
The author makes an assumption.

Posted by: Anonymous Coward on August 11, 2004 05:46 AM
Firstly, the unnecessary only-some-ports-valid "protection layer" complicates things. Suppose you decide on a list of 32 valid ports (the current implementation allows up to 256). How long does the port knock sequence need to be? You might think that since each port is a 16-bit integer, you need 8 knocks, so that you get 8*16 bits or 128 bits of security (virtually unbreakable). But since each port has only 32 possible values (5 bits), what you actually get is only 8*5=40 bits of security (trivially breakable)!

Here the author assumes that the choice of which 32 ports are valid will be apparent.

If I choose to use a$a$a$a$ as a password, does that give my system 16-bit security? (After all, I only used 2 values, which can be reduced to 2 bit-states if you know which two values I used.) The answer? No, my system still has 92^8-bit security. (It may be that I've chosen a weak password, but that's another discussion entirely.)

If I happen to choose ports 1-32, with an 8-knock sequence, yeah, I'll probably get brute forced a bit faster than someone who uses a randomly generated set of 32 ports, but only because his ports are likely to be distributed throughout the entire range, requiring the brute-force app to go through more iterations.

The idea with port-knocking is that you don't get *any* feedback until you've knocked the entire sequence correctly. The attacker has no way to know which ports are the 32 valid ports you've chosen, therefore he must treat them all equally.

If the attacker discovers that you're using 32 particular ports, then yes, your security is weakened. Just like if he found out I was using a password that only had 2 different characters in it. That's why key-related information is kept *secret*. (Hiding information about your key isn't 'security through obscurity', it's the basis of security.)

Having a bug in a port-knock service that allows access is still better than having httpd, ssh, sendmail, and ftp (each of which might have such a bug) plainly accessible when you don't need it. Barring such a bug in port-knock, an attacker at least has to authenticate to your system before they can try hacking another service.
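As an added example, not code from the original post or from the article it replies to, the following Python sketch makes the two points above concrete: a toy knock daemon that gives a client no feedback until the whole sequence has arrived in order (a wrong knock silently resets progress), and a search-space estimate showing that the 128-bit figure for 8 knocks holds only while the valid set of ports stays secret, collapsing to 40 bits once an attacker learns which 32 ports are in play. The port numbers and the sequence are constructed sample values.

```python
# Added example (not from the original post or the article it discusses).
# Toy port-knock state machine plus a search-space estimator; the port
# numbers used below are constructed sample values.
import math


class KnockDaemon:
    """Tracks each client's progress through a secret knock sequence.

    knock() deliberately returns nothing: the only observable effect is
    that is_open() flips to True after the complete, in-order sequence.
    Partial or wrong sequences produce no signal the client can use.
    """

    def __init__(self, sequence):
        self.sequence = tuple(sequence)
        self.progress = {}      # client -> number of correct knocks so far
        self.open_for = set()   # clients that completed the sequence

    def knock(self, client, port):
        n = self.progress.get(client, 0)
        if port == self.sequence[n]:
            n += 1
        else:
            # Wrong port: restart. If the wrong port happens to be the
            # first port of the sequence, count it as a fresh first knock.
            n = 1 if port == self.sequence[0] else 0
        if n == len(self.sequence):
            self.open_for.add(client)
            n = 0
        self.progress[client] = n
        # No return value on purpose: no feedback until the full sequence lands.

    def is_open(self, client):
        return client in self.open_for


def search_space_bits(knocks, candidates_per_knock):
    """Bits of work for an attacker who must guess `knocks` ports, each
    drawn from `candidates_per_knock` possibilities.

    With the valid set secret, every knock is one of 65536 ports;
    if the attacker learns the 32 valid ports, each knock is one of 32.
    """
    return knocks * math.log2(candidates_per_knock)


if __name__ == "__main__":
    d = KnockDaemon([7000, 8000, 9000])   # constructed sample sequence
    for port in (7000, 8000, 1234, 7000, 8000, 9000):
        d.knock("client-a", port)
    print("open:", d.is_open("client-a"))
    print("secret port set: %.0f bits" % search_space_bits(8, 65536))
    print("leaked 32-port set: %.0f bits" % search_space_bits(8, 32))
```

The estimator is the same arithmetic the quoted critique uses; the difference the post argues for is which `candidates_per_knock` the attacker actually faces, which depends on whether the valid set has leaked rather than on how many ports are in it.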


Return to A critique of port knocking