Why Port-Knocking Sucks, part II
Posted:
I have previously written about why port knocking sucks, but some people still believe it is brilliant. The basic idea is that instead of exposing a service, say ssh, to everyone on the net, you first have to "knock" by sending a packet or a sequence of packets to a secret port or ports. This sounds good, giving you stealth against those brute force attacks on ssh. But think again!
Port knocking may easily be defeated
If you only have to knock once on the secret port, you may have added no security at all: a port scanner could simply have hit the secret port before it hit the ssh port.
If you have to knock multiple times on the same secret port, the same applies: a port scanner usually sends multiple packets to each port in case of packet loss. You can't rely on timing between packets, because timing changes along the path. Yet you do need to implement timeouts so a half-completed knock sequence does not linger.
If you have to knock on several ports, you can't rely on packets arriving in a particular sequence. And even if you could, the port scanner might just get that order right. If your secret is, say, to knock port 1234 and then port 2345, nmap might do just that when scanning ports 0-10000. And if the secret is the reverse order, again, nmap might just do that because multiple packets are sent to each port.
It's not enough to check for the right sequence
If you require more than a single knock, you also have to monitor for wrong knocks, or a simple nmap scan may be sufficient to expose your server, as in the example above. This makes it very difficult to monitor and correctly open for access: you need to be able to distinguish random port scans, failed port knocking attempts and successful ones.
Very quickly you will find alerts of what appears to be brute force port knocking, or maybe just random scans, that demand a response (or do they?). If your knee-jerk reaction is to block automatically, then you expose yourself to a potential denial of service attack.
Port knocking does not add security
A port knock or port knock sequence is a shared password that cannot be encrypted. Since there is no previous user identification the knocking is the same for all users. It's not encrypted because the secret is in the port number you knock. This is possibly the worst kind of secret you can manage.
If you find yourself thinking you need port knocking, then your passwords are not strong enough. It is far better to use longer and more complex passwords: They are individual for each user and encrypted.
Port knocking adds complexity
Port knocking adds complexity to your server, meaning more things can go wrong, and adding yet another attack vector for the intruder. Having a script to automatically update a live rule set is a recipe for disaster.
It's impractical and user unfriendly
The more ports you have to knock, the higher the probability that some packets will be filtered when you're behind somebody else's firewall. You can be quite certain that you can't convince the admin of some corporate network to open up for your port knocking.
Because of the built-in stealth you have no way of knowing whether packets are dropped or filtered. And the user will have to accept a delay while your port knocking script updates the rules.
You add complexity for the user at no benefit for security.
Conclusion
Port knocking sucks at security: It does not solve a single existing problem but introduces a slew of other problems.