
Linux.com

Re:Author is dead-on

Posted by: Anonymous Coward on August 12, 2004 10:31 AM
> a 5% chance that the port-knock crack will work

Excuse me, but how does the cracker even know that it has worked with any particular sequence?

It is trivial to implement a mechanism that avoids port-knocking cracks, just add a time delay. The server watches for port knocking. Once a particular sequence is seen from a specific address it waits, say, 15 seconds and then opens, say, port 22 for that address. If any other port is knocked by that address in that time then port 22 is not opened.

We have now made it such that a 'brute force' attack has zero chance of success unless it delays for some number of seconds between combinations. If it does delay, then it can only try several thousand combinations per day. The chances of success are then insignificant, even if they knew which ports were valid port knocks, even if they knew port knocking was being used. Change the knock sequence on a daily basis using some calculation including the date and the chance of success is effectively zero. And this is totally independent of whether other machines implement port knocking or not.


Return to A critique of port knocking
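The delayed-open mechanism and the date-derived daily sequence described in the comment above, as an added example (this is not the commenter's code and not code from any port-knocking daemon). The per-address tracker schedules the open only after a complete sequence, cancels it if the same address sends any further knock during the wait, and reports the port open once the delay has elapsed in silence. The SHA-256-over-secret-and-date derivation stands in for the comment's unspecified "calculation including date"; the class and function names, port ranges and sample addresses are assumptions made for the example. The guess-budget helpers at the end go one step beyond the comment by putting numbers on the "several thousand combinations per day" claim.

```python
"""Delayed port-knock opener with a date-derived daily sequence.

Added illustration of the scheme described in the comment; not code from
the commenter or from any port-knocking daemon. The SHA-256 daily
derivation and all names here are assumptions made for the example.
"""
from __future__ import annotations

import hashlib
from datetime import date

SECONDS_PER_DAY = 86400


def daily_sequence(secret: bytes, day: date, length: int = 4,
                   low: int = 10000, high: int = 60000) -> list[int]:
    """Derive the knock sequence for `day` from a shared secret and the date.

    Hypothetical scheme: SHA-256(secret || ISO date), two bytes per port,
    mapped into [low, high). Client and server compute the same list offline.
    """
    digest = hashlib.sha256(secret + day.isoformat().encode()).digest()
    span = high - low
    return [low + int.from_bytes(digest[2 * i:2 * i + 2], "big") % span
            for i in range(length)]


class DelayedKnockServer:
    """Per-address knock tracker: the port opens only after a silent delay."""

    def __init__(self, sequence: list[int], delay: float = 15.0):
        self.sequence = list(sequence)
        self.delay = delay
        self.progress: dict[str, int] = {}    # src -> ports matched so far
        self.deadline: dict[str, float] = {}  # src -> time the port opens

    def knock(self, t: float, src: str, port: int) -> None:
        """Process one knock: time t, source address, destination port."""
        due = self.deadline.get(src)
        if due is not None:
            if t < due:
                # Any knock during the wait cancels the pending open; the
                # address has to start the whole sequence again.
                del self.deadline[src]
                self.progress[src] = 0
            # Knocks after the port is already open are ignored here.
            return
        idx = self.progress.get(src, 0)
        if port == self.sequence[idx]:
            idx += 1
        elif port == self.sequence[0]:
            idx = 1          # wrong port, but it may begin a fresh attempt
        else:
            idx = 0
        if idx == len(self.sequence):
            # Full sequence seen: schedule the open, but do not open yet.
            self.deadline[src] = t + self.delay
            self.progress[src] = 0
        else:
            self.progress[src] = idx

    def is_open(self, t: float, src: str) -> bool:
        """True once the delay has elapsed without any further knock."""
        due = self.deadline.get(src)
        return due is not None and t >= due


def guesses_per_day(delay: float) -> int:
    """A brute-forcer must stay silent for `delay` after each guess to learn
    whether it worked, so this bounds the guesses one address can make per day."""
    return int(SECONDS_PER_DAY // delay)


def daily_success_probability(delay: float, length: int,
                              candidate_ports: int) -> float:
    """Chance of hitting one fixed sequence of `length` ports drawn from
    `candidate_ports` ports with the guesses available in one day."""
    return min(1.0, guesses_per_day(delay) / candidate_ports ** length)


if __name__ == "__main__":
    seq = daily_sequence(b"shared-secret", date(2004, 8, 12))
    srv = DelayedKnockServer(seq, delay=15.0)
    # Legitimate client (constructed address): knocks, then stays silent.
    for i, p in enumerate(seq):
        srv.knock(float(i), "10.0.0.1", p)
    print("client open at t=3:", srv.is_open(3.0, "10.0.0.1"))     # False
    print("client open at t=18:", srv.is_open(18.0, "10.0.0.1"))   # True
    # Brute-forcer: happens to guess the sequence, then keeps guessing.
    for i, p in enumerate(seq):
        srv.knock(100.0 + i, "10.0.0.2", p)
    srv.knock(103.5, "10.0.0.2", 4444)   # next guess cancels the open
    print("attacker open at t=200:", srv.is_open(200.0, "10.0.0.2"))  # False
    print("guesses per day at 15 s:", guesses_per_day(15.0))          # 5760
```

The tracker is keyed on source address only, which is the model the comment uses; a knock daemon watching a real interface would also have to decide what to do about spoofed knocks from a third party aimed at cancelling a legitimate client's pending open, a cost the comment does not discuss.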