What is Port Knocking?
Port Knocking is a form of host-to-host communication in which information flows across closed ports. In this method, ports are opened externally on a firewall by generating a connection attempt on a set of prespecified closed ports. In general, data is transmitted to closed ports and received by a monitoring daemon which intercepts the information without sending a receipt to the sender.
In one instance, port knocking refers to a method of communication between two computers (For example named here General and
The definition of a valid knock varies according to the implementation, as does the daemon-side process that handles it. The trigger may result in dynamic modification of firewall rules or other administrative system events. Encoding (and optionally encrypting) information into a series of port numbers and sending it as SYN packets is one of the simplest forms of port knocking.
Most PortKnocks are stateful systems in that if the first part of the "knock" has been received successfully, an incorrect second part would not allow the remote user to continue and, indeed, would give the remote user no clue as to how far through the sequence they failed. Usually the only indication of failure is that, at the end of the knock sequence, the port expected to be open is not opened. No packets are sent to the remote user at any time.
It can also be performed by a process examining packets at a higher level (e.g. using PCAP), which allows already "open" TCP ports to be used within the knock sequence.
The basic purpose of port knocking is to prevent an attacker from discovering potentially exploitable services with a port scan: unless the attacker sends the correct knock sequence, the protected ports appear closed.
This technique for securing access to remote network daemons has not been widely adopted by the security community. In the meantime, it has been integrated into newer rootkits.
If for some reason the port knocking daemon dies, you are left with a system you cannot connect to. This is also known as a single point of failure. To help mitigate this problem, modern port knocking implementations include a process monitoring daemon that restarts the port knocking daemon if it dies.
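The stateful, silent matcher described above, written here as an added example (not code from the original page or from any particular port-knocking daemon). The knock sequence 7000, 8000, 9000, the source addresses and the SYN log are constructed, and the firewall action is stubbed as a callback so the logic runs offline.

```python
"""Stateful port-knock matcher: advances per source only on the expected
next port, resets silently on anything else, and never answers the sender."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

KNOCK_SEQUENCE = (7000, 8000, 9000)  # constructed example knock sequence


@dataclass
class KnockDaemon:
    sequence: Tuple[int, ...] = KNOCK_SEQUENCE
    # Stand-in for "add a firewall rule for this source" (hypothetical hook).
    on_success: Callable[[str], None] = lambda src: None
    # Per-source index into the sequence; absent means "no knock in progress".
    progress: Dict[str, int] = field(default_factory=dict)

    def observe(self, src: str, dst_port: int) -> bool:
        """Feed one SYN seen on a closed port. Returns True only when the
        whole sequence has just completed; nothing is ever sent back."""
        idx = self.progress.get(src, 0)
        if dst_port != self.sequence[idx]:
            # Wrong port: discard progress without revealing how far the
            # sender got. A hit on the first port starts a fresh attempt.
            self.progress[src] = 1 if dst_port == self.sequence[0] else 0
            return False
        idx += 1
        if idx == len(self.sequence):
            self.progress.pop(src, None)  # completed: forget state, act
            self.on_success(src)
            return True
        self.progress[src] = idx
        return False


def replay(syns: List[Tuple[str, int]]) -> List[str]:
    """Run a (source, destination-port) SYN log through the daemon and
    return the sources for which the protected port would be opened."""
    opened: List[str] = []
    daemon = KnockDaemon(on_success=opened.append)
    for src, port in syns:
        daemon.observe(src, port)
    return opened


# Constructed SYN log: a valid knock, a wrong-order knock, and a knock
# that stumbles on the first port and then restarts correctly.
SAMPLE_SYNS = [
    ("10.0.0.5", 7000), ("10.0.0.5", 8000), ("10.0.0.5", 9000),
    ("10.0.0.9", 7000), ("10.0.0.9", 9000), ("10.0.0.9", 8000),
    ("10.0.0.7", 7000), ("10.0.0.7", 7000), ("10.0.0.7", 8000), ("10.0.0.7", 9000),
]
```

`replay(SAMPLE_SYNS)` opens the port for 10.0.0.5 and 10.0.0.7 only; the out-of-order sender never learns which knock broke the sequence.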