Posted by: Anonymous Coward
on August 11, 2004 10:40 PM
> The difficult part of detection of port knocking is not _whether_ port-knocking is in use, but on which ports it is in use.
That may be the difficult part, but it may be useful to attackers to just be able to determine _whether_ port-knocking is in use (or to just assume it). For instance, a denial-of-service attack might be discovered for a port-knocking implementation, and may only require knowledge of port-knocking's existence. Or, once a server is determined to be using port-knocking, a replay attack could be employed. Therefore, if the use of port-knocking becomes widespread, an attacker will just assume that port-knocking is in use on unresponsive servers and initiate port-knocking attacks.
I think it is reasonable to object to my stating that "difficult detection is the main benefit of port-knocking". That probably isn't true. A better statement would be "difficult detection is the most intriguing benefit of port-knocking."
Everyone agrees that port-knocking is additional security. But, the fact that it is difficult to detect if it is or isn't being used does not significantly add to the level of security. In addition, a "successful attack" is broader than just determining the knock sequence; successful attacks would also include denial-of-service.
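The replay attack mentioned above is the easiest to reason about with a small simulation. The following Python is an added example, not code from the commenter or from any port-knocking implementation: it contrasts a fixed knock sequence, which accepts the same sequence on replay, with a one-time knock derived from an HMAC over a time window, which the server accepts only once per window and rejects once the window has passed. The secret, the 30-second window, the port list and the timestamps are all constructed for the demonstration; no sockets or packet capture are involved.

```python
"""Static vs. one-time (HMAC, time-windowed) port knocking, simulated in memory."""
import hashlib
import hmac

WINDOW_SECONDS = 30          # constructed: lifetime of one knock sequence
PORT_MIN, PORT_MAX = 1024, 65535


def derive_knock(secret: bytes, window: int, n_ports: int = 4) -> list:
    """Derive the knock sequence valid for one time window from HMAC-SHA256."""
    digest = hmac.new(secret, window.to_bytes(8, "big"), hashlib.sha256).digest()
    span = PORT_MAX - PORT_MIN + 1
    return [PORT_MIN + int.from_bytes(digest[2 * i:2 * i + 2], "big") % span
            for i in range(n_ports)]


def _encode(ports) -> bytes:
    """Fixed-width encoding so sequences can be compared in constant time."""
    return b"".join(int(p).to_bytes(2, "big") for p in ports)


class StaticKnockVerifier:
    """A fixed sequence: anyone who observed it once can replay it forever."""

    def __init__(self, sequence):
        self.sequence = _encode(sequence)

    def accept(self, ports, now) -> bool:
        return hmac.compare_digest(_encode(ports), self.sequence)


class OneTimeKnockVerifier:
    """Sequence changes every window and each window is honoured at most once."""

    def __init__(self, secret: bytes, skew_windows: int = 1):
        self.secret = secret
        self.skew = skew_windows          # tolerate small clock drift
        self.used = set()                 # windows already consumed

    def accept(self, ports, now) -> bool:
        current = int(now) // WINDOW_SECONDS
        observed = _encode(ports)
        for w in range(current - self.skew, current + self.skew + 1):
            if w in self.used:
                continue                  # replay within the window: refuse
            expected = _encode(derive_knock(self.secret, w))
            if hmac.compare_digest(observed, expected):
                self.used.add(w)
                return True
        return False                      # wrong sequence or stale window


def demo() -> dict:
    """Run both verifiers against a first knock, a replay, and a stale replay."""
    secret = b"constructed-demo-secret"     # assumption: shared out of band
    t0 = 1000                               # constructed timestamp (seconds)
    static = StaticKnockVerifier([7000, 8000, 9000])
    onetime = OneTimeKnockVerifier(secret)
    knock = derive_knock(secret, t0 // WINDOW_SECONDS)   # what the client sends
    return {
        "static_first": static.accept([7000, 8000, 9000], t0),
        "static_replay": static.accept([7000, 8000, 9000], t0 + 5),
        "onetime_first": onetime.accept(knock, t0),
        "onetime_replay": onetime.accept(knock, t0 + 5),
        "onetime_stale": OneTimeKnockVerifier(secret).accept(
            knock, t0 + 3 * WINDOW_SECONDS),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:15s} {'accepted' if ok else 'rejected'}")
```

The one-time variant does not make knocking undetectable, which is the point of the comment: an observer still sees the server stay silent and then open up after a burst of connection attempts. What it removes is the value of capturing that burst, since the captured sequence is useless a window later and is refused even inside the window once it has been consumed.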