Port Knocking 101

by on Dec.14, 2011, under English, Knocking, Security

Port knocking has been a subject of interest to geeks, security buffs and myself for a long time. This article is the first of a series where I’ll share my experiences and research into this field. After looking into port knocking, I’ll be covering its cousin: Single Packet Authorization.

Port Knocking

Port knocking aims at keeping your private services even more private by keeping the door closed until someone shows up and knocks on it using the secret code: “Knock knock knock knock knock, one second pause, knock knock”. It’s actually a little bit more complicated than that, but at least you now get the idea.

Here’s a high level view of port knocking to help you situate it within your network security onion.

[Figure: Port Knocking Layer Circles]

Transitioning from a high level view to a close-up one, here’s how port knocking works:

The first step in implementing port knocking on your system is to set up a small program that reads your firewall logs. Then you must decide which log entries make it react and what actions need to be taken. I’ll explain the action part later. The trick then is to send traffic to your firewall that makes it generate the log entries your program is looking for. The working principle is quite simple and elegant but, as usual, the devil’s in the details.

What actions were you talking about?

That’s the most interesting part: you decide what must be done. The action can be anything you can program your firewall to do!

Following is an example of the simplest and most common kind of port knocking implementation, which consists of opening a TCP port for a remote IP. Now, imagine that Bob wants Alice to use port knocking to connect to his private web server. Here’s how he could do it:

  • Bob sets up his firewall with all ports closed and configures it to log invalid connection attempts without replying.
  • Bob sets up a small daemon to read his firewall log; when the firewall blocks packets addressed to ports 1234 and 12345, in that particular order and from the same IP, it opens up port 80 for the IP that sent the packets. (The three items below will be explained in the next article.)
    • The log is the covert channel.
    • The packets to ports 1234 and 12345 are the knock.
    • Opening up port 80 is the action.
  • Bob tells Alice in a secure manner how to knock on his firewall.
  • Alice sends the knock: a packet to port 1234 and then to port 12345. Alice now expects port 80 to be open and initiates a connection to port 80.
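As an added example that is not part of the original article, here is what Bob’s daemon could look like in Python: it parses constructed iptables-style DROP log lines (the log format, the 10 second timeout and the sample addresses are my assumptions) and tracks each source IP’s progress through the 1234, 12345 sequence, so that out-of-order knocks and stale half-knocks never trigger the action.

```python
import re
# Constructed iptables-style log format assumed for this example (not from the article).
LOG_RE = re.compile(r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+) .*?DPT=(?P<dpt>\d+)")

class KnockDaemon:
    def __init__(self, sequence=(1234, 12345), timeout=10.0, open_port=80):
        self.sequence = sequence      # the article's ports, in the required order
        self.timeout = timeout        # assumption: the sequence must complete within 10 s
        self.open_port = open_port    # the action: open this port for the knocking IP
        self.progress = {}            # src ip -> (ports matched so far, time of last hit)
        self.actions = []             # what the daemon would do, e.g. ("open", ip, 80)

    def feed(self, line, now):
        # Consume one dropped-packet log line; return the action triggered, if any.
        m = LOG_RE.search(line)
        if not m:
            return None
        src, dpt = m.group("src"), int(m.group("dpt"))
        matched, last = self.progress.get(src, (0, now))
        if now - last > self.timeout:
            matched = 0               # stale partial knock: start over
        if dpt == self.sequence[matched]:
            matched += 1              # next expected port
        elif dpt == self.sequence[0]:
            matched = 1               # wrong port, but it is a fresh first knock
        else:
            matched = 0               # wrong port or wrong order: reset
        if matched == len(self.sequence):
            self.progress.pop(src, None)
            action = ("open", src, self.open_port)
            self.actions.append(action)
            return action
        self.progress[src] = (matched, now)
        return None

# Constructed sample log: Alice (203.0.113.5) knocks in order, a scanner (198.51.100.77)
# hits the same ports in the wrong order, and 192.0.2.9 lets its knock time out.
SAMPLE_LOG = [
    (0.0,  "kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.1 PROTO=TCP DPT=1234"),
    (0.5,  "kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.1 PROTO=TCP DPT=12345"),
    (1.0,  "kernel: DROP IN=eth0 SRC=198.51.100.77 DST=198.51.100.1 PROTO=TCP DPT=12345"),
    (1.2,  "kernel: DROP IN=eth0 SRC=198.51.100.77 DST=198.51.100.1 PROTO=TCP DPT=1234"),
    (2.0,  "kernel: DROP IN=eth0 SRC=192.0.2.9 DST=198.51.100.1 PROTO=TCP DPT=1234"),
    (20.0, "kernel: DROP IN=eth0 SRC=192.0.2.9 DST=198.51.100.1 PROTO=TCP DPT=12345"),
]
def run_sample():
    daemon = KnockDaemon()
    for ts, line in SAMPLE_LOG:
        daemon.feed(line, ts)
    return daemon.actions
```

Only Alice’s source address ends up in the action list; a real daemon would hand that tuple to the firewall (and later close the port again).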

Someone on the Internet could scan your system for open services and find nothing, while Alice is simultaneously logged into your web server!

Nothing prevents you from making the daemon do something other than modifying your firewall. For example, you could make it initiate a reverse SSH session or even order a pizza…

Single Packet Authorization

Single Packet Authorization is very similar to port knocking. The difference lies in the knock. Instead of a secret knock sequence, you tell the door a password, as in the famous “Open Sesame!”.

On a more technical level, Single Packet Authorization works like port knocking, with two main differences:

  1. Instead of using port numbers, the knock is enclosed in the data of a packet. You must have a way to inspect the content of the traffic with some kind of Deep Packet Inspection technology for SPA to work. Wireshark or tcpdump could fit the bill nicely.
  2. The message included in the packet must be analyzed by a daemon.

Port Knocking vs Single Packet Authorization

SPA uses what is called a “Magic Packet” which contains the knock in its data payload. This magic packet can contain any data you want. It may range from a simple password (in clear text or hashed) to an asymmetric encryption system closer in functionality to SSL. What limits you is a tradeoff between usability, security and performance.

Here’s an example of SPA in action with our friends Alice and Bob:

  • Bob sets up his firewall with all ports closed and configures it to log invalid connection attempts without replying.
  • Bob sets up a small daemon that inspects incoming traffic. When it receives an ICMP ping packet, it analyzes it. If it contains the word “Passw0rd” in its payload, it opens up port 80 for the originating IP (or takes whatever action you want, including executing a command contained in the payload).
  • Bob tells Alice in a secure manner how to knock on his firewall.
  • Alice sends the knock: a magic packet containing the word “Passw0rd”. Alice expects port 80 to be open and initiates a connection to port 80.

Simple? Yes. But it isn’t really secure. An attacker who can sniff traffic outside your firewall could listen to the knock and simply replay it to your firewall after substituting Alice’s IP with his own.

There are solutions to this problem, but every one of them adds complexity and has a negative impact on performance. They are out of the scope of this article, but I’ll list some general strategies for the sake of completeness.

The magic packet payload could look something like this:

  • Symmetric key: a pre-shared password is used
    • Hash( “Passw0rd” + timestamp + salt )
  • Asymmetric key: a public key infrastructure is used
    • Alice uses her private key to sign a message and encrypts it with Bob’s public key. The message might contain a timestamp to help thwart replay attacks.
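As an added example (not code from the article), the following Python contrasts the clear-text “Passw0rd” check from the ICMP scenario above with a verifier for the symmetric-key payload just described: the knock is timestamp, random nonce and client IP authenticated with HMAC-SHA256 over a pre-shared key, and the server rejects stale timestamps, repeated nonces and payloads replayed from another address. The key, the 30 second window and the nonce size are my assumptions.

```python
import hmac
import hashlib
import socket
import struct

# Assumptions for this example (not from the article): a pre-shared key, a 30 s clock
# window, a 16-byte random nonce per knock, and the client's own IP bound into the MAC.
PSK = b"constructed-pre-shared-key-for-demo"
WINDOW = 30
BODY_LEN = 4 + 16 + 4          # timestamp || nonce || IPv4 address

def naive_check(payload: bytes) -> bool:
    """The clear-text scheme from the article: a captured payload replays verbatim."""
    return b"Passw0rd" in payload

def build_knock(psk: bytes, ts: int, nonce: bytes, client_ip: str) -> bytes:
    """Magic packet = body || HMAC-SHA256(psk, body), i.e. Hash(secret + timestamp + salt)."""
    body = struct.pack("!I", ts) + nonce + socket.inet_aton(client_ip)
    return body + hmac.new(psk, body, hashlib.sha256).digest()

class SpaVerifier:
    """Server-side check: valid MAC, fresh timestamp, unseen nonce, matching source IP."""

    def __init__(self, psk: bytes, window: int = WINDOW):
        self.psk = psk
        self.window = window
        self.seen = {}          # nonce -> timestamp, the replay cache

    def verify(self, payload: bytes, src_ip: str, now: int) -> bool:
        if len(payload) != BODY_LEN + 32:
            return False
        body, tag = payload[:BODY_LEN], payload[BODY_LEN:]
        expected = hmac.new(self.psk, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False        # wrong key or tampered payload
        ts = struct.unpack("!I", body[:4])[0]
        nonce, bound_ip = body[4:20], socket.inet_ntoa(body[20:24])
        if abs(now - ts) > self.window:
            return False        # stale knock, outside the accepted clock window
        if bound_ip != src_ip:
            return False        # replayed from another address (the attack described above)
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if nonce in self.seen:
            return False        # same nonce already accepted: a replay
        self.seen[nonce] = ts
        return True
```

Binding the client IP into the MAC assumes Alice knows the address Bob will see; behind NAT she would have to use the public one.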

Some questions must be answered before deploying a port knocking or single packet authorization setup:

  • How do you detect when a connection is no longer needed?
  • How do you cope with packets that arrive out of order?
  • How do you prevent replay attacks?
  • How do you manage concurrent users?
  • How do you share the knock securely?

Those questions will all be addressed in following articles.

As simple as it is in theory, in practice there are lots of gotchas that must be dealt with. There’s a large volume of literature available on the Internet covering different knocking methods with their pros and cons. Good places to look for info are portknocking.org and wikipedia.org/wiki/Port_knocking. For a list of working implementations, take a look at http://portknocking.org/view/implementations.

You can continue your reading on port knocking with my second article: Defining Knocking

Special thanks to Jerome Gauthier for reviewing this article.
