June 12, 2005
June 15, 2005
10.309.1 - 10.309.8
Closed Port Authentication with Port Knocking
Phil Lunsford, Evan C. Wright
East Carolina University, Greenville, NC
Port knocking is a promising new technology to further secure remote services. This technology can be used to keep all TCP ports closed until a user has authenticated with a port knock sequence. During the port knock sequence all ports remain closed, thus rendering the server invisible to any malicious port scans. After a valid knock sequence has been verified by the system, a predetermined TCP or UDP port is opened allowing for a standard connection for a predefined service. This allows an extra layer of authentication at the transport layer without requiring changes to the application. A review of the current implementations is given.
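The knock verification described above, as an added Python example that is not from the paper or from any implementation it reviews. The knock ports, the service port, the time window and the log records are assumed values constructed for illustration; the `opened` set stands in for the firewall rule a real daemon would add.

```python
from dataclasses import dataclass, field

# Assumed values for illustration; the paper does not specify them.
KNOCK_SEQUENCE = (7000, 8000, 9000)  # hypothetical knock ports, in order
SERVICE_PORT = 22                    # hypothetical port opened after a valid knock
WINDOW_SECONDS = 10.0                # hypothetical time limit for the whole knock

@dataclass
class KnockTracker:
    progress: dict = field(default_factory=dict)  # src_ip -> (next index, start time)
    opened: set = field(default_factory=set)      # (src_ip, port) pairs granted access

    def observe(self, ts: float, src_ip: str, dst_port: int) -> bool:
        """Process one logged SYN to a closed port; True if it completes the knock."""
        idx, start = self.progress.get(src_ip, (0, ts))
        if ts - start > WINDOW_SECONDS:
            idx, start = 0, ts                    # attempt took too long: start over
        if dst_port == KNOCK_SEQUENCE[idx]:
            idx += 1
        elif dst_port == KNOCK_SEQUENCE[0]:
            idx, start = 1, ts                    # wrong port, but it begins a new knock
        else:
            idx = 0                               # any other port discards progress
        if idx == len(KNOCK_SEQUENCE):
            self.progress.pop(src_ip, None)
            self.opened.add((src_ip, SERVICE_PORT))  # stand-in for adding a firewall rule
            return True
        if idx:
            self.progress[src_ip] = (idx, start)
        else:
            self.progress.pop(src_ip, None)
        return False

# Constructed log records: (timestamp in seconds, source IP, destination port).
SAMPLE_LOG = [
    (0.0, "198.51.100.7", 7000), (1.0, "198.51.100.7", 8000),
    (1.2, "203.0.113.9", 7000), (1.4, "203.0.113.9", 22),     # port sweep resets itself
    (2.0, "198.51.100.7", 9000),                               # valid knock completes
    (3.0, "203.0.113.9", 8000), (3.1, "203.0.113.9", 9000),
    (20.0, "192.0.2.44", 7000), (21.0, "192.0.2.44", 8000),
    (40.0, "192.0.2.44", 9000),                                # correct ports, too slow
]

def replay(log):
    """Return the sources whose knocks were accepted, and the tracker state."""
    tracker = KnockTracker()
    granted = [src for ts, src, port in log if tracker.observe(ts, src, port)]
    return granted, tracker
```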
The addressing scheme for the TCP/IPv4 protocol allows for a unique 32-bit IP address for each computer. In addition to an IP address for a computer, 16-bit port numbers are used to establish logical connections for transmission of data. For a given packet being transmitted from a source to a destination, there are a total of two IP addresses, source and destination, and also two ports, source and destination. Most applications transmit data based on a client/server architecture. One machine is the server and the other is the client. When the client requests data from a server, the destination port number used in the requesting packet determines the service. For example, for a web browser running on a client computer to access a web page, a datagram with the destination of port 80 is sent to the server. The association of well-known services to port numbers is maintained by IANA [1]. Each of the well-known ports can be thought of as a door, behind which a certain service resides. The two IP addresses and the two port numbers all together identify a socket, or an end-to-end logical communication link between two devices.
TCP sockets are established with a 3-way handshake as shown in Figure 1. The client initiates the connection with a synchronize (SYN) packet. The server responds with a SYN-ACK packet that requests synchronization with the client, and also acknowledges (ACK) the initial SYN packet. The final part of the handshake is an ACK packet that the client sends to the server. This handshake provides a robust method to establish a socket but also allows anonymous information gathering. Programs such as NMAP [2] send SYN packets and other packet types that normally initiate some sort of reply. These replies are analyzed to answer questions such as “Is the IP address valid with a device that is powered on?”, “What services are offered on the machine?”, and even “What operating system is running?”. This information can be gathered automatically and can be used to plan a malicious attack or may automatically be used by malware to launch attempts at compromising identified machines. Server ports can be kept
Proceedings of the 2005 American Society for Engineering Education Annual Conference & Exposition Copyright © 2005, American Society for Engineering Education
Lunsford, P., & Wright, E. (2005, June), Closed Port Authentication With Port Knocking Paper presented at 2005 Annual Conference, Portland, Oregon. https://peer.asee.org/14788
ASEE holds the copyright on this document. It may be read by the public free of charge. Authors may archive their work on personal websites or in institutional repositories with the following citation: © 2005 American Society for Engineering Education. Other scholars may excerpt or quote from these materials with the same citation. When excerpting or quoting from Conference Proceedings, authors should, in addition to noting the ASEE copyright, list all the original authors and their institutions and name the host city of the conference. - Last updated April 1, 2015