[ieee 2012 international conference on cyber security, cyber warfare and digital forensic (cybersec)...


Upload: mohd-azuan

Post on 25-Jan-2017


Simple Port Knocking Method Against TCP Replay Attack and Port Scanning

Fakariah Hani Mohd Ali, Rozita Yunos, Mohd Azuan Mohamad Alias
Faculty of Computer and Mathematical Sciences, Universiti Teknologi MARA, Shah Alam, Malaysia
[email protected], [email protected], [email protected]

Abstract— Port knocking was the first technique introduced to prevent attackers from discovering and exploiting potentially vulnerable services on a network host while still allowing authenticated users to reach those services. Despite being a potentially useful tool, it suffers from several weaknesses, such as TCP replay and port scanning. This project proposes a new approach to port knocking that employs source port sequences to simplify the knocking technique. The source port is normally chosen automatically by the operating system; here it is pre-assigned so that the client emits a known sequence. A technique that controls when a given service starts and stops was introduced to mitigate TCP replay attacks and port scanning. The performance of the proposed method was evaluated by measuring the time needed to authenticate (knock) to the server. The proposed method completed the knock faster than basic port knocking and Fwknop + SPA. This shows that the proposed method is simple while still resisting TCP replay attacks and port scanning.

Keywords: Port Knocking; Source port sequences; TCP Replay Attack; Port Scanning

I. INTRODUCTION

Port knocking is a method developed by [1] that lets a client pass through a firewall that otherwise blocks the service, in order to establish a connection to a server. It sets up communication between hosts across an environment in which the ports are closed. The primary aim of port knocking was to provide an extra layer of security through authentication, with the additional benefit of concealment. However, port knocking itself suffers from several weaknesses: TCP replay attacks, port scanning, reliance on security through obscurity, and out-of-order packet delivery caused by network latency [2].

An attacker sniffs the network in promiscuous mode and observes the knock sequence sent by an authorized user [2]. Once a complete valid sequence has been captured, the attacker replays it against the server (a TCP replay attack), and the server cannot tell whether the knock came from a genuine user. In addition, a port knocking server cannot limit how many concurrent connections a user makes to it. These issues have been discussed widely, and several improvements to port knocking have been proposed. [3, 4] proposed combining port knocking with Single Packet Authorization (SPA). SPA fills the gap in port knocking by sending a single authentication packet to the server before the connection is established.

[5] introduced the idea of port knocking using a hybrid of cryptography, steganography and mutual authentication. This technique is effective against port scanning and TCP replay because, owing to the steganography, the attacker cannot determine which packet actually carries the knock. [6] introduced the One Time Knocking Framework, which uses SPA and Internet Protocol Security (IPsec) for port knocking. This system adds another layer for generating the port knocking password: a password is generated by a Random Number Generator (RNG) server, sent to the client over the GSM network, and synchronised with the firewall server. A similar concept was proposed in [7] as the Advance Port Knocking Authentication Scheme with QRC using AES. That method uses the same authentication technique, a password generated by the server, but enhances it with a Quadratic Residue Cipher (QRC) used to spoof the source IP address, which prevents attackers from gathering information.

This project proposes an approach that simplifies the port knocking method without adding any servers or appliances and that withstands TCP replay attacks and port scanning. It focuses on improving both the port knocking mechanism and the authentication it performs. The common problems of port knocking, TCP replay and port scanning, are addressed so as to reduce their threat to the proposed design. The proposed design also avoids any integration with the firewall, in order to ease integration with existing architectures.

This project uses SSH as the service protected by port knocking. The proposal is compared with basic port knocking [1] and with Fwknop + SPA [3, 4]. The comparison covers port scanning, packet capture and the time needed to complete the knock sequence.

978-1-4673-1677-4

II. RELATED WORK

Table I summarizes other port knocking methods related to this project and compares their contributions, strengths and weaknesses.

TABLE I. COMPARISON OF OTHERS' PORT KNOCKING PROJECTS

Project: Basic Port Knocking [1]
  Contribution: Introduced the port knocking system.
  Strength: Makes use of firewall rules to open or close a port.
  Weakness: Replay of packets, scanning, packet delivery running out of order.

Project: Advanced Port Knocking Suite [8]
  Contribution: Uses DES on the packet sequence.
  Strength: Knocking packets are encrypted.
  Weakness: Might be slow, as each packet needs to be encrypted and decrypted.

Project: Barricade [9]
  Contribution: Uses an ICMP echo request as the knocking packet.
  Strength: Simple implementation.
  Weakness: The ICMP packet containing the password might be sniffed.

Project: Cryptknock [10]
  Contribution: Encrypts the knocking string carried in the packet.
  Strength: Difficult to replay a knocking packet captured with tcpdump.
  Weakness: Data is read through libpcap, which requires the interface to be configured in monitoring mode.

Project: Doorman [11]
  Contribution: Introduces a single UDP packet for knocking.
  Strength: Uses an MD5 hash in the UDP packet.
  Weakness: The MD5 hash might be cracked with a rainbow table.

Project: Knockd [12]
  Contribution: Combines TCP and UDP knocking packets.
  Strength: Can use both TCP and UDP packets.
  Weakness: Same implementation as basic port knocking.

Project: Sig2Knock [13]
  Contribution: Randomises the port sequence.
  Strength: Overcomes the port scanning issue.
  Weakness: Difficult to implement.

Project: Pasmal [14]
  Contribution: Uses encrypted packets over TCP and ICMP.
  Strength: Can use both ICMP and TCP packets.
  Weakness: Use of encryption may slow down performance.

Project: Portkey [15]
  Contribution: Uses TCP ports from the range 1 to 65535.
  Strength: Many TCP ports are available for the knocking sequence.
  Weakness: Similar to basic port knocking; only supports iptables-based firewalls.

Project: Cryptographic One-Time Knocking (COK) [16]
  Contribution: Implements port knocking with cryptography.
  Strength: More secure than basic port knocking thanks to the added cryptography.
  Weakness: Can only be implemented with iptables-based firewalls.

Project: Cerberus by Dana Epp [17]
  Contribution: Uses ICMP packets to reach the knocking server.
  Strength: Applies a special ICMP ping packet.
  Weakness: Can only be implemented with iptables-based firewalls.

Project: Port Knocking with Single Packet Authorization [3, 4]
  Contribution: Introduces a single packet as the authentication mechanism.
  Strength: The authentication packet is encrypted and therefore difficult to replay.
  Weakness: Out-of-order packet delivery is not discussed in this project.

Project: One Time Knocking Framework using SPA and IPsec [6]
  Contribution: Enhanced use of SPA by tying it together with IPsec.
  Strength: The knocking password is only sent to smartphone users by the RNG server.
  Weakness: Integrating IPsec with the firewall rules requires a lot of modification; a complex system that is difficult to implement.

Project: Network Security Using Hybrid Port Knocking [5]
  Contribution: Combination of cryptography, steganography and mutual authentication.
  Strength: Difficult to replay the packet.
  Weakness: Increases packet-size overhead due to the use of steganography and cryptography.

Project: Advanced Port Knocking Authentication Scheme with QRC using AES [7]
  Contribution: The QRC spoofs the IP address.
  Strength: Port scans are difficult to carry out, and the IP address is difficult to replicate.
  Weakness: The complexity of the design may result in performance issues.

The design of this project includes: (a) use of a source port sequence in place of the destination port sequence; (b) no firewall intervention, so no need to modify firewall rules; (c) the requested service, e.g. SSH, is not started by default and only starts once a valid sequence is received; (d) ease of configuration; (e) independence from the operating system; (f) the server daemon rejects the client once its third knocking attempt fails.

III. THE NEW PORT KNOCKING METHOD

There are three main steps in this method. First, the client attempts to establish a connection to the server. Second, an authentication mechanism on the server determines whether the client is valid, starts the service and notifies the client that the service has been started. Finally, the client is allowed to access the service on the server at a predefined port number. The proposed design is shown in Figure 1.

Figure 1. Sequence diagram for the proposed method (participants: client, firewall, RPK server)
  1. Client attempts a connection to the server to start SSH, using the source port sequence and destination port 5001.
  2. Firewall ACCEPTs the packet, since port 5001 is open, and passes it to the server.
  3. Server validates the source ports used by the client: ACCEPT if they match, otherwise DROP.
  4. SSH service is started; client establishes the SSH connection on a different destination port.

Step 1 is when the client attempts to connect to the server to use a certain service; in this study that service is SSH. Normally the SSH port is kept closed by the firewall while the SSH service itself is already running. In this design the SSH service is not started, and SSH is configured on a port number other than the default. The client sends a packet carrying the authentication information to the server. The information passed from the client to the server is a source port sequence, e.g. ports 55200, 4550, 1220 and 6779, sent to a destination port that is pre-assigned by the server, which listens only on that specific port for knock attempts from the port knocking client, e.g. port 5001. Such a port is normally left open in the firewall.

The source port sequence from the client is used as the authentication method to validate the client. The sequence is also pre-assigned by the server, so only a valid user knows which source ports are to be used. Firewalls typically filter on the remote TCP or UDP (destination) port, not on the source port being used, so knock packets on the permitted destination port are not distinguished from ordinary traffic. Detailed explanations of the source and destination ports are given in the next section.

In Step 2, when the server receives a packet from the client, it validates the packet. Only a valid client knows which source port sequence must be used to establish a connection between the client and the server. The server, for its part, monitors every connection attempt from clients. Simple program logic either accepts or drops a connection according to whether it matches the rules. Once the server receives a valid source port sequence, it starts the SSH service and notifies the client by sending an execute message. Otherwise it drops the connection and the SSH service is not started.

In the final step, the client connects again to the server on the predefined SSH port, thereby establishing the SSH connection. In this study SSH is pre-configured to use port 8080 instead of the default port 22. In future this port can be configured to any other TCP port as necessary.
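The three steps above, as an added Python example that is not the authors' RPK program: a server-side validator for the source-port sequence with the start/stop gating of design point (c) and the third-failure rejection of point (f), plus the client-side sender that binds each datagram to the required source port. Port numbers are those of Table II; the 30-second service window, counting each wrong source port as one failed attempt, the verdict names and the datagram payload are assumptions of this example.

```python
"""Source-port-sequence knock validator and client (Section III, Steps 1 to 3).

Added example, not the paper's RPK daemon. Port numbers follow Table II; the
service window, the state machine and the payload are assumptions of this file.
"""
import socket
import time
from dataclasses import dataclass

KNOCK_PORT = 5001                           # single UDP destination port the daemon listens on
SOURCE_SEQUENCE = (6050, 1000, 4040, 5000)  # pre-assigned source ports, in order (Table II)
SSH_PORT = 8080                             # SSH is configured on this port, not 22
MAX_FAILURES = 3                            # design point (f): reject after the third failed attempt
SERVICE_WINDOW = 30.0                       # assumed: seconds SSH stays up after a valid knock


@dataclass
class ClientState:
    index: int = 0      # position reached in the sequence
    failures: int = 0   # failed attempts so far (assumption: one per wrong source port)


class KnockServer:
    """Tracks each client's progress through the source-port sequence (Step 2)."""

    def __init__(self, sequence=SOURCE_SEQUENCE, knock_port=KNOCK_PORT,
                 max_failures=MAX_FAILURES, window=SERVICE_WINDOW, clock=time.monotonic):
        self.sequence = tuple(sequence)
        self.knock_port = knock_port
        self.max_failures = max_failures
        self.window = window
        self.clock = clock                  # injectable so tests are deterministic
        self.clients = {}
        self.service_started_at = None      # None: SSH not running (design point (c))

    def service_running(self):
        """SSH is up only inside the window after a valid knock; it stops when the window expires."""
        if self.service_started_at is None:
            return False
        if self.clock() - self.service_started_at >= self.window:
            self.service_started_at = None
            return False
        return True

    def handle(self, src_ip, src_port, dst_port):
        """Verdict for one datagram: DROP, BLOCKED, PROGRESS or ACCEPT."""
        if dst_port != self.knock_port:
            return "DROP"                   # the daemon only listens on the knock port
        st = self.clients.setdefault(src_ip, ClientState())
        if st.failures >= self.max_failures:
            return "BLOCKED"                # third failure reached: this client is ignored (no unblock here)
        if src_port == self.sequence[st.index]:
            st.index += 1
            if st.index < len(self.sequence):
                return "PROGRESS"
            st.index, st.failures = 0, 0    # full sequence seen: start SSH, reset the client
            self.service_started_at = self.clock()
            return "ACCEPT"
        st.failures += 1                    # wrong (or out-of-order) port: one failed attempt
        st.index = 1 if src_port == self.sequence[0] else 0   # a first-port hit restarts the sequence
        return "DROP"


def replay_packets(server, packets):
    """Feed (src_ip, src_port, dst_port) tuples, e.g. taken from a capture, and collect verdicts."""
    return [server.handle(*pkt) for pkt in packets]


def send_knocks(server_ip, sequence=SOURCE_SEQUENCE, knock_port=KNOCK_PORT, gap=0.05):
    """Client side of Step 1: one UDP datagram per knock, each bound to the required source port.

    Without bind() the OS would pick an ephemeral source port, so the client fixes it
    explicitly. The gap keeps the knocks in order on a slow link; ports below 1024 need root."""
    for port in sequence:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind(("", port))
            s.sendto(b"knock", (server_ip, knock_port))
        time.sleep(gap)


if __name__ == "__main__":
    # Constructed datagrams standing in for a capture: one valid knock, then a scanner
    # probing the knock port with wrong source ports until it is blocked.
    server = KnockServer()
    client = [("192.168.1.103", p, KNOCK_PORT) for p in SOURCE_SEQUENCE]
    scanner = [("192.168.1.50", p, KNOCK_PORT) for p in (40000, 40001, 40002, 6050)]
    print("client :", replay_packets(server, client), "ssh on", SSH_PORT, "up:", server.service_running())
    print("scanner:", replay_packets(server, scanner))
```

Running the file replays the constructed client and scanner datagrams through the validator; send_knocks() is the only part that touches the network and is not invoked by the demo. A knock that arrives out of order is counted as a failure, which is exactly the latency problem [2] raises against port knocking, so the client-side gap between datagrams matters in practice.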

Figure 2 shows the sequence diagram for basic port knocking [1], which highlights the difference between the proposed method and the basic scheme. In basic port knocking, the firewall must identify each incoming packet and decide whether it is to be dropped or accepted. In the proposed method the flow is shorter, because the packet from the client goes directly to the server.

Figure 2. Sequence diagram of basic port knocking (participants: client, firewall, server)
  1. Client attempts a connection to the server to start SSH; the firewall blocks port 22 (SSH) and DROPs the packet.
  2. Client attempts connections to the server with the predetermined port sequence, e.g. ports 100, 200, 300, to start SSH.
  3. Packet capture on the firewall identifies the knocking packets and passes the sequence to the server.
  4. Server validates the knocking sequence and requests the firewall to open port 22.
  5. Firewall opens port 22; client starts the SSH session and establishes the connection.

A. Head To Head Comparisons for Flow Process

Each port knocking project has its own process flow. Basically, the process runs from the moment the client sends a knocking sequence to the server until the server validates it and the client is able to access the requested service. Figure 3 compares the flows of the two projects.

Basic port knocking requires more steps to get a packet from the client to the server and to authenticate the client before it may use the requested service. With the proposed method, a client needs only three steps before it is authenticated to use the service. In addition, the SSH service on the server is not started until a valid knock is received. This is designed to strengthen security and to add difficulty for anyone who repeatedly attacks the server: even if somebody manages to deliver the packet from the client to the server, they have no idea when the service is requested and started. In basic port knocking, by contrast, the SSH service is already running.

Figure 3. Comparison chart of process flow for basic port knocking and the proposed design

BASIC PORT KNOCKING
  START -> packet from client with knocking sequence 100, 200 & 300
  -> Firewall identifies knocking packet? NO: DROP packet. YES: ACCEPT packet
  -> Server verifies knocking packet? NO: DROP. YES: ACCEPT & request firewall to open port 22 temporarily
  -> Firewall opens port 22
  -> Client connects to server on port 22 -> END

PROPOSED PORT KNOCKING METHOD
  START -> packet from client with source port sequence 55200, 4550, 1220 & 6779, destination port 5001
  -> Server verifies knocking packet? NO: DROP. YES: ACCEPT & start SSH service
  -> Client connects to server on the predefined SSH port number -> END

As shown in Figure 3, basic port knocking requires more processing before the client can access the server, including integration with the firewall before the client may use a given service. In the proposed design, the packet from the client reaches the server directly through whatever port the firewall leaves open. Basic port knocking uses the destination port sequence to identify the knock to the server, whereas the proposed design uses the source port sequence to identify the client. This makes the knock packets look like normal traffic, as compared with basic port knocking.

B. Implementation of Proposed Model

In order to implement the proposed method in a real environment, this study proposes the architecture shown in Figure 4.

Figure 4. Proposed port knocking method integrated with the application server at the data centre (User -> Firewall -> Port knocking server -> Application server)

The proposed port knocking server is recommended to be placed in front of the other application servers. It serves as the entry point through which a client reaches the data centre over SSH before hopping to another server for further administrative tasks. The design is proposed this way to minimise the risk of running the proposed program on the application server itself.

However, if end users choose not to add a server to the current infrastructure, they can run the proposed program directly on the application server. The design for this scenario is illustrated in Figure 5.

Figure 5. RPK server running on the application server (User -> Firewall -> Port knocking server)

IV. EXPERIMENTAL DESIGN

In this experimental design, three tests were set up. NAT was not configured for any of the projects, as the tests only need to capture packets, scan open ports and measure performance. The firewall on each server was iptables. Table II shows the parameters used in this project.

A. Test 1 (Sniffing)

A sniffer was set up to collect the port knocking sequence sent by a client, and the differences between the three projects were compared, including how the sequence packets are transmitted from the client to the server. Wireshark was used for this test.

B. Test 2 (Scanning)

Port scanning software (Nmap) was set up to scan the server and collect the open ports. The open ports were collected before and after the knock to the server was made, and the results were compared between the projects.
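The before/after comparison of Test 2, as an added Python example that is not part of the paper: it parses Nmap's grepable (-oG) output from a scan taken before the knock and one taken after, and reports every port whose state changed, which is the observation Section V draws from this test. The scan texts are constructed to mirror what the paper reports (port 22 appearing after a basic knock; no visible change for the proposed method) and are not real captures; treating a port that Nmap does not list as "filtered" is an assumption matching an iptables DROP policy.

```python
"""Before/after port-scan diff for Test 2 (Scanning). Added example, not the paper's code."""
import re

# Nmap -oG "Ports:" entries have the form port/state/protocol/owner/service/rpc/version.
_PORT_ENTRY = re.compile(r"(\d+)/([\w|]+)/(tcp|udp)/")


def parse_grepable(text):
    """Return {(port, proto): state} for every port Nmap listed for the host."""
    ports = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        fields = line.split("Ports:", 1)[1].split("\t", 1)[0]   # stop at "Ignored State:"
        for port, state, proto in _PORT_ENTRY.findall(fields):
            ports[(int(port), proto)] = state
    return ports


def scan_diff(before_text, after_text, default="filtered"):
    """Ports whose state differs between the two scans: {(port, proto): (before, after)}.

    A port absent from a scan is taken to be in the scan's ignored state (assumed
    'filtered', i.e. dropped by the firewall), so a newly listed port shows up."""
    before, after = parse_grepable(before_text), parse_grepable(after_text)
    changed = {}
    for key in sorted(set(before) | set(after)):
        b, a = before.get(key, default), after.get(key, default)
        if b != a:
            changed[key] = (b, a)
    return changed


def knock_leaks_state(before_text, after_text):
    """True if the knock changed anything a scanner can see, i.e. the knock is observable."""
    return bool(scan_diff(before_text, after_text))


# Constructed scans (not real output). Basic port knocking, server 192.168.1.106:
# port 22 is listed only after the knock. Proposed method, server 192.168.1.107:
# the firewall state is identical before and after, and SSH on 8080 is never exposed.
BASIC_BEFORE = (
    "# Nmap scan initiated (constructed)\n"
    "Host: 192.168.1.106 ()\tStatus: Up\n"
    "Host: 192.168.1.106 ()\tIgnored State: filtered (1000)\n"
)
BASIC_AFTER = (
    "Host: 192.168.1.106 ()\tStatus: Up\n"
    "Host: 192.168.1.106 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: filtered (999)\n"
)
PROPOSED_BEFORE = (
    "Host: 192.168.1.107 ()\tStatus: Up\n"
    "Host: 192.168.1.107 ()\tPorts: 5001/open|filtered/udp////\tIgnored State: filtered (1999)\n"
)
PROPOSED_AFTER = PROPOSED_BEFORE


if __name__ == "__main__":
    print("basic   :", scan_diff(BASIC_BEFORE, BASIC_AFTER))
    print("proposed:", scan_diff(PROPOSED_BEFORE, PROPOSED_AFTER))
```

In practice the two texts come from `nmap -sS -sU -p- -oG before.txt <server>` run before the knock and the same command run immediately after; the knock port 5001 shows as open|filtered in both UDP scans because the daemon never answers a scanner's probe, which is why it does not appear in the diff.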

TABLE II. PARAMETERS FOR TESTING

Parameter: Port sequence
  Basic Port Knocking: TCP destination ports 6050, 1000, 4040 & 5000
  Fwknop + SPA: single packet sent to the server with a GPG key
  Proposed Method: UDP destination port 5001; source port sequence UDP 6050, 1000, 4040 & 5000

Parameter: SSH port to access
  Basic Port Knocking: port 22
  Fwknop + SPA: port 22
  Proposed Method: port 8080

Parameter: Client IP address
  Basic Port Knocking: 192.168.1.103
  Fwknop + SPA: 192.168.1.103
  Proposed Method: 192.168.1.103

Parameter: Server IP address
  Basic Port Knocking: 192.168.1.106
  Fwknop + SPA: 192.168.1.104
  Proposed Method: 192.168.1.107

C. Test 3 (Performance)

To measure the performance of knocking, the total time taken for a successful knock to the server was collected. Wireshark was used to capture the timestamp of each packet.

V. RESULTS AND DISCUSSIONS

As seen in Tests 1 and 2, basic port knocking uses four TCP packets as its sequence, and the whole process thus requires 12 packets. This is the normal pattern for a basic port knocking sequence. Figure 6 records the activity of each protocol during the knocking session.

Figure 6. Activity during knocking session for Basic Port Knocking

In Figure 6, the SSH session (green line) appears after the knocking sequence is made. The scanning results also show ports opening and closing when the knock sequence is made: basic port knocking keeps port 22 (SSH) closed but opens it once a valid knock is received. When these two tests are run together, the pattern of the port knocking operation can easily be determined. Furthermore, when the captured packets were replayed to the server, the replay succeeded in opening an SSH connection. Basic port knocking is therefore vulnerable to TCP replay attack.

Figure 7. Activity during knocking session for Fwknop + SPA

Fwknop + SPA sends only one packet, encrypted with a GPG key, to the server for knock authentication. Figure 7 shows the activity of each protocol during the knocking session. Once the knock succeeds, an SSH session is seen running on the server. Before the knock, port 22 (SSH) is closed at the firewall; after the knock, port 22 is found open. Test 1 also showed that the Fwknop + SPA packet uses port 22 (SSH) as its destination port. Although the service requested by the client is thus easy for an attacker to determine, the knock packet is difficult to replay: it cannot be forged without the GPG key, and Fwknop rejects an SPA packet it has already seen.

Figure 8. Activity during knocking session for Proposed Method

The proposed port knocking method uses UDP packets to knock on the server. It uses a source port sequence while keeping a single destination port. Figure 8 shows the activity on the server during the knocking session: no SSH session is visible on the server after the knock succeeds, because the proposed method hides SSH by configuring it to run on a different port. When analysing the captured packets, it is therefore difficult to determine which service is requested once a knock is made. Additionally, since there is no integration with the firewall, all ports in the firewall remain closed before and after the knock. The proposed method is thus capable of mitigating TCP replay attacks and port scanning.

In terms of performance, basic port knocking was the slowest of the three, because it needs to send more packets. Figure 9 shows the performance of each method. Fwknop + SPA was slower than the proposed design but slightly faster than basic port knocking. This indicates that the proposed method is simpler in terms of overall implementation.

Figure 9. Comparison of three port knocking methods

VI. CONCLUSION

The sequence technique used to knock on the server differs from basic port knocking. The source port sequence used in the proposed design makes analysis more difficult than a destination port sequence does. Moreover, both the source ports and the destination port are pre-defined and known in advance to the client and the server.

The experiments showed that the proposed method performed better than the other projects in the time taken to complete the knocking sequence. This is because UDP packets require no handshake and because the method does not integrate with any firewall. The absence of firewall integration also makes the proposed design easy to configure and deploy in different environments; the main reason for not integrating with the firewall is that not every firewall is iptables-based, which can make integration difficult.

To mitigate the TCP replay attacks and port scanning that port knocking faces, the proposed design recommends starting and stopping the service around each knock. In this project the SSH service is configured to start once a valid knock is received and to stop afterwards. The reasoning is that an attacker who knows the sequence and replays it does not know whether the service is running or starting, as the sniffing results showed. Since the source ports of the knock packets are carried in clear in the UDP headers, it is this start/stop gating of the service, rather than secrecy of the sequence, that the replay protection rests on. This provides another layer of protection for the service. Additionally, configuring the SSH service on a different port is another way to protect the server against port scanning.

The results also show that the proposed method is simple and at the same time resists TCP replay attacks and port scanning. This method benefits system administrators who need to access servers remotely under strict firewall rules.

REFERENCES

[1] M. Krzywinski, “Port Knocking: Network Authentication across Closed Ports”, SysAdmin Magazine, vol. 12, 2003, pp. 12–17.

[2] A. Narayanan, “A critique of port knocking”, Linux Journal, 2004.

[3] M. Rash, “FWKnop with SPA”, available at http://cipherdyne.org/fwknop/docs/SPA.html, 2004.

[4] M. Rash, “Protecting SSH Servers with Single Packet Authorization”, Linux Journal, vol. 2007, no. 157, 2007.

[5] H. A. Bahadili, “A Network Security Using Hybrid Port Knocking”, IJCSNS International Journal of Computer Science and Network Security, vol. 10, no. 8, August 2010, pp. 8–12.

[6] J. H. Liew, S. Lee, I. Ong, H. J. Lee, H. Lim, “One Time Knocking Framework using SPA and IPSec”, 2010 2nd International Conference on Education Technology and Computer (ICETC), 2010, pp. 209–213.

[7] V. Srivastara, A. Kumar, A. D. Roy, V. K. Chanrasiya, R. Gupta, “Advance Port Knocking Authentication Scheme with QRC using AES”, 2011 International Conference on Emerging Trends in Networks and Computer Communications (ETNCC), 2011, pp. 159–163.

[8] R. Bidou, “Advanced Port Knocking Suite”, available at http://www.iv2-technologies.com/~rbidou/, 2004.

[9] F. Vannini, “Barricade, port knocking with ICMP packet”, available at http://www.lightning.eu.org/barricade/, 2004.

[10] J. Walko, “A simple encrypted port knocker”, available at http://cryptknock.sourceforge.net/, 2004.

[11] J. B. Ward, “The Doorman or Silent Running”, available at http://doorman.sourceforge.net/, 2005.

[12] J. Vinet, “Implementation of Port knocking with Knockd”, available at http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki, 2004.

[13] T. Keong and Capella, “SIG^2 Port Knocking: Remote Server Management using Dynamic Port Knocking and Forwarding”, available at http://www.security.org.sg/code/sig2portknock.pdf, 2004.

[14] J. Meeha, “Port knocking implementation in C with Pasmal”, available at http://www.sourceforge.net/projects/pasmal/, 2004.

[15] T. Smith, “Portkey port knocking”, available at http://www.smee.org/software/portkey/, 2004.

[16] D. Worth, “COK - Cryptographic One-Time Knocking”, available at http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-worth-up.pdf, 2004.

[17] D. Epp, “Introduction to Cerberus: Port Knocking with covert packets to secretly open your firewall”, Scorpion Software, available at http://silverstr.ufies.org/blog/Cerberus.ppt, 2004.
