
Closed Port Authentication with Port Knocking

Phil Lunsford, Evan C. Wright
East Carolina University, Greenville, NC

Abstract

Port knocking is a promising new technology to further secure remote services. This technology can be used to keep all TCP ports closed until a user has authenticated with a port knock sequence. During the port knock sequence all ports remain closed, thus rendering the server invisible to any malicious port scans. After a valid knock sequence has been verified by the system, a predetermined TCP or UDP port is opened, allowing a standard connection for a predefined service. This adds an extra layer of authentication at the transport layer without requiring changes to the application. A review of the current implementations is given.

Introduction

The addressing scheme for the TCP/IPv4 protocol allows for a unique 32-bit IP address for each computer. In addition to an IP address for a computer, 16-bit port numbers are used to establish logical connections for transmission of data. For a given packet being transmitted from a source to a destination, there are a total of two IP addresses, source and destination, and also two ports, source and destination. Most applications transmit data based on a client/server architecture. One machine is the server and the other is the client. When the client requests data from a server, the destination port number used in the requesting packet determines the service. For example, for a web browser running on a client computer to access a web page, a datagram with the destination of port 80 is sent to the server. The association of well-known services to port numbers is maintained by IANA [1]. Each of the well-known ports can be thought of as a door, behind which a certain service resides. The two IP addresses and the two port numbers all together identify a socket, or an end-to-end logical communication link between two devices. TCP sockets are established with a 3-way handshake as shown in Figure 1.
The client initiates the connection with a synchronize (SYN) packet. The server responds with a SYN-ACK packet that requests synchronization with the client and also acknowledges (ACK) the initial SYN packet. The final part of the handshake is an ACK packet that the client sends to the server. This handshake provides a robust method to establish a socket, but it also allows anonymous information gathering. Programs such as NMAP [2] send SYN packets and other packet types that normally initiate some sort of reply. These replies are analyzed to answer questions such as “Is the IP address valid with a device that is powered on?”, “What services are offered on the machine?”, and even “What operating system is running?”. This information can be gathered automatically and can be used to plan a malicious attack, or it may automatically be used by malware to launch attempts at compromising identified machines. Server ports can be kept closed, allowing responses denying a connection, or they can be configured to drop incoming packets, effectively not responding to any packet, often referred to as “stealth” mode. A server with all ports in stealth mode is invisible to malicious scans, but of course is not normally able to offer any services. Unfortunately, many operating system configuration defaults are set to have ports open. For instance, in Microsoft Windows the file sharing port is open by default. Network devices such as routers also often have ports open by default, aiding in the simplicity of creating a working configuration, but to the detriment of security.

[Figure 1. TCP Three-way Handshake: SYN, initial request from client to server; SYN-ACK, response from server to client; ACK, response from client to server.]

Proceedings of the 2005 American Society for Engineering Education Annual Conference & Exposition. Copyright © 2005, American Society for Engineering Education

Port knocking is a technique suggested as early as February 2003 [3] and has been well documented online by Krzywinski [4,5]. This technique adds another layer of authentication and helps reduce the information available from malicious scans. A basic implementation of port knocking is shown in Figure 2. All ports are initially in stealth mode. For a client to obtain a service, it first must send a predefined sequence of SYN packets (or packets of another predefined type) to the server. The port numbers used, the order in which they arrive, and the time period within which they are received determine whether the knock sequence is valid. Sequences of packets that are received in the wrong order or contain the wrong port numbers will not be recognized as a valid knock sequence. Sequences that are not received within a predefined time interval will not be recognized either. When a valid sequence is received, a predetermined port is opened and the client can then initiate a socket for that service. Since the knock packets carry the source IP address (the IP address of the client), the server has the information available to open the port exclusively for the knocking client. This technique allows the server to normally remain in stealth mode while still allowing trusted connections, effectively adding a layer of authentication to the system.
[Figure 2. Port Knock sequence followed by socket establishment with TCP Three-way Handshake: first knock, SYN request from client to server, no response from server; second knock, SYN request from client to a different port, no response from server; last knock, SYN request from client to a different port, no response from server, but the server configuration is changed to open the predefined port to the client; then SYN request from client to the opened port, SYN-ACK response from server to client, ACK response from client to server.]

No.  Time      Source        Destination   Protocol  Info
1    0.000000  192.168.1.14  192.168.1.3   TCP       32904 > 10000 [SYN]
2    0.000088  192.168.1.14  192.168.1.3   TCP       32905 > 11000 [SYN]
3    0.000213  192.168.1.14  192.168.1.3   TCP       32906 > 12000 [SYN]
4    0.000272  192.168.1.14  192.168.1.3   TCP       32907 > 11000 [SYN]
5    0.000372  192.168.1.14  192.168.1.3   TCP       32908 > 10000 [SYN]

Figure 3. Output from Ethereal Showing Port Knock Sequence.

The major flaw in basic port knocking is its susceptibility to a replay attack. This attack consists of monitoring the server traffic, then resending that data from a malicious client at a later time. Since port knocks consist of a unicast port-opening attempt from one host to another, all of the information is readily available if the network traffic can be monitored.

Figure 3 shows the output from the Ethereal [6] network protocol analyzer program for a capture taken during a port knock sequence. This clearly shows the port knock sequence to be 10000, 11000, 12000, 11000, 10000 and illustrates the vulnerability when the traffic to the server can be monitored. This is the major, obvious flaw in simple port knocking: it is vulnerable to replay attacks if the server is on the same LAN as the malicious user, or if the malicious user has administrator access to a computer or other network device that is connected to the LAN.

Implementations

Various implementations are available, but most are for Linux/UNIX systems only. Programming languages used include C, C++, Perl, Java, BASH, and Python. Implementations and variations are being released very quickly. For a current summary of port knocking implementations, see Martin Krzywinski’s web site www.portknocking.org.

Released by Vinet [7], the knockd daemon implementation for Linux/Unix systems provides a simple, easily configurable port knocking scheme. This implementation, like most, relies on the iptables kernel function for packet filtering, so a software firewall is already implemented on the system. A log of the connection attempts is monitored by the knockd daemon, and the firewall rules are automatically changed when a valid knock sequence is detected. The knock sequence is defined in a file named knockd.conf located in the directory of compilation or in the /etc directory. This implementation currently suffers from the vulnerability to replay attacks. For basic implementations like knockd, we recommend a fairly long knock sequence of 20 or more knocks. Furthermore, the sequence should contain repeated ports multiple times. This will strengthen the resistance to a port scanning program accidentally opening a port with a valid knock sequence. Strictly speaking, port knocking in its simplest form cannot be encrypted: the port numbers are contained within the TCP header, which remains in clear-text form.
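The knock matching described above (port numbers, order, and time window tracked per source address), as an added example that is not the paper's or knockd's code: a small server-side matcher fed with a capture constructed to mirror Figure 3. The 5-second window and the second source address are assumptions; the same capture replayed later from another address is accepted, which is the replay weakness the paper describes.

```python
from dataclasses import dataclass
# Sequence read off the Figure 3 capture; the 5-second window is an assumption
# (the paper only says knocks must arrive within a predefined interval).
KNOCK_SEQUENCE = (10000, 11000, 12000, 11000, 10000)
SEQ_TIMEOUT = 5.0

@dataclass
class KnockState:
    position: int = 0     # knocks of the sequence matched so far
    started: float = 0.0  # time of the first matched knock

class KnockDaemon:
    """Per-source-address matcher (a model of the technique, not knockd's code)."""
    def __init__(self, sequence=KNOCK_SEQUENCE, timeout=SEQ_TIMEOUT):
        self.sequence, self.timeout = tuple(sequence), timeout
        self.states = {}  # src_ip -> KnockState
        self.opened = []  # (src_ip, time) the service port was opened for

    def on_syn(self, t, src_ip, dst_port):
        """Feed one inbound SYN; return True when the sequence completes."""
        st = self.states.setdefault(src_ip, KnockState())
        if st.position and t - st.started > self.timeout:
            st.position = 0  # too slow: the partial sequence expires
        if dst_port != self.sequence[st.position]:
            st.position = 0  # wrong port or wrong order: discard progress
            if dst_port != self.sequence[0]:
                return False  # not even a fresh first knock
        if st.position == 0:
            st.started = t
        st.position += 1
        if st.position < len(self.sequence):
            return False
        del self.states[src_ip]
        self.opened.append((src_ip, t))  # firewall rule for src_ip would go here
        return True

# Constructed capture mirroring Figure 3: (time, source IP, destination port).
FIGURE3_CAPTURE = [
    (0.000000, "192.168.1.14", 10000), (0.000088, "192.168.1.14", 11000),
    (0.000213, "192.168.1.14", 12000), (0.000272, "192.168.1.14", 11000),
    (0.000372, "192.168.1.14", 10000),
]

def feed(capture, sequence=KNOCK_SEQUENCE, timeout=SEQ_TIMEOUT):
    """Run a capture through a fresh daemon; return the addresses opened for."""
    daemon = KnockDaemon(sequence, timeout)
    for t, src, port in capture:
        daemon.on_syn(t, src, port)
    return [ip for ip, _ in daemon.opened]
```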
Variations to port knocking have been developed that move the authentication token from a sequence of knocks to a UDP packet payload. Some authors do not consider this true port knocking since there is no knock sequence, but the idea of keeping ports closed and selectively opening them only under certain conditions triggered by incoming packets is common to both methods.