
SPKT: Secure Port Knock-Tunneling, an Enhanced Port Security Authentication Mechanism

Mehran Pourvahab (1), Reza Ebrahimi Atani (1, 2), Laleh Boroumand (3)
(1) Department of Information Technology, University of Guilan, Rasht, Iran
(2) Department of Computer Engineering, University of Guilan, P.O. Box 3756, Rasht, Iran
(3) Department of Computer System and Technology, University of Malaya, 50603 Kuala Lumpur, Malaysia
mehran.pourvahab@iaul.ac.ir, rebrahimi@guilan.ac.ir, laleh.b127@gmail.com

Abstract. In recent years there has been increasing interest in authentication because of the key role it plays in network security. Port Knocking (PKn) is an authentication method in which data is transmitted to closed ports. It is prone to attack when an adversary can sniff the network. This paper proposes a new method, Secure Port Knock-Tunneling (SPKT), that eliminates both DOS-Knocking and NAT-Knocking attacks. The feasibility of implementing the method on MikroTik devices is investigated.

Keywords: Port security; Port Knocking; Authentication; DOS-knocking attack; Network Address Translation; Tunnelling.

I. INTRODUCTION

Network security protocols and policies are essential elements of Internet security devices, which provide traffic filtering, integrity, confidentiality and authentication. Recent developments in remote communication have highlighted the need for a reliable authentication process. Providing secure connections over public networks, however, is far from simple. Leaving a port open to the public is an invitation to an intruder. A safe network should be inaccessible to intruders, but a completely inaccessible network is useless. Many services have to be reachable by the public while others should be usable only by authenticated users, and services such as HTTP or SMTP must be open for everyone to see. Every open port is therefore a potential threat, and monitoring and controlling port accessibility is an important part of secure connectivity. Port knocking is a method that hides services from attackers by transmitting data to closed ports. In the rest of this section basic PKn and the attacks against it are explained.

A. Port-Knocking

In computer networking, port knocking is a method of externally opening ports on a firewall by generating connection attempts on a set of pre-specified closed ports [4]. In other words, port knocking is an authentication method that transmits data to closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host that sent the attempts to connect over specific port(s). A client that wants to use a service starts the authentication process by sending packets to which the server never replies [1]. Because nothing is sent back, an attacker monitoring the network cannot detect the server. A monitoring system on the server side stores a log of the knocking process; when the authentication pattern is completed, the server opens a port for the valid user and a trusted connection is established between client and server.

Several port knocking schemes have been accused of offering only security through obscurity, since it is trivially easy to detect and steal knocks in non-cryptographic systems [8]. One should, however, distinguish between flawed implementations, which are secure only as long as the details of the system are unknown, and the concept of port knocking itself, which is not fundamentally flawed: since revealing the presence of a service can only help an adversary, concealing services from unauthenticated users is a potentially useful idea.

Some attacks let a malicious user abuse a PKn deployment. Although PKn makes authentication safer than an always-open port, there are situations that leave the network vulnerable. DOS-Knocking and NAT-Knocking are two well known attacks on PKn mechanisms.

DOS-Knocking happens when an attacker repeatedly sends random packets to the server. The server has to allocate a buffer holding the partial knock log of each client until the sequence completes, so DOS-Knocking ties up a significant amount of memory [2].

NAT-Knocking occurs when the monitoring system cannot distinguish trusted users from others. This arises when Network Address Translation (NAT) is used: all users behind the NAT share the same address outside the local network, so once one user completes the PKn process and is granted access to the server, every client behind the same NAT can use the service [3, 4].
This paper presents a novel port knocking approach in which the PKn authentication process is divided into two phases. The first phase eliminates DOS-Knocking while the second removes the NAT-Knocking problem. The new method is called SPKT: Secure Port Knock-Tunneling, an enhanced port security authentication mechanism. To the best of the authors' knowledge PKn has not been studied enough, so it is a suitable field for researchers working on network security who want a new method for combating attackers or anonymous users.

The rest of the paper is structured as follows: Section II reviews recent studies on PKn. The SPKT technique is presented in Section III, implementation results on the MikroTik RB1100 router board are presented in Section IV, and Section V concludes the paper.

II. RELATED WORK

D. Worth [1] combined fingerprinting and port knocking into an authentication method. A firewall knock operator, a tool that supports both shared (plain) and encrypted port sequences, was also introduced. In 2005, researchers explored the limitations of PKn and highlighted the issues that can put a network in danger [6]. Between 2005 and 2010 most papers worked on encrypting the port sequence [2, 7].

The SilentKnock method is one result of that work. It applies the AES block cipher and the MD4 hash function to increase the security of PKn, and the simulation results show that SilentKnock has a reasonable overhead [8].

In the last two years there have been some attempts to challenge the original concept of port knocking. Al-Bahadili and Hadi suggested hybrid port knocking, in which the TCP packet carries a payload that indicates the requested service; this increases the capability of the system [9]. Another secure authentication approach was presented by Liew et al.; although it could not eliminate the NAT-Knocking attack, it provides security through IPsec and a One Time Password (OTP) mechanism. Furthermore, some studies address the weaknesses of SPA (single packet authentication) [10].

Most of the methods mentioned above cannot eliminate the two well known attacks, NAT-Knocking and DOS-Knocking. The PKn mechanism proposed in this paper, SPKT, achieves this goal; it is described in the next section.

III. SECURE PORT KNOCK-TUNNELING

Secure Port Knock-Tunneling (SPKT) is the new method presented in this paper. It is designed to counter NAT-Knocking and DOS-Knocking attacks and to strengthen the authentication process. SPKT has two phases, port knocking and tunneling. The first stage addresses DOS-Knocking while the second removes the NAT-Knocking problem.

Figure 1 illustrates a client that wants to connect to an SSH server after passing SPKT authentication. The client starts the SPKT process as a port knocker by sending a UDP packet to the server.

Figure 1. Secure Port Knock-Tunneling (SPKT)

The UDP packet consists of an Ethernet header, IP header, UDP header, the text passphrase as data, and the Ethernet trailer. UDP is used because it requires no acknowledgement from the server; as noted above, a server that never replies is harder to detect. In earlier port knocking schemes a valid port sequence alone establishes the connection, whereas in SPKT the client must send the correct sequence together with the correct text passphrase in each knock. Figure 2 shows the first phase of SPKT in detail. After the PKn step completes successfully, the firewall opens one port for the client and triggers the VPN connection on it.

In the example shown in Figure 2, the PKn sequence is completed after four knocks. The source node with IP address 123.123.123.123 starts SPKT by sending a UDP packet to port 3456. Because the port number is valid, the server checks the passphrase; if it equals sec_pass1, the server records the source address for 10 seconds in the list called temporary1 in the example. Otherwise the packet is treated as coming from a malicious user: the server allocates no memory for it and drops it, so the DOS-Knocking problem no longer arises. For each following knock, besides checking the secret text, the server must check whether the source IP address is present in the previous temporary list. This continues until the information from all four knocks has been stored. The whole process therefore takes at most 40 seconds: if a knock does not arrive within 10 seconds of the previous one, the buffer is flushed automatically and the process must start again. If the PKn process succeeds, the second phase starts.

Figure 2. Illustration of the port knocking phase of SPKT

In the tunneling phase, a user who has passed the PKn process connects to the SSH server through the tunnel, so the client must also pass the VPN authentication. Each session stays open for 30 minutes and is then closed automatically; a user who needs the channel for longer must send the port sequence again before the threshold expires.
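The knock phase described in this section, the DOS-Knocking and NAT-Knocking cases of Section I, and the RouterOS rules of Figure 4 can be checked against a small model. The Python program below is an added example written for this edit; it is not the paper's code and not a MikroTik tool. It mirrors the Figure 4 rule set (ports 3456/4567/5678/6789, passphrases sec_pass1 to sec_pass4, 10 s per-stage address lists, a 30 min Secured_Address list, SSH accepted only from the tunnel range 192.168.215.10-20) as an in-memory state machine and adds a Python version of the Figure 3 knock client. The addresses 198.51.100.7 and 203.0.113.5 are constructed, and a datagram to a port with no knock rule is assumed to be dropped, which Figure 4 does not state.

```python
"""In-memory model of the SPKT server rules (Figure 4) and the knock client (Figure 3).

Added example written for this edit, not the paper's own code. The behaviour for
ports without a knock rule and the test addresses are assumptions, marked below.
"""
import ipaddress
import socket
import time
from typing import Dict, List, Tuple

# One entry per knock rule: (UDP dst-port, exact payload, list the source is added to,
# address-list-timeout in seconds). Values are those of Section III / Figure 4.
KNOCK_STAGES: List[Tuple[int, bytes, str, int]] = [
    (3456, b"sec_pass1", "temporary1", 10),
    (4567, b"sec_pass2", "temporary2", 10),
    (5678, b"sec_pass3", "temporary3", 10),
    (6789, b"sec_pass4", "Secured_Address", 30 * 60),
]
# Figure 4's Tunnel_Secured_Address list: tunnel-internal addresses allowed to reach SSH.
TUNNEL_SECURED = (ipaddress.ip_address("192.168.215.10"),
                  ipaddress.ip_address("192.168.215.20"))

# Server state, mirroring RouterOS dynamic address lists: list name -> {source IP: expiry}.
AddressLists = Dict[str, Dict[str, float]]


def new_state() -> AddressLists:
    return {name: {} for _, _, name, _ in KNOCK_STAGES}


def listed(state: AddressLists, name: str, src: str, now: float) -> bool:
    """True while src is in the named list; an expired entry is removed, as the
    address-list-timeout does on the router."""
    expiry = state[name].get(src)
    if expiry is None:
        return False
    if expiry <= now:
        del state[name][src]
        return False
    return True


def handle_udp(state: AddressLists, src: str, dst_port: int, payload: bytes,
               now: float) -> str:
    """Run one UDP datagram through the input-chain knock rules.
    Returns the list the source was added to, or 'drop'."""
    for i, (port, passphrase, list_name, timeout) in enumerate(KNOCK_STAGES):
        if dst_port != port:
            continue
        # layer7-protocol=knockN: the payload must be exactly the passphrase.
        # A wrong payload creates no state at all, which is the DOS-Knocking defence.
        if payload != passphrase:
            return "drop"
        # src-address-list=temporaryN-1: the previous knock must still be live.
        if i > 0 and not listed(state, KNOCK_STAGES[i - 1][2], src, now):
            return "drop"
        state[list_name][src] = now + timeout  # add-src-to-address-list with timeout
        return list_name
    return "drop"  # assumption: no knock rule listens here and the default policy drops


def gre_allowed(state: AddressLists, src: str, now: float) -> bool:
    """GRE (the VPN transport) is accepted only while src is in Secured_Address."""
    return listed(state, "Secured_Address", src, now)


def ssh_allowed(src: str) -> bool:
    """TCP/22 is accepted only from a tunnel-internal address, never from the public
    address that knocked. This removes NAT-Knocking: the knock unlocks the tunnel
    for the NAT's shared address, but SSH still needs the VPN credentials."""
    lo, hi = TUNNEL_SECURED
    addr = ipaddress.ip_address(src)
    return addr.version == 4 and lo <= addr <= hi


def knock_sequence() -> List[Tuple[int, bytes]]:
    """Client side of Figure 3: the four (port, passphrase) datagrams in order."""
    return [(port, passphrase) for port, passphrase, _, _ in KNOCK_STAGES]


def send_knocks(server_ip: str, delay: float = 1.0) -> None:
    """Real knocker: fire the sequence over UDP and expect no reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for port, passphrase in knock_sequence():
            sock.sendto(passphrase, (server_ip, port))
            time.sleep(delay)  # stay well inside the 10 s per-stage window


def run_sequence(state: AddressLists, src: str, send_times: List[float]) -> str:
    """Replay the full client sequence at the given times; 'drop' on first failure."""
    result = "drop"
    for (port, passphrase), t in zip(knock_sequence(), send_times):
        result = handle_udp(state, src, port, passphrase, t)
        if result == "drop":
            break
    return result


if __name__ == "__main__":
    s = new_state()
    print(run_sequence(s, "123.123.123.123", [0, 3, 6, 9]))   # Secured_Address
    print(handle_udp(s, "198.51.100.7", 3456, b"guess", 0))  # drop, no state kept
    print(ssh_allowed("123.123.123.123"), ssh_allowed("192.168.215.12"))  # False True
```

A wrong passphrase returns 'drop' and leaves every list empty, which is the DOS-Knocking defence; a knock arriving 11 s after its predecessor is dropped because the previous list entry has expired; and a public (NAT) address that completed all four knocks can start the GRE tunnel but is still refused on TCP/22, which is why a second host behind the same NAT gains nothing without the VPN credentials. Note that the passphrases cross the network as cleartext UDP, so an observer can record and replay the knock sequence; in SPKT it is the VPN authentication of the second phase that binds access to a credential, and the knock phase is best treated as service concealment rather than as authentication on its own.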

IV. IMPLEMENTATION RESULTS

The feasibility of the Secure Port Knock-Tunneling scheme was investigated on MikroTik devices. A RouterBOARD 1100 (RB1100) [5] with an 800 MHz PowerPC MPC8544/E PowerQUICC III network processor was used. According to the vendor [5], the RB1100 was the fastest MikroTik product at the time: its PowerPC networking processor places it at the top of the MikroTik product line; it has thirteen individual gigabit Ethernet ports, two 5-port switch groups and Ethernet bypass capability, a SODIMM RAM slot for upgradable memory, two microSD card slots, a beeper and a serial port; it comes in a 1U aluminium rackmount case; and, used as a backbone router or firewall, it can handle up to 400,000 pps or 3.2 Gbps full duplex.

As explained in the previous section, the SPKT mechanism was applied on the RB1100 as shown in Figures 1 and 2. The scripts used for knocking on the client side and on the server side are shown in Figures 3 and 4: the client script is a Windows AutoIt script that sends the four UDP knocks, and the server script is the RouterOS 5.9 firewall configuration. As the scripts show, SPKT counters the DOS-Knocking and NAT-Knocking attacks: a knock with the wrong passphrase never creates an address-list entry, and SSH is accepted only from tunnel-internal addresses, never from the public address that knocked. The two drop rules in Figure 4 use a negated source list (src-address-list=!...) so that each drops exactly the traffic the accept rule before it did not match.

; Client Side Script / Port Knocker (AutoIt)
;
; Knock Server IP : 111.111.111.111
; Each knock is a single UDP datagram whose payload is the stage passphrase;
; no reply is expected, so the socket is closed right after sending.
UDPStartup()
$socket = UDPOpen("111.111.111.111", 3456)
$status = UDPSend($socket, "sec_pass1")
UDPCloseSocket($socket)
$socket = UDPOpen("111.111.111.111", 4567)
$status = UDPSend($socket, "sec_pass2")
UDPCloseSocket($socket)
$socket = UDPOpen("111.111.111.111", 5678)
$status = UDPSend($socket, "sec_pass3")
UDPCloseSocket($socket)
$socket = UDPOpen("111.111.111.111", 6789)
$status = UDPSend($socket, "sec_pass4")
UDPCloseSocket($socket)
UDPShutdown()

Figure 3. Sample code performing the SPKT in the client side.

# Knock Server Side Script
#
# dec/01/2011 00:25:10 by RouterOS 5.9
# software id = P09Z-NKBS
#
/ip firewall layer7-protocol
# the payload must be exactly the stage passphrase (\$ is the export-escaped $ anchor)
add name=knock1 regexp="^sec_pass1\$"
add name=knock2 regexp="^sec_pass2\$"
add name=knock3 regexp="^sec_pass3\$"
add name=knock4 regexp="^sec_pass4\$"
/ip firewall address-list
# IP address list for the tunneling connection (tunnel-internal addresses)
add address=192.168.215.10-192.168.215.20 disabled=no list=Tunnel_Secured_Address
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
    tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s \
    tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
# knock 1: passphrase only; the source is kept in temporary1 for 10 s
add action=add-src-to-address-list address-list=temporary1 address-list-timeout=10s \
    chain=input comment="<<<----- Listen UDP:3456 ----->>>" disabled=no \
    dst-port=3456 layer7-protocol=knock1 protocol=udp
# knock 2: passphrase and the source must still be in temporary1
add action=add-src-to-address-list address-list=temporary2 address-list-timeout=10s \
    chain=input comment="<<<----- Listen UDP:4567 ----->>>" disabled=no \
    dst-port=4567 layer7-protocol=knock2 protocol=udp src-address-list=temporary1
# knock 3
add action=add-src-to-address-list address-list=temporary3 address-list-timeout=10s \
    chain=input comment="<<<----- Listen UDP:5678 ----->>>" disabled=no \
    dst-port=5678 layer7-protocol=knock3 protocol=udp src-address-list=temporary2
# knock 4: the source is unlocked for the tunnel for 30 minutes
add action=add-src-to-address-list address-list=Secured_Address \
    address-list-timeout=30m chain=input comment="<<<----- Listen UDP:6789 ----->>>" \
    disabled=no dst-port=6789 layer7-protocol=knock4 protocol=udp \
    src-address-list=temporary3
# tunnel transport (GRE) only from sources that completed the knock sequence
add action=accept chain=input comment="Input Accept >>> Secured_Address" \
    disabled=no protocol=gre src-address-list=Secured_Address
# negated list: drops GRE from every source the accept rule above did not match
add action=drop chain=input comment="Input Tunnel Drop <> All IPs" \
    disabled=no protocol=gre src-address-list=!Secured_Address
# SSH only from tunnel-internal addresses, never from the public (possibly NAT) address
add action=accept chain=input comment="Input Tunnel Accept >>> Tunnel_Secured_Address" \
    disabled=no dst-port=22 protocol=tcp src-address-list=Tunnel_Secured_Address
add action=drop chain=input comment="Input Tunnel Drop <> Tunnel_Secured_Address" \
    disabled=no dst-port=22 protocol=tcp src-address-list=!Tunnel_Secured_Address

Figure 4. Sample code to perform the SPKT in the server side.

V. CONCLUSIONS AND FUTURE WORK

Analysis of port knocking authentication methods has revealed design flaws and implementation problems that could give access to unauthorized users. SPKT, the method presented in this paper, improves the port knocking authentication mechanism and removes the DOS-Knocking and NAT-Knocking attacks, so a connection established with SPKT is more reliable than with previous methods. The scheme uses four knocks that must be completed within a fixed period, otherwise the process starts again. Work on port sequence selection is suggested as future work.

REFERENCES

[1] D. Worth, "COK: Cryptographic One-Time Knocking," talk slides, Black Hat USA, 2004, pp. 19-25.
[2] A. I. Manzanares, J. T. Marquez, J. M. Estevez-Tapiador, J. C. Hernandez Castro, "Attacks on port knocking authentication mechanism," Computational Science and Its Applications (ICCSA 2005), pp. 1292-1300.
[3] T. Popeea, V. Olteanu, L. Gheorghe, R. Rughinis, "Extension of a port knocking client-server architecture with NTP synchronization," 10th RoEduNet International Conference, 2011, pp. 1-5.
[4] S. Jeanquier, "An Analysis of Port Knocking and Single Packet," MSc thesis, Information Security Group, Royal Holloway College, University of London, 2006.
[5] MikroTik RouterBOARD RB1100 product page, http://routerboard.com/RB1100
[6] R. DeGraaf, J. Aycock, M. J. Jacobson, "Improved Port Knocking with Strong Authentication," 21st Annual Computer Security Applications Conference (ACSAC), 2005, pp. 451-462.
[7] P. Iyappan, K. S. Arvind, N. Geetha, S. Vanitha, "Pluggable Encryption Algorithm in Secure Shell (SSH) Protocol," Second International Conference on Emerging Trends in Engineering and Technology, 2009, pp. 808-813.
[8] E. Y. Vasserman, N. Hopper, J. Laxson, J. Tyra, "SilentKnock: practical, provably undetectable authentication," International Journal of Information Security, Vol. 8, No. 1, February 2009, pp. 121-135.
[9] H. Al-Bahadili, A. H. Hadi, "Network Security Using Hybrid Port Knocking," International Journal of Computer Science and Network Security (IJCSNS), Vol. 10, No. 8, 2010, pp. 8-12.
[10] J. H. Liew, S. Lee, I. Ong, H. J. Lee, H. Lim, "One-Time Knocking framework using SPA and IPsec," 2nd International Conference on Education Technology and Computer, 2010, pp. 209-213.
