Port Knocking
Software Project Presentation Paper Study – Part 1
Group members:
Liew Jiun Hau (20086034) Lee Shirly (20095815) Ong Ivy (20095040)
Agenda
Basic Networking
Firewall
Network Attacks
Introduction to Port Knocking
Mechanism of Port Knocking
Introduction
A computer network is built on top of a protocol stack
◦OSI Model: 7 layers
The operating system performs networking by using network sockets as the
interface for communicating with other hosts
TCP/IP is the most common network protocol stack in modern networking
◦Each host on the network is associated with an IP address
However, many applications may be performing network
communication at the same time
◦The OS uses port numbers to identify which application should receive a given piece of network data
*Reference image taken from
http://commons.wikimedia.org/wiki/File:Osi-model- jb.png
TCP/IP – Internet Protocol Suite
A simpler model consists of 5 layers
Generally two types of packet
◦ TCP segment
◦ UDP datagram
A 3rd type is a raw packet
◦ Used together with a raw socket
◦ Limited support in Windows
◦ More capabilities available in UNIX/Linux environments
[Diagram: the 5-layer model (Application, Transport, Network, Data Link, Physical) on two communicating hosts]
Client and Server
Usually, Internet services are built around a Client/Server model
◦ A server that wishes to offer a service has to “listen”
on a certain port, using a socket, for requests
◦ The client sends a request (following the server’s protocol) and initiates the data exchange from a random (ephemeral) source port
This also applies to Peer-to-Peer (P2P) hosts
◦ Hosts act as both client and server instead of one at a time
◦ All P2P hosts “listen” on a certain port
The ports that these servers are listening on
are referred to as “open” ports
Port Status
Generally, we can classify the status of a port into three types (using Nmap’s definitions)
◦Open – an application is actively accepting connections
◦Closed – reachable (the host answers), but no application is listening
◦Filtered – unknown: a firewall or filter prevents the probe from reaching the port
Usually we can use a network port scanner to learn the status of a certain port
◦Network Mapper (Nmap) is a well-known and popular tool that is freely available
A network scan can be legitimate or malicious
◦To detect and troubleshoot problems in a network setup
◦To perform a penetration test of a firewall
◦It can also be used by a malicious hacker as preparation for an attack
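The three Nmap states above can be reproduced with a plain TCP connect() scan: the handshake completing means "open", a RST (connection refused) means "closed", and silence or an ICMP unreachable means "filtered". The following is an added example written for this page, not code from the presentation or from Nmap; the mapping of socket errors to states is an assumption based on how a connect scan behaves, and the throw-away listening server exists only so the example can show an "open" port on localhost (it also illustrates the Client/Server slide: the server listens on a socket, the client connects from an ephemeral port).

```python
"""
Classify a TCP port as open / closed / filtered, the three states the slide
takes from Nmap. Added example; not code from the presentation or from Nmap.

Assumed mapping (how a TCP connect() scan behaves, not something the slides state):
  - handshake completes             -> open      (an application accepted it)
  - RST comes back (ECONNREFUSED)   -> closed    (host reachable, nobody listening)
  - timeout / ICMP unreachable      -> filtered  (a firewall dropped or rejected it)
"""
import errno
import socket
import threading

# Errors that mean "something on the path, not the host itself, stopped the probe".
FILTERED_ERRNOS = {errno.EHOSTUNREACH, errno.ENETUNREACH, errno.ETIMEDOUT}


def classify_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Return 'open', 'closed' or 'filtered' for host:port using a full TCP connect."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except socket.timeout:
            return "filtered"          # silently dropped: no SYN/ACK and no RST
        except OSError as exc:
            if exc.errno == errno.ECONNREFUSED:
                return "closed"        # the kernel answered with RST: reachable, not listening
            if exc.errno in FILTERED_ERRNOS:
                return "filtered"      # ICMP unreachable or equivalent
            raise
        return "open"                  # handshake completed: something is listening


class ListeningService:
    """A throw-away TCP server on an ephemeral port, to demonstrate an 'open' port.

    Listening is what makes a port 'open'; the service itself does nothing but
    accept connections in a background thread and close them again.
    """

    def __init__(self, host: str = "127.0.0.1"):
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, 0))      # port 0: let the OS pick a free port
        self._sock.listen(5)
        self.host, self.port = self._sock.getsockname()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self) -> None:
        while True:
            try:
                conn, _peer = self._sock.accept()
            except OSError:
                return                  # listening socket shut down: stop serving
            conn.close()

    def close(self) -> None:
        try:
            self._sock.shutdown(socket.SHUT_RDWR)   # wakes the blocked accept()
        except OSError:
            pass
        self._sock.close()
        self._thread.join(timeout=1.0)


def demo() -> tuple:
    """Scan the same port while a service listens on it and again after it stops."""
    svc = ListeningService()
    while_open = classify_port(svc.host, svc.port)
    svc.close()
    after_close = classify_port(svc.host, svc.port)
    return while_open, after_close


if __name__ == "__main__":
    print(demo())  # ('open', 'closed')
```

Note that "filtered" cannot be produced against localhost, which is exactly the point of the next slides: only a packet filter in the path makes a probe disappear without an answer, so a scanner cannot tell whether anything is listening.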
Firewall
An open port is susceptible to attacks
◦It is always accessible remotely
◦Anyone can connect to it (or try to)
A firewall can be used to protect the ports
A firewall is a network security measure
◦It can protect the host by applying controls to the traffic that flows through the network
◦Can be in the form of software or hardware
*Reference image taken from
http://www.linksysbycisco.com/static/us/Learning-Center/Network-Security/Protecting-Your- Individual-PC/Software-Firewall/
Firewall (cont)
A firewall can inspect network traffic
◦ Based on a set of rules, it will allow or drop network packets into/from a host
◦ Rules can be applied to both inbound and outbound network traffic
For a server that listens on a port to provide a service, there is still a problem
◦ That port must remain open
◦ This creates a network security risk
Extra security policies can be applied to mitigate the risk
Network Attacks
By using tools like Nmap, a malicious hacker can find open ports through which to penetrate the system
Nmap can show the version of the server applications or services, or even fingerprint the OS on the host
◦Some versions of services are
vulnerable to known attacks, e.g. the SSH 1.2.31 CRC-32 compensation attack detector overflow (2001)
◦These attacks may allow the hacker to gain root (or administrator) access,
compromise the host and open further holes in the system
Other examples
◦Buffer-overflow
◦TCP SYN-Flood
◦Ping-flood
Port Knocking
Port Knocking can be seen as a
security mechanism for concealing open ports
By analogy, port knocking is comparable to the secret door knock of the old days
◦To get the door opened, one has to knock in the correct sequence
◦There might be a further challenge for a secret password after knocking correctly
Door = Port
Secret Knocks = Port Knock Sequence
Password = Authentication
◦e.g. SSH authentication
Port Knocking (cont)
Port Knocking works together with a firewall
◦Giving an extra layer of protection
◦It is not a replacement for authentication
Port Knocking does 3 things:
◦Concealment – all packets are dropped except those belonging to established connections
◦Service Protection – because all packets are dropped by default, the services behind the ports are protected
◦User Authentication – only trusted users who know the secret knocks can open a port and connect to it
Two types of Port Knocking
◦ Vanilla version
◦ Single Packet Authorization (to be explained next week)
Mechanism of Port Knocking
[Diagram: on the Server, SSHd listens on port 22 behind a Port Knock Daemon; on the Client, a Port Knock Client sends the knock sequence as SYN packets to ports 5120, 128 and 780 while an SSH Client waits to connect.]
Mechanism of Port Knocking (cont)
[Diagram (cont.): after the correct knock sequence, the Port Knock Daemon has opened port 22 for that client and the SSH Client sends its SSH request to SSHd.]
Port Knocking Explained
Port-knock packets are dropped by the firewall as usual
◦But the daemon takes note of the knocks
The daemon changes the firewall rules after receiving the correct knock sequence
◦Temporarily allow packets from that client to connect to the actual port
◦Once the TCP connection is established, additional rules keep the entire TCP session allowed
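The mechanism above (default-drop firewall, knocks observed but dropped, a temporary ACCEPT rule for the knocking client, established sessions kept alive) can be shown end to end as a small daemon that reads netfilter LOG lines, which is the "tracing the firewall logs" way of implementing it. This is an added example written for this page, not code from the presentation or from any real knock daemon such as knockd. Everything beyond the slides is an assumption: the knock sequence 5120, 128, 780 is taken from the diagram, port 22 is assumed as the protected SSHd port, the iptables rules and the "KNOCK:" log prefix are an assumed baseline, the log lines are constructed, and the iptables commands are returned as strings rather than executed.

```python
"""
Port-knock daemon logic driven by netfilter/iptables LOG lines.

Added example; not the presentation's code and not a real knock daemon.
Assumptions (not from the slides): knock sequence 5120,128,780 (the diagram's SYNs),
protected port 22, the iptables baseline below, the 'KNOCK:' log prefix, and
constructed log lines. Firewall commands are returned as strings, never run.
"""
import re
from dataclasses import dataclass, field

KNOCK_SEQUENCE = (5120, 128, 780)  # the three SYN knocks shown in the slide diagram
PROTECTED_PORT = 22                # assumption: the SSHd port the daemon guards
KNOCK_WINDOW = 10.0                # seconds allowed between two consecutive knocks
OPEN_FOR = 30.0                    # seconds the client gets to complete its TCP handshake

# The firewall the daemon works together with (assumed baseline, iptables syntax):
# drop by default, keep established sessions alive, and LOG every new SYN so the
# daemon can watch the knocks even though the firewall drops them.
BASELINE_RULES = [
    "iptables -P INPUT DROP",
    "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    "iptables -A INPUT -p tcp --syn -j LOG --log-prefix 'KNOCK: '",
]

# Fields needed from a netfilter LOG line: source address, TCP, destination port, SYN flag.
LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+) .*?\bSYN\b")


def accept_rule(src: str) -> str:
    """The temporary rule that lets one client reach the protected port."""
    return f"iptables -I INPUT -p tcp -s {src} --dport {PROTECTED_PORT} --syn -j ACCEPT"


@dataclass
class KnockDaemon:
    commands: list = field(default_factory=list)   # firewall commands the daemon would issue
    allowed: dict = field(default_factory=dict)    # src -> time its ACCEPT rule expires
    _progress: dict = field(default_factory=dict)  # src -> (knocks matched so far, last knock time)

    def observe(self, src: str, dport: int, now: float) -> bool:
        """Record one dropped SYN from src to dport. True when the sequence just completed."""
        stage, last = self._progress.get(src, (0, now))
        if stage and now - last > KNOCK_WINDOW:
            stage = 0                                  # too slow: start the sequence over
        if dport == KNOCK_SEQUENCE[stage]:
            stage += 1
        else:
            # Any wrong port resets the sequence. A sequential port scan therefore never
            # completes it, because 5120, 128, 780 is not in ascending order.
            stage = 1 if dport == KNOCK_SEQUENCE[0] else 0
        if stage == len(KNOCK_SEQUENCE):
            self._progress.pop(src, None)
            if src not in self.allowed:
                self.commands.append(accept_rule(src))
            self.allowed[src] = now + OPEN_FOR
            return True
        self._progress[src] = (stage, now)
        return False

    def expire(self, now: float) -> None:
        """Close the knock window again. Sessions already set up survive this because the
        ESTABLISHED rule in BASELINE_RULES, not the per-client rule, carries them."""
        for src, until in list(self.allowed.items()):
            if now >= until:
                del self.allowed[src]
                self.commands.append(accept_rule(src).replace("-I INPUT", "-D INPUT", 1))

    def feed_log_line(self, line: str, now: float) -> bool:
        """Parse one firewall log line and treat it as a knock if it is a logged SYN."""
        m = LOG_RE.search(line)
        if not m:
            return False
        return self.observe(m["src"], int(m["dpt"]), now)


def log_line(src: str, dpt: int) -> str:
    """Shape of a netfilter LOG entry (constructed sample, not captured from a real host)."""
    return (f"Mar  3 10:00:01 srv kernel: KNOCK: IN=eth0 OUT= SRC={src} DST=198.51.100.10 "
            f"LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40001 DPT={dpt} "
            f"WINDOW=64240 RES=0x00 SYN URGP=0")


SAMPLE_LOG = [
    (0.0, log_line("203.0.113.5", 5120)),    # legitimate client knocks in the right order
    (0.5, log_line("203.0.113.5", 128)),
    (1.0, log_line("203.0.113.5", 780)),
    (2.0, log_line("198.51.100.77", 128)),   # a scanner walks the same ports in ascending order
    (2.1, log_line("198.51.100.77", 780)),
    (2.2, log_line("198.51.100.77", 5120)),
    (3.0, log_line("198.51.100.77", 22)),    # its SYN to port 22 is just logged and dropped
]


def run_demo() -> tuple:
    """Replay the sample log; return who got in, who is left after expiry, and the commands."""
    daemon = KnockDaemon()
    for when, line in SAMPLE_LOG:
        daemon.feed_log_line(line, when)
    opened = sorted(daemon.allowed)
    daemon.expire(now=40.0)            # the 30 s window has passed: remove the ACCEPT rule
    return opened, sorted(daemon.allowed), daemon.commands


if __name__ == "__main__":
    print(run_demo())
```

Two design choices are worth noting. The slide's "additional rules to allow the entire TCP session" is done here by the standing ESTABLISHED,RELATED rule (connection tracking) instead of adding a rule per session, which is why removing the per-client ACCEPT rule does not cut off a session that already completed its handshake. And because the vanilla knock sequence travels in the clear, anyone sniffing the path can replay it; the daemon only limits the damage with the short window, the reset on a wrong knock and the fact that the service behind the port still demands its own authentication, which is why the slides stress that port knocking is not a replacement for authentication.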
The daemon can be implemented in two ways:
◦Tracing the firewall logs
◦