Port Knocking - PowerPoint PPT Presentation

Slides: 11
Provided by: jennif69
Transcript and Presenter's Notes

1
Port Knocking
  • Jennifer C. Hou
  • Department of Computer Science
  • University of Illinois at Urbana-Champaign

2
Port scanning
  • A method of probing a computer to see what ports
    are open.
  • A brute force operation
  • One simply tries to establish a connection to
    each and every port on the target computer.
  • When a connection is established, the caller
    makes note of the port number and continues on.
  • The caller can then examine these ports later to
    see if any known security holes exist.

3
Port Knocking
  • As long as ports remain open, network
    applications are susceptible to attack → ports
    are initially closed.
  • A handful of ports are configured to deny all
    traffic; no ICMP error packets are sent back to
    the connecting client.
  • Users make connection attempts to a sequence of
    closed ports. All failed connection attempts are
    logged by the server-side packet filtering
    firewall and detected by a daemon that monitors
    the firewall log file.
  • When a properly formatted knock sequence is
    received, firewall rules are manipulated based on
    the information content of the sequence.

4
Example
  • Ports 100-109 are configured to deny all traffic.
  • ipchains -A input -p tcp -s 0/0 -d IPF/32 100:109
    -j DENY -l
  • A user attempts to connect from IPC to the
    following firewall ports in sequence:
    102,100,100,103.
  • From the point of view of the user, the
    connections fail silently.
  • On the firewall, the 102,100,100,103 number
    sequence has been recorded.
  • Feb 12 00:13:26 ... input DENY eth1 PROTO=6
    IPC:64137 IPF:102 ...
  • Feb 12 00:13:27 ... input DENY eth1 PROTO=6
    IPC:64138 IPF:100 ...
  • Feb 12 00:13:27 ... input DENY eth1 PROTO=6
    IPC:64139 IPF:100 ...
  • Feb 12 00:13:28 ... input DENY eth1 PROTO=6
    IPC:64140 IPF:103 ...
  • The knock sequence appears in the firewall log.

5
Implementation
  • A method is needed to monitor the firewall log
    file.
  • A method is required to extract the sequence of
    ports from the log file and translate them into
    usable information.
  • How to detect where a port sequence begins and ends.
  • How to correctly detect a port sequence in the
    presence of spurious connection attempts that are
    not part of the sequence.

6
Example of Implementation
  • Ports 100-109 are used to listen to knocks.
  • The port sequence is expected to be of the form:
      102,100,110   10a,10b,10c,10d   10(a+b+c+d mod 10)   110,100,102
      header        payload           checksum             footer
  • The first and last three ports let the port
    knocking dæmon know that a sequence is starting
    and ending.
  • The next four ports encode the port (abcd) to be
    opened.
  • For example, if a connection to port 143 is
    required, the sequence would be 100,101,104,103.
  • The final element in the sequence is a checksum
    that validates the sequence payload.
  • In this example, the checksum is 8 (1+4+3 mod
    10).
  • The full sequence would be 102,100,103
    100,101,104,103 108 103,100,102.

7
Example of Implementation
  • When this sequence is detected, port 143 would be
    made available to the incoming IP address.
  • If the port is open already, the knock would
    render it closed.
  • The knock can be extended to include additional
    information, such as an anticipated session
    length, that can be used to close the port after
    a set amount of time.
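
Added example (not part of the original slides): a Python version of the daemon-side logic described under Implementation and Example of Implementation, extracting knock ports per source address from ipchains-style log records and decoding the header, payload, checksum and footer while ignoring spurious attempts. It takes the header 102,100,103 and footer 103,100,102 from the full worked sequence; the function names, addresses and log records are constructed for illustration.

```python
import re
from collections import defaultdict

BASE = 100                      # knock ports are 100-109, one decimal digit each
HEADER = (102, 100, 103)        # start marker, from the full worked sequence
FOOTER = (103, 100, 102)        # end marker, from the full worked sequence
# ipchains-style deny record: "... input DENY eth1 PROTO=6 SRC:SPORT DST:DPORT ..."
LOG_RE = re.compile(r"input DENY \S+ PROTO=6 (\d+\.\d+\.\d+\.\d+):\d+ \S+:(\d+)")

def knocks_by_source(lines):
    """Group logged knock-range destination ports by source IP, in log order."""
    seqs = defaultdict(list)
    for line in lines:
        m = LOG_RE.search(line)
        if m and BASE <= int(m.group(2)) <= BASE + 9:
            seqs[m.group(1)].append(int(m.group(2)))
    return dict(seqs)

def decode(ports):
    """Return the port requested by the first valid frame in `ports`, else None.

    A frame is header(3) + payload(4) + checksum(1) + footer(3) = 11 knocks.
    Sliding one knock at a time skips stray attempts before or after a frame;
    a frame interrupted by a stray attempt is not repaired.
    """
    for i in range(len(ports) - 10):
        frame = tuple(ports[i:i + 11])
        if frame[:3] != HEADER or frame[8:] != FOOTER:
            continue
        digits = [p - BASE for p in frame[3:7]]
        if sum(digits) % 10 != frame[7] - BASE:
            continue                      # checksum mismatch: ignore the frame
        return int("".join(map(str, digits)))
    return None

def sample_log(src, ports):
    """Constructed records in the log shape shown on the Example slide."""
    return [f"Feb 12 00:13:{26 + i:02d} fw kernel: Packet log: input DENY eth1 "
            f"PROTO=6 {src}:{64137 + i} 198.51.100.1:{p} L=60 SYN"
            for i, p in enumerate(ports)]

if __name__ == "__main__":
    knock = [102, 100, 103, 100, 101, 104, 103, 108, 103, 100, 102]
    client = sample_log("192.0.2.10", [105, 102] + knock + [101])
    scanner = sample_log("192.0.2.99", list(range(100, 110)) + [100, 101, 102, 103])
    mixed = [line for pair in zip(client, scanner) for line in pair]
    for src, ports in knocks_by_source(mixed).items():
        print(src, "->", decode(ports))
```

Grouping by source address keeps another host's port scan, interleaved in the same log, from corrupting a client's sequence.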

8
Mapping with Encryption
  • The information contained in the knock sequence
    can be encrypted to provide an additional measure
    of security.
  • Example:
  • 256 ports are allocated and logged.
  • A knock map of the form (remote IP, port, time,
    checksum) is used, where the remote IP, port, time and
    checksum (sum of other fields mod 255) are
    encrypted.
  • The encrypted string can be mapped onto eight
    unsigned chars using, for example, Perl's
    pack("C",STRING) command.

9
Benefits
  • Port knocking provides a stealthy method of
    authentication and information transfer to a host
    that has no open ports.
  • It is not possible to determine successfully
    whether the machine is listening for knock
    sequences.
  • It is unlikely that the form of connection
    attempts would be detected by monitoring traffic.
  • A sequence can correspond to a request that a
    port be opened for a specific length of time and
    then closed.

10
Disadvantages
  • Performance penalty: use of port knocking
    imposes an overhead for each connection.
  • A number of ports have to be allocated for
    exclusive use by port knocking.
  • In the case that no ports are initially open, if
    the listening daemon fails or is not able to
    interpret the knocks correctly, it becomes
    impossible to connect remotely to the host.