Monday, February 5, 2018

Port Knocking 101

In computer networking, port knocking is a method of externally opening ports on a firewall by generating connection attempts on a set of pre-specified closed ports. Once the correct sequence of connection attempts is received, firewall rules are dynamically modified to allow the host to connect over a specific port.

The primary purpose of port knocking is to prevent an attacker from scanning a system for potentially exploitable services.

The port “knock” itself is similar to a secret handshake and can consist of any number of TCP/UDP or even sometimes ICMP and other protocol packets to numbered ports on the destination machine. The complexity of the knock can be anything from a simple ordered list to a complex time-dependent, source-IP-based and other-factor-based encrypted hash.

Defeating port knocking protection requires large-scale brute force attacks in order to discover even simple sequences. An anonymous brute force attack against a three-knock TCP sequence (e.g. ports 1000, 2000, 3000) would require an attacker to test every three-port combination in the 1–65535 range and then scan each port between attempts to uncover any changes in port access on the target system.

Since port knocking is by definition stateful, the requested port would not open until the correct three-port sequence had been received in the correct order and without any other intervening packets from the source. This technique, in combination with knock-attempt limiting, longer or more complex sequences and cryptographic hashes, makes successful port access attempts extremely difficult.
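A minimal model of the server-side state machine described above, as an added example that is not part of the original post: each source must hit the closed ports in order, any intervening packet resets its progress, and repeatedly broken sequences trigger attempt-limiting. The class and function names and the packet tuples are assumptions constructed for the example; no real firewall is touched.

```python
"""Added example, not from the post: server side of a port knock.
Ports must be hit in order with no intervening packet from that source;
broken sequences count toward a ban. Packets are constructed tuples and
no real firewall is touched; all names here are this example's own."""
from collections import defaultdict

class KnockTracker:
    def __init__(self, sequence, protected_port, max_failures=3):
        self.sequence = tuple(sequence)        # e.g. (1000, 2000, 3000)
        self.protected_port = protected_port   # opened only after a full knock
        self.max_failures = max_failures       # knock-attempt limiting
        self.progress = defaultdict(int)       # src -> knocks matched so far
        self.failures = defaultdict(int)       # src -> broken sequences
        self.allowed = set()                   # srcs granted access
        self.banned = set()                    # srcs over the failure limit

    def observe(self, src, dst_port):
        """Feed one packet seen at the firewall; returns the resulting state."""
        if src in self.banned:
            return "banned"
        if src in self.allowed:
            return "open" if dst_port == self.protected_port else "ignored"
        if dst_port == self.sequence[self.progress[src]]:
            self.progress[src] += 1
            if self.progress[src] < len(self.sequence):
                return "partial"
            self.progress[src] = 0
            self.allowed.add(src)   # a real daemon would insert a firewall rule here
            return "open"
        # Any other packet from this source breaks the sequence: start over.
        if self.progress[src] > 0:
            self.progress[src] = 0
            self.failures[src] += 1
            if self.failures[src] >= self.max_failures:
                self.banned.add(src)
                return "banned"
        return "reset"

def run_sample():
    """Constructed traffic: one correct knocker and one scanner-like host."""
    tracker = KnockTracker((1000, 2000, 3000), protected_port=22)
    packets = [("10.0.0.5", 1000), ("10.0.0.5", 2000), ("10.0.0.5", 3000),
               ("10.0.0.5", 22),                        # now reaches the service
               ("10.0.0.9", 1000), ("10.0.0.9", 1001),  # sweep breaks the order
               ("10.0.0.9", 22)]                        # still closed to the scanner
    return [(src, port, tracker.observe(src, port)) for src, port in packets]

if __name__ == "__main__":
    print(run_sample())
```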

To be continued..


Replies

You are welcome! I will try to add more stuff later (To be continued..) Make sure to share the article ;-)