Scribd Logo
Upload

Welcome to Scribd!

  • Port Knocking

    Uploaded by

    Oktet
    161 views10 pages
    A method is needed to monitor the firewall log file and extract the sequence of ports from the log file into usable information. Port Knocking is a method of probing a computer to see what ports are open. When a properly formatted knock sequence is received, firewall rules are manipulated based on the information content of the sequence.

    Original Description:

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    PPT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    A method is needed to monitor the firewall log file and extract the sequence of ports from the log file into usable information. Port Knocking is a method of probing a computer to see what ports are open. When a properly formatted knock sequence is received, firewall rules are manipulated based on the information content of the sequence.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    161 views10 pages

    Port Knocking

    Uploaded by

    Oktet
    A method is needed to monitor the firewall log file and extract the sequence of ports from the log file into usable information. Port Knocking is a method of probing a computer to see what ports are open. When a properly formatted knock sequence is received, firewall rules are manipulated based on the information content of the sequence.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 10

    Port Knocking

    Jennifer C. Hou
    Department of Computer Science
    University of Illinois at Urbana
    Champagin
    Port scanning
     A method of probing a computer to see
    what ports are open.
     A brute force operation
     One simply tries to establish a connection to
    each and every port on the target
    computer.
     When a connection is established, the caller
    makes note of the port number and
    continues on.
     The caller can then examine these ports
    later to see if any known security holes
    Port Knocking
     As long as ports remain open, network applications are
    susceptible to attack  ports are initially closed.
     A handful of ports are configured to deny all traffic – no
    ICMP error packets are sent back to the connecting
    client.
     Users make connection attempts to sequence of closed
    ports. All failed connection attempts are logged by the
    server-side packet filtering firewall and detected by a
    daemon that monitors the firewall log file.
     When a properly formatted knock sequence is received,
    firewall rules are manipulated based on the information
    content of the sequence.
    Example
     Ports 100-109 are configured to deny all traffic.
     ipchains -A input -p tcp -s 0/0 -d IPF/32 100:109 -j
    DENY -l
     A user attempts to connect from IPC to the following firewall
    ports in sequence: 102,100,100,103.
     From the point of view of the user, the connections fail silently.
     On the firewall, the 102,100,100,103 number sequence has
    been recorded.
     Feb 12 00:13:26 ... input DENY eth1 PROTO=6 IPC:64137 IPF:102 ...
     Feb 12 00:13:27 ... input DENY eth1 PROTO=6 IPC:64138 IPF:100 ...
     Feb 12 00:13:27 ... input DENY eth1 PROTO=6 IPC:64139 IPF:100 ...
     Feb 12 00:13:28 ... input DENY eth1 PROTO=6 IPC:64140 IPF:103 ...
     The knock sequence appears in the firewall log.
    Implementation
     A method is needed to monitor the
    firewall log file.
     A method is required to extract the
    sequence of ports from the log file and
    translate them into usable information.
     How to detect a port sequence begins and
    ends.
     How to correctly detect a port sequence in
    the presence of spurious connection
    attempts that are not part of the sequence.
    Example of
    Implementation
     Ports 100-109 are used to listen to knocks.
     The port sequence is expected to be of the form:
    102,100,110 10a,10b,10c,10d 10(a+b+c+d mod 10)
    110,100,102
    header payload checksum
    footer
     The first and last three ports let the port knocking dæmon
    know that a sequence is starting and ending.
     The next four ports encode the port (abcd) to be opened.
     For example, if a connection to port 143 is required, the sequence
    would be 100,101,104,103.
     The final element in the sequence is a checksum that validates
    the sequence payload.
     In this example, the checksum is 8 (1+4+3 mod 10).
     The full sequence would be 102,100,103 100,101,104,103
    108 103,100,102.
    Example of
    Implementation
     When this sequence is detected, port 143 would be
    made available to the incoming IP address.
     If the port is open already, the knock would rendered it
    closed.
     The knock can be extended to include additional
    information, such as an anticipated session length, that
    can be used to close the port after a set amount of
    time.
    Mapping with Encryption
     The information contained in the knock
    sequence can be encrypted to provide an
    additional measure of security.
     Example:
     256 ports are allocated and logged.
     A knock map of the form
    remote IP port time checksum
    is used where the remote IP, port, time and
    checksum (sum of other fields mod 255) are
    encrypted.
     The encrypted string can be mapped onto eight
    unsigned chars using, for example, Perl's
    pack("C*",STRING) command.
    Benefits
     Port knocking provides a stealthy method of
    authentication and information transfer to a
    host that has no open ports.
     It is not possible to determine successfully
    whether the machine is listening for knock
    sequences.
     It is unlikely that the form of connection
    attempts would be detected by monitoring
    traffic.
     A sequence can corresponds to a request that
    a port be opened for a specific length of time
    and then closed.
    Disadvantages
     Performance penality: use of port
    knocking imposes an overhead for each
    connection.
     A number of ports have to be allocated
    for exclusive use by port knocking.
     In the case that no ports are initially
    open, if the listening daemon fails or is
    not able to interpret the knocks
    correctly, it becomes impossible to
    conect remotely to the host.

    You might also like