
Linux.com

Re:Author is dead-on

Posted by: Anonymous Coward on August 11, 2004 01:42 AM
> The attacker would need to see your network traffic

I don't think it is valid to make that assumption -- a successful port-knock attack could rely on brute force or buffer-overflow and not on snooping. For example, the author said that a poor port-knock implementation could result in an 8-knock sequence against a list of only 32 'knockable' ports, which would be equivalent to a 40-bit key. This scenario could theoretically be successfully attacked by brute force (using an automated tool trying every possible combination until the correct sequence is found).

Similarly, a buffer-overflow attack could exploit a flaw in the port-knock implementation. What if the service listening for port-knocks experiences a buffer overflow if 40 knocks occur on a single port in a 3 second period? This kind of failure could lead to denial-of-service attacks (at best) or could be combined with other exploits to compromise the server (at worst).

Obviously, neither of those examples requires any knowledge of the user's port sequence whatsoever.

I'm not saying (and neither is the author) that port knocking is worthless or easily compromised, but it isn't as secure as it might first appear to those that aren't aware of security architectures and the strategies employed to attack them. The author is pointing out that the 'stealth' aspect advertised as a key feature of port knocking is not the magic bullet it is made out to be, and that using a simple service (port connectivity) in a non-standard way (port-knocking) may result in non-obvious security flaws.

I'm inclined just to stick with SSH also. :^]


Return to A critique of port knocking
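The two failure modes raised in the comment above, seen from the listener's side, as an added example (not code from the post or from any port-knocking project): it sizes the 8-knock, 32-port sequence and shows a knock tracker whose per-source state is fixed-size and which locks out guessers and floods. The class, its parameters, the secret ports, the addresses and the guess rate are all hypothetical.

```python
import math
from collections import defaultdict, deque

def keyspace_bits(ports, knocks):
    """Bits in an ordered sequence of `knocks` knocks chosen from `ports` ports."""
    return knocks * math.log2(ports)

def expected_days(bits, guesses_per_sec):
    """Average time to search half the keyspace at an assumed guess rate."""
    return (2 ** bits / 2) / guesses_per_sec / 86400

class KnockTracker:
    # Hypothetical listener state. Per-source state is fixed-size; this sketch
    # does not cap the number of distinct sources.
    def __init__(self, secret, window=3.0, max_knocks=16, max_failures=3):
        self.secret = tuple(secret)
        self.window = window
        self.max_failures = max_failures
        self.times = defaultdict(lambda: deque(maxlen=max_knocks))
        self.progress = defaultdict(int)   # index of the next expected knock
        self.failures = defaultdict(int)   # wrong knocks seen from this source
        self.locked = set()

    def knock(self, src, port, now):
        if src in self.locked:
            return "locked"
        t = self.times[src]
        # Flood check: buffer is full and its oldest entry is still in the window.
        if len(t) == t.maxlen and now - t[0] <= self.window:
            self.locked.add(src)
            return "locked"
        t.append(now)                      # bounded deque drops the oldest entry
        if port == self.secret[self.progress[src]]:
            self.progress[src] += 1
            if self.progress[src] == len(self.secret):
                self.progress[src] = self.failures[src] = 0
                return "open"
            return "partial"
        self.progress[src] = 0             # wrong port: restart the sequence
        self.failures[src] += 1
        if self.failures[src] >= self.max_failures:
            self.locked.add(src)
            return "locked"
        return "reject"

def replay(tracker, events):
    """Feed constructed (src, port, time) events; return one verdict per event."""
    return [tracker.knock(*e) for e in events]
```
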