IEEE 2012 International Conference on Cyber Security, Cyber Warfare and Digital Forensic (CyberSec) ...
TRANSCRIPT
Simple Port Knocking Method Against TCP Replay Attack and Port Scanning
Fakariah Hani Mohd Ali
Faculty of Computer and Mathematical Sciences
Universiti Teknologi MARA
Shah Alam, Malaysia
Rozita Yunos
Faculty of Computer and Mathematical Sciences
Universiti Teknologi MARA
Shah Alam, Malaysia
Mohd Azuan Mohamad Alias
Faculty of Computer and Mathematical Sciences
Universiti Teknologi MARA
Shah Alam, Malaysia
Abstract— Port knocking was introduced to prevent attackers from discovering and exploiting potentially vulnerable services on a network host, while still allowing authenticated users to access those services. Despite being a potentially useful tool, it suffers from various vulnerabilities such as TCP replay and port scanning. This project proposes a new approach to existing port knocking that employs source port sequences, which simplifies the port knocking technique. The source port is normally generated automatically by the operating system; here it is pre-assigned so that it forms a sequence. A technique to control when a given service starts and stops was introduced to mitigate the problems of TCP replay attacks and port scanning. The performance of the proposed method was evaluated by measuring the authentication time needed to knock on the server. As a result, the proposed method worked faster than other methods such as basic port knocking and Fwknop + SPA. This shows that the proposed method is simple and at the same time resists TCP replay attacks and port scanning.
Keywords: Port knocking; source port sequences; TCP replay attack; port scanning
I. INTRODUCTION
Port knocking is a method developed by [1] for establishing a connection between hosts across the closed ports of a firewall, so that the firewall's security measure is not weakened. Originally, the primary aim of port knocking was to provide an extra layer of security through authentication, with the additional benefit of concealment. However, port knocking itself suffers from several vulnerabilities such as TCP replay attacks, port scanning, reliance on security through obscurity, and packet delivery out of order due to network latency [2].
An attacker uses port scanning together with a sniffer in promiscuous mode to observe knocking sequence attempts by authorized users [2]. Once a complete, valid sequence has been captured, the attacker replays it to knock on the server (a TCP replay attack), and the server cannot tell whether it is a genuine user. In addition, a port knocking server cannot limit how many concurrent connections a user makes to it. This issue has been discussed widely, and further improvements to port knocking have been proposed. [3, 4] proposed using port knocking with Single Packet Authorization (SPA). SPA fills a gap in port knocking by sending an authentication packet to the server before the connection is established.
[5] introduced the idea of combining port knocking with a hybrid of cryptography, steganography and mutual authentication. This technique is effective against port scanning and TCP replay attacks because, thanks to the steganography, the attacker cannot determine which packet is the actual port knocking packet. [6] introduced the One Time Knocking Framework using SPA and Internet Protocol Security (IPSec) for port knocking. This system adds another layer that generates a port knocking password: the password is generated by a Random Number Generator (RNG) server, sent to the client over the GSM network, and synchronized with the firewall server. A similar concept was proposed in [7] with the Advance Port Knocking Authentication Scheme with QRC using AES. That method uses the same authentication technique, a password generated by the server, but enhances it with a Quadratic Residue Cipher (QRC) to spoof the source IP address, which prevents attackers from gathering information.
This project proposes an approach that simplifies the port knocking method without adding any servers or appliances and that resists TCP replay attacks and port scanning. It focuses on improving port knocking as well as its authentication. Common port knocking problems such as TCP replay attacks and port scanning are addressed carefully to reduce their threat to the proposed design. Consequently, the proposed design avoids any integration with the firewall, in order to ease integration with the existing architecture.
This project uses SSH as the protected service. It compares the proposed method with basic port knocking and Fwknop + SPA, developed by [1] and [3, 4] respectively. The comparison covers port scanning, packet capture and the time to complete the knock sequence.
II. RELATED WORK
Table I summarizes other port knocking methods that are related to this project.
TABLE I. COMPARISON OF OTHERS' PORT KNOCKING PROJECTS
Project Title | Contribution | Strength | Weakness
Basic Port Knocking [1] | Introduces the port knocking system | Makes use of firewall rules to open or close a port | Replayed packets, scanning, packet delivery running out of order
Advanced Port Knocking Suite [8] | Uses DES in the packet sequence | Encryption of the knocking packet | Might be slow, as the packet needs to be encrypted and decrypted
Barricade [9] | Applies ICMP echo request as the knocking packet | Simple implementation | ICMP packet containing the password might be sniffed
Cryptknock [10] | Encrypts the knocking string used by the packet | Difficult to replay a knocking packet by sniffing with tcpdump | Data is read by libpcap, which is configured in monitoring state
Doorman [11] | Introduces a single UDP packet for knocking | Uses an MD5 hash with the UDP packet | MD5 hash might be cracked using a rainbow table
Knockd [12] | Combines TCP and UDP for the knocking packet | Capable of using both TCP and UDP packets | Same implementation as basic port knocking
Sig2Knock [13] | Randomizes the port sequence | Overcomes the issue of port scanning | Difficult to implement
Pasmal [14] | Uses encrypted packets for TCP and ICMP | Can use both ICMP and TCP packets | Usage of encryption may slow down performance
Portkey [15] | Uses TCP ports from the range 1 to 65535 | Can use many of the available TCP ports in the knocking sequence | Similar to basic port knocking; only supports iptables-based firewalls
Cryptographic One-Time Knocking (COK) [16] | Implements port knocking with cryptography | More secure than basic port knocking by adding cryptography | Only capable of being implemented with iptables-based firewalls
Cerberus by Dana Epp [17] | Uses ICMP packets to the knocking server | Applies a special ICMP ping packet | Only capable of being implemented with iptables-based firewalls
Port Knocking with Single Packet Authorization [3][4] | Introduces a single packet as the authentication mechanism | Packet used for authentication is encrypted; difficult to replay | Packet delivery running out of order is not discussed in this project
One Time Knocking Framework using SPA and IPSec [6] | Enhanced use of SPA by tying it together with IPSec | Knocking password is only sent to smartphone users by the RNG server | Integration of IPSec with firewall rules requires a lot of modification; a complex system that is difficult to implement
Network Security Using Hybrid Port Knocking [5] | Combination of cryptography, steganography and mutual authentication | Difficult to replay the packet | Increases the overhead on packet size due to the use of steganography and cryptography
Advanced Port Knocking Authentication Scheme with QRC using AES [7] | The QRC spoofs the IP address | Port scans are difficult to carry out; an IP address is difficult to replicate | The complexity of its design may result in performance issues
The design of this project includes: (a) the use of a source port sequence in place of a destination port sequence; (b) no firewall intervention, so no need to modify firewall rules; (c) the requested service, e.g. SSH, is not started by default and only starts once a valid sequence is received; (d) ease of configuration; (e) operating system independence; (f) the server daemon rejects the client after the third failed knocking attempt.
III. THE NEW PORT KNOCKING METHOD
There are three main steps in this project. First, the client attempts to establish a connection to the server. Second, an authentication mechanism on the server determines whether the client is valid, starts the service and notifies the client that the service has been started. Third, the client is allowed to access the service on the server at a predefined port number. The proposed design is shown in Figure 1.
Figure 1. Sequence diagram for the proposed method (participants: client, firewall, RPK server):
1. The client attempts a connection to the server to start SSH, using the source port sequence and destination port 5001.
2. The firewall ACCEPTs the packet, since port 5001 is open, and passes it to the server.
3. The server validates the source port used by the client: ACCEPT if it matches, otherwise DROP.
4. The SSH service is started and the client establishes the connection on a different destination port.
Step 1 is when the client attempts to make a connection to the server to use a certain service; in this study, the SSH service. Normally, the SSH port remains closed at the firewall while the SSH service itself is already running. In this design, the SSH service is not started, and the port number for SSH is predefined to a different port number. The client sends a packet carrying the identifying information to the server. The information passed from the client to the server is a source port sequence, i.e. ports 55200, 4550, 1220 and 6779, while the destination port is pre-assigned by the server, which only listens for attempts from the port knocking client on a specific port, i.e. port 5001. Normally, such a port is left open by the firewall.
The source port sequence from the client is used as the authentication method to validate the client. The source port sequence is also pre-assigned by the server, so only a valid user knows the range of source ports to be used. Typical firewall rules filter on the remote TCP or UDP destination port, not on the source port used by the client. A detailed explanation of the source and destination ports is given in the next section.
In Step 2, when the server receives a packet from the client, it validates the packet. Only a valid client knows which source port sequence should be used to establish a connection between the server and the client. On its side, the server monitors any connection attempts from clients. Simple program logic accepts or drops a connection depending on whether it matches the rules. Once the server receives a valid source port sequence, it starts the SSH service and notifies the client by sending an execute message. Otherwise, it drops the connection and the SSH service is not started.
In the final step, the client connects again to the server on the predefined SSH port, thereby establishing the connection from the client to the server. In this study, SSH is pre-configured to use port 8080 instead of the default port 22. In future, this port could be configured to use other TCP ports when necessary.
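The three steps above, as an added worked example (this is not the paper's program): a server-side validator that tracks the source port sequence per client IP, and a client-side sender that binds each datagram to the required source port. The paper does not specify a time window, what happens to an out-of-order sequence, or how long a client is rejected after the third failed attempt (design point (f)); the window, the reset-on-mismatch rule and the lock-out period below are assumptions of this example. The demo feeds constructed datagrams, not captured traffic, through the validator with a fake clock so the run is deterministic. Note that the sequence itself is static, so any host that can bind the same four source ports can reproduce it; the lock-out and the hidden, on-demand SSH port are what limit an attacker who has sniffed it.

```python
"""Source-port-sequence port knocking: validator and client (added example)."""
import socket
import time
from dataclasses import dataclass

KNOCK_PORT = 5001                        # single UDP destination port the knock daemon listens on (paper)
SOURCE_SEQ = (55200, 4550, 1220, 6779)   # pre-assigned source port sequence (Section III of the paper)
WINDOW_SEC = 10.0                        # assumption: the whole sequence must arrive within this window
MAX_FAILURES = 3                         # design point (f): reject after the third failed attempt
LOCKOUT_SEC = 300.0                      # assumption: how long a rejected client is ignored


@dataclass
class ClientState:
    index: int = 0              # number of sequence elements matched so far
    first_seen: float = 0.0     # time the current partial sequence started
    failures: int = 0           # failed attempts since the last success
    locked_until: float = 0.0   # 0.0 means not locked


class KnockServer:
    """Server-side validator: one partial sequence per client IP."""

    def __init__(self, sequence=SOURCE_SEQ, on_valid=None, clock=time.monotonic):
        self.sequence = tuple(sequence)
        self.on_valid = on_valid or (lambda ip: None)   # hook that would start the SSH service
        self.clock = clock
        self.clients = {}

    def observe(self, src_ip, src_port, dst_port):
        """Feed one received datagram; returns 'ignored', 'partial', 'accept', 'drop' or 'locked'."""
        if dst_port != KNOCK_PORT:
            return "ignored"
        now = self.clock()
        st = self.clients.setdefault(src_ip, ClientState())
        if st.locked_until:
            if now < st.locked_until:
                return "locked"
            st.locked_until, st.failures = 0.0, 0       # lock-out expired, start afresh
        if st.index and now - st.first_seen > WINDOW_SEC:
            st.index = 0                                # stale partial sequence
        if src_port != self.sequence[st.index]:
            st.failures += 1
            # restart; a packet that happens to be the first element begins a new attempt
            st.index = 1 if src_port == self.sequence[0] else 0
            st.first_seen = now
            if st.failures >= MAX_FAILURES:
                st.index = 0
                st.locked_until = now + LOCKOUT_SEC
                return "locked"
            return "drop"
        if st.index == 0:
            st.first_seen = now
        st.index += 1
        if st.index < len(self.sequence):
            return "partial"
        st.index, st.failures = 0, 0
        self.on_valid(src_ip)                           # start SSH on its predefined port here
        return "accept"


def send_knock(server_ip, sequence=SOURCE_SEQ, dst_port=KNOCK_PORT, gap=0.2):
    """Client side: one empty UDP datagram per element, each explicitly bound to the
    required source port (ports above 1023 need no privilege). Needs a network, so
    demo() does not call it."""
    for sport in sequence:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.bind(("", sport))
            s.sendto(b"", (server_ip, dst_port))
        time.sleep(gap)


def demo():
    """Constructed datagrams (not captured traffic) against the validator with a fake clock."""
    started, clock = [], [0.0]
    srv = KnockServer(on_valid=started.append, clock=lambda: clock[0])

    def pkt(src_ip, src_port, dst_port=KNOCK_PORT):
        clock[0] += 0.2                                 # 200 ms between datagrams
        return srv.observe(src_ip, src_port, dst_port)

    return {
        "genuine": [pkt("192.168.1.103", p) for p in SOURCE_SEQ],
        "scanner": [pkt("10.0.0.9", p) for p in (40001, 40002, 40003, SOURCE_SEQ[0])],
        "out_of_order": [pkt("192.168.1.50", p) for p in (55200, 1220, 4550, 6779)],
        "other_port": pkt("192.168.1.103", 55200, 8080),
        "started_for": started,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The genuine client yields three "partial" verdicts and then "accept", which fires the hook that starts SSH; a scanner probing port 5001 from arbitrary ephemeral source ports is dropped twice and then locked out; a sequence delivered out of order is also rejected, which matches the out-of-order weakness that basic port knocking inherits and this design does not remove.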
Figure 2 shows the sequence diagram for basic port knocking, which differentiates the proposed project from the basic port knocking project [1]. It also shows the process of basic port knocking as compared with the proposed project. The firewall needs to identify whether each incoming packet should be dropped or accepted. In the proposed project, the process flow is shorter because the packet from the client goes directly to the server.
Figure 2. Sequence diagram of basic port knocking (participants: client, firewall, server):
1. The client attempts a connection to the server to start SSH; the firewall blocks port 22 for SSH and DROPs the packet.
2. The client attempts a connection to the server with the predetermined port sequence to start SSH, i.e. ports 100, 200, 300.
3. Packet capture on the firewall identifies the knocking packets and passes the sequence packets to the server.
4. The server validates the knocking sequence and requests the firewall to open port 22.
5. The firewall opens port 22.
6. The client starts the SSH session and establishes the connection.
A. Head To Head Comparisons for Flow Process
Each port knocking project has its own flow process. Basically, the process starts from the moment the client sends a knocking sequence to the server and ends when the server has validated it and the client is able to access the requested service. Figure 3 shows the comparison of the two projects.
Basic port knocking requires more steps to pass a packet from the client to the server and to authenticate the client before it can use the requested service. In contrast, with the proposed method a client only requires three steps before being authenticated to use the service. In addition, the SSH service on the server is not started until a valid knock is received from a user. It is designed this way to enhance security and to make life harder for those who repeatedly attack the server: even if somebody succeeds in sending the packet from the client to the server, they have no idea when a service is requested and started. With basic port knocking, by comparison, the SSH service is already running.
Figure 3. Comparison chart of process flow for basic port knocking and the proposed design:
Basic port knocking: START -> packet from client with knocking sequence 100, 200 & 300 -> firewall identifies knocking packet? NO: DROP packet; YES: ACCEPT packet -> server verifies knocking packet? NO: DROP; YES: ACCEPT and request firewall to open port 22 temporarily -> firewall opens port 22 -> client connects to server on port 22 -> END.
Proposed port knocking method: START -> packet from client with source port sequence 55200, 4550, 1220 & 6779 and destination port 5001 -> server verifies knocking packet? NO: DROP; YES: ACCEPT and start SSH service -> client connects to server on the predefined SSH port number -> END.
As shown in Figure 3, basic port knocking requires more processing before the client can access the server. In addition, it requires integration with the firewall before the client can access the server and use a certain service. In the proposed design, the packet from the client hops directly to the server through a port that is already open in the firewall. From the diagram, basic port knocking uses the destination port sequence to identify the client to the knocking server, whereas the proposed design uses the source port sequence. This makes the packet from the client to the server look like a normal packet, as compared with basic port knocking.
B. Implementation of Proposed Model
In order to implement the proposed method in a real environment, this study proposes the architecture shown in Figure 4.
Figure 4. Proposed port knocking method integrated with the application server at the data centre: User -> Firewall -> Port Knocking Server -> Application Server
The proposed port knocking method is recommended to be located in front of the other application servers. The port knocking server could be the single entry point through which the client accesses the data centre by SSH before hopping to another server for further administrative tasks. This design is proposed in order to minimize the risk of running the proposed program on the application server itself.
However, if end users choose not to add any server to the current infrastructure, they can run the proposed program directly on the application server. The design for this scenario is illustrated in Figure 5.
Figure 5. RPK server running on the application server: User -> Firewall -> Port knocking server (on the application server)
IV. EXPERIMENTAL DESIGN
In this experimental design, three tests were set up. NAT was not set up for any project, as these tests only need to capture packets, scan open ports and measure performance. The firewall used iptables, set up and configured on both servers. Table II shows the parameters used in this project.
A. Test 1 (Sniffing)
A sniffer was set up to collect the port knocking sequence from a client and compare the differences between the three projects. The comparison covers how the sequence packets are transmitted from the client to the server. Wireshark was used to run these tests.
B. Test 2 (Scanning)
Port scanning software was set up to scan and collect the open ports available; Nmap was used. This test collected the ports available before and after the knock on the server was made. Comparing the results differentiated the projects.
TABLE II. PARAMETERS FOR TESTING
Parameter | Basic Port Knocking | Fwknop + SPA | Proposed Method
Port sequence | TCP destination ports 6050, 1000, 4040 & 5000 | Single packet sent to the server with GPG key | UDP destination port 5001; source port sequence UDP 6050, 1000, 4040 & 5000
SSH port to access | Port 22 | Port 22 | Port 8080
Client IP address | 192.168.1.103 | 192.168.1.103 | 192.168.1.103
Server IP address | 192.168.1.106 | 192.168.1.104 | 192.168.1.107
C. Test 3 (Performance)
In order to measure the performance of knocking on the server, the total time for a successful knock on the server was collected. Wireshark was used to capture the time taken by each packet.
V. RESULTS AND DISCUSSIONS
As presented in tests 1 and 2, basic port knocking uses four TCP packets as the sequence; thus it requires 12 packets to complete the whole process. This is the normal pattern for a basic port knocking sequence. As presented in Figure 6, the activity of each protocol type was recorded while the port knocking session was performed.
Figure 6. Activity during knocking session for Basic Port Knocking
In Figure 6, an SSH session was discovered after the knocking sequence was made, as represented by the green line. Additionally, the scanning results show ports opening and closing when the knock sequence was made: basic port knocking keeps port 22 (SSH) closed, but opens it once a valid knock is received. When these two tests were conducted concurrently, the pattern of the port knocking operation could easily be determined. Furthermore, when the captured packets were replayed to the server, the replaying host was able to connect with SSH. Hence, basic port knocking is vulnerable to TCP replay attack.
Figure 7. Activity during knocking session for Fwknop + SPA
Fwknop + SPA only sends one packet, encrypted with a GPG key, to the server for knock authentication. Figure 7 indicates the activity of each protocol during the knocking session. Once the knock on the server succeeded, an SSH session was discovered running on the server. Furthermore, before the knock the firewall state for port 22 (SSH) is closed; after the knock, port 22 is discovered open. Moreover, from test 1, the Fwknop + SPA packet uses port 22 (SSH) as its destination port. Although this makes the service requested by the client easy for an attacker to determine, the knock packet is difficult to replay, as the attacker would need to crack the GPG key.
Figure 8. Activity during knocking session for Proposed Method
The proposed port knocking method uses UDP packets to knock on the server. It uses a source port sequence while keeping a single destination port. Figure 8 shows the activity on the server during the knocking session. No SSH session is visible on the default port on this server after a successful knock: the SSH session is hidden by the proposed method by configuring the service to run on a different port. Moreover, when analysing the packets, it is difficult to determine which service is requested once a knock is conducted. Additionally, there is no integration with the firewall, and all ports in the firewall are closed before and after the knock is conducted. This indicates that the proposed method is capable of mitigating TCP replay attacks and port scanning.
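As a check on the sniffing results of tests 1 and 2, the following added example (not the paper's code) runs two simple knock-pattern heuristics over constructed packet records of the kind Wireshark would show for the Table II set-ups; the timestamps and ephemeral ports are invented for the example, not taken from the paper's captures. A destination-port heuristic that looks for one source touching several distinct ports in quick succession fingerprints the basic port knocking session but not the proposed method, whose datagrams all go to one port. The caveat a practitioner should note is that an observer can still key on the source ports: because the sequence is static, the same ordered source-port tuple recurs in every session, which separates it from the random ephemeral ports of ordinary UDP clients such as a DNS resolver.

```python
"""Knock-pattern detection over captured packets (added example)."""
from collections import defaultdict
from typing import NamedTuple


class Pkt(NamedTuple):
    """One row as a sniffer would show it: time, protocol and the 4-tuple."""
    ts: float
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


# Constructed captures (not the paper's data), modelled on the Table II set-ups.
BASIC_KNOCK = [      # basic port knocking: four TCP knocks to distinct closed ports, then SSH on 22
    Pkt(0.00, "TCP", "192.168.1.103", 51000, "192.168.1.106", 6050),
    Pkt(0.21, "TCP", "192.168.1.103", 51001, "192.168.1.106", 1000),
    Pkt(0.43, "TCP", "192.168.1.103", 51002, "192.168.1.106", 4040),
    Pkt(0.65, "TCP", "192.168.1.103", 51003, "192.168.1.106", 5000),
    Pkt(1.10, "TCP", "192.168.1.103", 51004, "192.168.1.106", 22),
]
PROPOSED_KNOCK = [   # proposed method: four UDP datagrams to port 5001 from fixed source ports, then SSH on 8080
    Pkt(0.00, "UDP", "192.168.1.103", 55200, "192.168.1.107", 5001),
    Pkt(0.21, "UDP", "192.168.1.103", 4550, "192.168.1.107", 5001),
    Pkt(0.43, "UDP", "192.168.1.103", 1220, "192.168.1.107", 5001),
    Pkt(0.65, "UDP", "192.168.1.103", 6779, "192.168.1.107", 5001),
    Pkt(1.10, "TCP", "192.168.1.103", 51010, "192.168.1.107", 8080),
]
PROPOSED_KNOCK_LATER = [p._replace(ts=p.ts + 3600.0) for p in PROPOSED_KNOCK]  # same client, an hour later
DNS_NOISE = [        # ordinary UDP traffic: three DNS queries from random ephemeral ports
    Pkt(0.00, "UDP", "192.168.1.103", 41234, "192.168.1.1", 53),
    Pkt(0.50, "UDP", "192.168.1.103", 58812, "192.168.1.1", 53),
    Pkt(1.00, "UDP", "192.168.1.103", 33007, "192.168.1.1", 53),
]


def _grouped(pkts, key):
    """Group packets by key and sort each group by time."""
    groups = defaultdict(list)
    for p in pkts:
        groups[key(p)].append(p)
    for g in groups.values():
        g.sort(key=lambda p: p.ts)
    return groups


def _first_run(plist, field, min_len, window):
    """Earliest run of >= min_len distinct values of `field` within `window` seconds, in order seen."""
    for i, first in enumerate(plist):
        seen = []
        for p in plist[i:]:
            if p.ts - first.ts > window:
                break
            value = getattr(p, field)
            if value not in seen:
                seen.append(value)
        if len(seen) >= min_len:
            return tuple(seen)
    return None


def dst_port_knocks(pkts, min_ports=3, window=5.0):
    """Basic port knocking signature: one source touches >= min_ports distinct
    destination ports on one host in quick succession."""
    hits = {}
    for key, plist in _grouped(pkts, lambda p: (p.src, p.dst)).items():
        run = _first_run(plist, "dport", min_ports, window)
        if run:
            hits[key] = run
    return hits


def src_port_sequences(pkts, min_len=3, window=5.0):
    """Source port sequence signature: >= min_len datagrams to the same destination
    port, each from a different source port. Ordinary UDP clients trigger this too,
    so on its own it is only a weak indicator."""
    seqs = {}
    for key, plist in _grouped(pkts, lambda p: (p.src, p.dst, p.dport)).items():
        run = _first_run(plist, "sport", min_len, window)
        if run:
            seqs[key] = run
    return seqs


def recurring_sequences(captures, min_len=3):
    """Ephemeral ports are random, so an identical ordered source port tuple seen in
    two or more separate captures is a static knock sequence. Returns {seq: count}."""
    counts = defaultdict(int)
    for cap in captures:
        for seq in set(src_port_sequences(cap, min_len).values()):
            counts[seq] += 1
    return {s: n for s, n in counts.items() if n >= 2}


def analyse():
    """Run all three heuristics over the constructed captures."""
    return {
        "basic_by_dst": dst_port_knocks(BASIC_KNOCK),
        "proposed_by_dst": dst_port_knocks(PROPOSED_KNOCK),
        "proposed_by_src": src_port_sequences(PROPOSED_KNOCK),
        "recurring": recurring_sequences([PROPOSED_KNOCK, PROPOSED_KNOCK_LATER, DNS_NOISE]),
    }


if __name__ == "__main__":
    for name, result in analyse().items():
        print(f"{name}: {result}")
```

The basic session is flagged immediately by the destination-port run (6050, 1000, 4040, 5000 followed by 22), the proposed session produces no destination-port hit at all, and the DNS queries trip the weak source-port heuristic once but never recur, whereas the proposed sequence is reported as recurring as soon as a second session is captured.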
In terms of performance, basic port knocking was slower than the other projects because it needs to send more packets. Figure 9 shows the performance of each port knocking method. Fwknop + SPA performed slower than the proposed design but slightly faster than basic port knocking. This indicates that the proposed method is simpler in terms of overall implementation.
Figure 9. Comparison of three port knocking methods
VI. CONCLUSION
The sequence technique used to knock on the server differs from basic port knocking. The source port sequence used in the proposed design makes analysis harder than a destination port sequence does. Moreover, both the source port sequence and the destination port are pre-defined and known in advance to the client and the server.
From the experiments, the results showed that the proposed method performed better than the other projects in the time taken to complete the knocking sequence. This is because UDP packets do not require a handshake, and because the method does not integrate with any firewall. Avoiding firewall integration also makes the proposed design easy to configure and implement in different environments. The main reason not to integrate with the firewall is that some firewalls are not iptables-based, which makes integration difficult.
In order to mitigate the TCP replay attacks and port scanning faced by port knocking, the proposed design recommends starting and stopping the service on demand once a knock is made. In this project, the SSH service is configured to start only once a valid knock is received. The reason for this approach is that, even when an attacker knows the sequence and tries to replay it, they do not know whether the service is running or starting, as shown by the sniffing results. This provides another layer of protection for the service. Additionally, configuring the SSH service to run on a different port is another way to protect the server from port scanning.
The results also showed that the proposed method is simple and at the same time resists TCP replay attacks and port scanning. This method benefits system administrators who need to access a server remotely but are subject to strict firewall rules.
REFERENCES
[1] M. Krzywinski, "Port Knocking: Network Authentication across Closed Ports", SysAdmin Magazine, vol. 12, 2003, pp. 12-17.
[2] A. Narayanan, "A critique of port knocking", Linux Journal, 2004.
[3] M. Rash, "FWKnop with SPA by Michael Rash", available at http://cipherdyne.org/fwknop/docs/SPA.html, 2004.
[4] M. Rash, "Protecting SSH Servers with Single Packet Authorization", Linux Journal, vol. 2007, no. 157, 2007.
[5] H. A. Bahadili, "A Network Security Using Hybrid Port Knocking", IJCSNS International Journal of Computer Science and Network Security, vol. 10, no. 8, August 2010, pp. 8-12.
[6] J. H. Liew, S. Lee, I. Ong, H. J. Lee, H. Lim, "One Time Knocking Framework using SPA and IPSec", 2010 2nd International Conference on Education Technology and Computer (ICETC), 2010, pp. 209-213.
[7] V. Srivastara, A. Kumar, A. D. Roy, V. K. Chanrasiya, R. Gupta, "Advance Port Knocking Authentication Scheme with QRC using AES", 2011 International Conference on Emerging Trends in Networks and Computer Communications (ETNCC), 2011, pp. 159-163.
[8] R. Bidou, "Advanced Port Knocking Suite", available at http://www.iv2-technologies.com/~rbidou/, 2004.
[9] F. Vannini, "Barricade, port knocking with ICMP packet", available at http://www.lightning.eu.org/barricade/, 2004.
[10] J. Walko, "A simple encrypted port knocker", available at http://cryptknock.sourceforge.net/, 2004.
[11] J. B. Ward, "The Doorman or Silent Running", available at http://doorman.sourceforge.net/, 2005.
[12] J. Vinet, "Implementation of Port knocking with Knockd", available at http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki, 2004.
[13] T. Keong and Capella, "SIG^2 Port Knocking: Remote Server Management using Dynamic Port Knocking and Forwarding", available at http://www.security.org.sg/code/sig2portknock.pdf, 2004.
[14] J. Meeha, "Port knocking implementation in C with Pasmal", available at http://www.sourceforge.net/projects/pasmal/, 2004.
[15] T. Smith, "Portkey port knocking", available at http://www.smee.org/software/portkey/, 2004.
[16] D. Worth, "COK - Cryptographic One-Time Knocking", available at http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-worth-up.pdf, 2004.
[17] D. Epp, "Introduction to Cerberus: Port Knocking with covert packets to secretly open your firewall", Scorpion Software, available at http://silverstr.ufies.org/blog/Cerberus.ppt, 2004.