- About Us
I like the fact that the port knocking implementation is not written in C...
Are you under the impression that the code you found is the implementation, rather than an example? I can see where that would lead to some of your conclusions.
Don't want replay attacks? Encoding the source address in the knock sequence would help. Opening a nonstandard port for connection after a successful knock would be another way to go.
Worried about an exhaustive searching attack (and ignoring the time constraints)? Lock out addresses that complete a knock sequence and fail to immediately connect to the correct port.
Your 10% break-in figure if 10% of servers are using port knocking assumes that all port knocking implementations will be insecure. It also assumes that the cracker is going to be willing to waste the time necessary to attack every address, whether there appears to be a machine located at it or not.
I agree that you don't need to reinvent cryptography. Cryptography is not what port knocking is about. It's about not being the "low hanging fruit", and security in depth.
Reminder: There is nothing wrong with "security through obscurity", it's "security only through obscurity that's a bad idea.
Return to A critique of port knocking