in the proper order but an intermediate packet is delayed, resulting in out-of-order
arrival, the server will read the knock as invalid. Sequences with a large number of knocks can
take up to a minute to execute [16]. Finally, as pointed out by Tony Bradley [18], malware authors
can use the same technique to hide back doors inserted into compromised machines.
Conclusions
Port knocking and its variations seem to be a promising technology to add a layer of security to
any networked system. The main advantage is the ability to provide services but reduce
malicious information gathering capabilities. It also provides an added layer of authentication to
a system without the need to modify the existing applications. Although in its infancy, the
technology may quickly develop and be integrated into operating systems and network devices if
standards can be developed and adopted by the security community.
BIBLIOGRAPHIC INFORMATION
1. IANA, "Port Numbers", http://www.iana.org/assignments/port-numbers
2. NMAP, http://www.insecure.org/nmap/
3. "Port Knocking for Added Security", Slashdot.org, February 5 2003, downloaded from
http://slashdot.org/articles/04/02/05/1834228.shtml?tid=126&tid=172
4. Krzywinski, M., "Port Knocking: Network Authentication Across Closed Ports", SysAdmin Magazine,
vol. 12, June 2003, pp. 12-17.
5. http://www.portknocking.org/
6. Ethereal, http://www.ethereal.com/
7. Vinet, J., "Knockd: A Simple Port-Knocking Daemon", May 07 2004, http://www.zeroflux.org/knock/
8. Walko, J., "Cryptknock", SourceForge, June 2004, downloaded from http://cryptknock.sourceforge.net/
9. Raymond, J.-F. and Stiglic, A., "Security Issues in the Diffie-Hellman Key Agreement Protocol",
IEEE Trans. on Information Theory, pp. 1-17, 1998.
10. Bresson, E., Chevassut, O., and Pointcheval, D., "The Group Diffie-Hellman Problems", Workshop
on Selected Areas in Cryptography 2002 (15-16 August 2002, St. John's, Newfoundland, Canada),
H. Heys and K. Nyberg, Eds., Springer-Verlag, LNCS 2595, pp. 325-338.
11. Worth, D., "CÖK – Cryptographic One-Time Knocking", Black Hat USA 2004.
12. Rash, M., "fwknop: the Firewall Knock Operator", released at DEF CON 12, July 2004, Las Vegas, NV.
13. Nazario, J., "Passive System Fingerprinting using Network Client Applications", CrimeLabs
Research, January 2001, downloaded from http://www.crimelabs.net/docs/passive.pdf
14. Cappella and Keong, T.C., "Remote Server Management Using Dynamic Port Knocking and
Forwarding", Special Interest Group in Security and Information Integrity, May 2004, downloaded
from http://www.security.org.sg/code/portknock1.html
15. Cappella and Keong, T.C., "Remote Server Management With One-Time Port Knocking (OTPK)",
Special Interest Group in Security and Information Integrity, June 2004, downloaded from
http://www.security.org.sg/code/portknock2.html
16. Narayanan, A., "A critique of port knocking", NewsForge, August 2004, downloaded from
http://software.newsforge.com/article.pl?sid=04/08/02/1954253
17. Graham-Cumming, J., "Practical secure port knocking", Dr. Dobb's Journal, vol. 29, issue 11,
November 2004, pp. 51-53.
18. Bradley, T., "Port Knocking", About.com, downloaded from
http://netsecurity.about.com/cs/generalsecurity/a/aa032004.htm
BIOGRAPHICAL INFORMATION
Phil Lunsford received a B.S. in Electrical Engineering and an M.S. in Electrical Engineering from Georgia
Institute of Technology and a Ph.D. in Electrical Engineering from North Carolina State University. He is a
registered professional engineer and is currently an Assistant Professor at East Carolina University. His research
interests include system simulation and network security.
Evan C. Wright, CCNP, CCNA, Security+, Network+, A+, has over 9 years of experience with IP-based
computer networks. Evan is currently the network administrator at ABCPhones of North Carolina and a senior at
East Carolina University. Evan's areas of interest include large-scale routing environments, migration to open
source alternatives, and information security.