In computer networking, port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s). A variant called single packet authorization exists, where only a single "knock" is needed, consisting of an encrypted packet.
The primary purpose of port knocking is to prevent an attacker from scanning a system for potentially exploitable services by doing a port scan, because unless the attacker sends the correct knock sequence, the protected ports will appear closed.
Overview
Port knocking is usually implemented by configuring a daemon to watch the firewall log file for said connection attempts then modify the firewall configuration accordingly. It can also be performed by a process examining packets at a higher level (using packet capture interfaces such as pcap), allowing the use of already "open" TCP ports to be used within the knock sequence.
The port "knock" itself is similar to a secret handshake and can consist of any number of TCP, UDP or even sometimes ICMP and other protocol packets to numbered ports on the destination machine. The complexity of the knock can be anything from a simple ordered list (e.g. TCP port 1000, TCP port 2000, UDP port 3000) to a complex time-dependent, source-IP-based and other-factor-based encrypted hash.
A portknock daemon on the firewall machine listens for packets on certain ports (either via the firewall log or by packet capture). The client user would carry an extra utility, which could be as simple as netcat or a modified ping program or as complicated as a full hash-generator, and use that before they attempted to connect to the machine in the usual way.
Most portknocks are stateful systems in that if the first part of the "knock" has been received successfully, an incorrect second part would not allow the remote user to continue and, indeed, would give the remote user no clue as to how far through the sequence they failed. Usually the only indication of failure is that, at the end of the knock sequence, the port expected to be open is not opened. No packets are sent to the remote user at any time.
While this technique for securing access to remote network daemons has not been widely adopted by the security community, it has been actively used in many rootkits even before year 2000.
Benefits
Defeating port knocking protection requires large-scale brute force attacks in order to discover even simple sequences. An anonymous brute force attack against a three-knock TCP sequence (e.g. port 1000, 2000, 3000) would require an attacker to test every three port combination in the 1–65535 range and then scan each port between attacks to uncover any changes in port access on the target system. Since port knocking is by definition stateful, the requested port would not open until the correct three-port number sequence had been received in the correct order and without receiving any other intervening packets from the source. The average case scenario requires approximately 141 trillion (655353 / 2) packets to determine a correct three-port number. This technique, in combination with knock attempt-limiting, longer or more complex sequences and cryptographic hashes, makes successful port access attempts extremely difficult.
Once the successful port knock sequence is supplied to open a port, firewall rules generally only open the port to the IP address that supplied the correct knock, adding dynamic functionality to firewall behaviour. Instead of using a preconfigured static IP whitelist on the firewall, an authorised user situated anywhere in the world would be able to open any necessary port without assistance from the server administrator. The system could also be configured to allow the authenticated user to manually close the port once the session is over or to have it close automatically using a timeout mechanism. To establish a new session, the remote user would be required to reauthenticate using the correct sequence.
The stateful behaviour of port knocking allows several users from different source IP addresses to be at varying levels of port knock authentication simultaneously, allowing a legitimate user with the correct knock sequence through the firewall while the firewall itself is in the middle of a port attack from multiple IP addresses (assuming the bandwidth of the firewall is not completely consumed). From any other attacking IP address, the ports on the firewall will still appear to be closed.
Using cryptographic hashes inside the port knock sequence defends against packet sniffing between the source and target machines, preventing discovery of the port knock sequence or using the information to create traffic replay attacks to repeat prior port knock sequences.
Port knocking is used as part of a defense in depth strategy. Even if the attacker were to successfully gain port access, other port security mechanisms are still in place, along with the assigned service authentication mechanisms on the opened ports.
Implementation of the technique is straightforward, using at the bare minimum a shell script on the server and a Windows batch file or command line utility on the client. Overhead on both the server and client in terms of traffic, CPU and memory consumption is minimal. Port knock daemons are not complex to code; any type of vulnerability within the code is obvious and auditable.
A port knock system implemented on ports such as the SSH sidesteps the issue of brute force password attacks on logins. In the case of SSH, the SSH daemon is not activated without the correct port knock, and the attack is filtered by the TCP/IP stack rather than using SSH authentication resources. To the attacker, the daemon is inaccessible until the correct port knock is supplied.
Security considerations
Port knocking is a flexible, customisable system add-in. If the administrator chooses to link a knock sequence to an activity such as running a shell script, other changes such as implementing additional firewall rules to open ports for specific IP addresses can easily be incorporated into the script. Simultaneous sessions are easily accommodated.
In addition to mitigating brute force password attacks and the inevitable growth in logs associated with the process daemon, port knocking also protects against protocol vulnerability exploits. If an exploit was discovered that could compromise a daemon in its default configuration, using port knocking on the listening port reduces the possibility of compromise until the software or process is updated. Authorized users would continue to be served once they provide the correct knock sequence while random access attempts would be ignored.
Port knocking should only be viewed as part of an overall network defense strategy providing protection against random and targeted attacks, not as complete standalone solution.
Network Security Professionals have largely ignored port knocking as a solution in the past since early implementations relied solely on providing the correct port combinations to achieve access. Modern port knock systems incorporate features such as secure cryptographic hashes, blacklists, whitelists and dynamic attack responses to further increase system capability. Port knocking is an effective means of maximizing server resources on internet facing networks.
Properly implemented port knocking does not lower the overall security of a system. It is an effective measure that provides an additional layer of security with minimal server resource overhead. At worst, systems such as port knocking introduce new security issues through poor implementation or expose ambivalent administration attitudes through situations such as risk compensation.
Disadvantages
Port knocking is totally dependent on the robustness of the port knocking daemon. The failure of the daemon will deny port access to all users and from a usability and security perspective, this is an undesirable single point of failure. Modern port knocking implementations mitigate this issue by providing a process monitoring daemon that will restart a failed or stalled port knocking daemon process.
Systems that do not use cryptographic hashes are vulnerable to IP address spoofing attacks. These attacks, a form of Denial of service, use port knocking functionality to lock out known IP addresses (e.g. administrator management stations) by sending packets with the spoofed IP address to random ports. Servers using static addressing are especially vulnerable to these types of denials of service as their addresses are well known.
Port knocking can be problematic on networks exhibiting high latency. Port knocking depends on packets arriving in the correct sequence to access its designed functionality. TCP/IP, other hand, is designed to function by assembling out of order packets into a coherent message. In these situations, the only solution is for the client to continue resending the correct sequence of packets on a periodic basis until the sequence is acknowledged by the server.
Port knocking cannot be used as the sole authentication mechanism for a server. From a security perspective, simple port knocking relies on security through obscurity; unintended publication of the knock sequence infers compromise of all devices supporting the sequence. Further, unencrypted port knocking is vulnerable to packet sniffing. A network trace of suitable length can detect the correct knock sequence from a single IP address and thus provide a mechanism for unauthorised access to a server and by extension, the attached network. Once compromised, the log files on the device are a source of other valid knock sequences, revealing another point of failure. Solutions such as treating each knock sequence as a one-time password defeat the aim of simplified administration. In practice, port knocking must be combined with other forms of authentication that are not vulnerable to replay or man-in-the-middle attacks for the whole system to be effective.