A Hybrid Port Knocking System,
Some History:
The port knocking concept has been around for a while, and there are many different port knocking implementations. In computer networking, Port Knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of pre-specified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s). Originally, this was simply conceived as a series of connection attempts to closed ports in a specific order. The “knocks” are for example, are a client attempt to connect to ports 10001, 22022, 4444, or any other ports. The Port Knocking server checks the sequence of incoming packets, if they are in the correct order that the client and server have agreed on, the Port Knocking server informs the firewall to open port 22 (SSH) to the client requesting the service. The problem today in the world full of security threats, it should be assumed that all traffic is monitored by an unknown third party as it travels across a network. Doggedly adhering to this viewpoint provides us with the fact that our knock sequence can be passively observed by an eavesdropping person in the middle of our connection and just replay the knock sequence to get the same response from the server (open port or perform a task). This problem is called “TCP Replay Attack”. So we had to find a solution were the knock sequence is not re-playable. Tariq Overview:
Tariq is a new hybrid port-knocking technique, that uses Cryptography, Steganography, and Mutual Authentication to develop another security layer in front of any service that needs to be accessed from different locations around the globe. Tariq was developed using python and scapy to fulfil my Ph.D. Research. We had to use a new methodology that can communicate in an unseen manner, making TCP Replay Attacks hard to be issued against Tariq. We also wanted the implementation to listen to no ports, or bind itself to no socket for packets exchange, so that Tariq won't be exposed himself to a remote exploit. Tariq relies completely on Packet Crafting, as all packets sent and received are crafted to suite our needs. In our Port Knocking implementation, we don't want: Coding in an an unsafe language. This should be a very small application, and the performance requirements should be minimal.
Running the application in the kernel.
The service bind to a port, making it exposed to public.
To use UDP protocol.
The system to just open/close ports.
The system to authenticate from the server side only.
The system to send requests to the server in clear text.Read more: Google code
Some History:
The port knocking concept has been around for a while, and there are many different port knocking implementations. In computer networking, Port Knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of pre-specified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s). Originally, this was simply conceived as a series of connection attempts to closed ports in a specific order. The “knocks” are for example, are a client attempt to connect to ports 10001, 22022, 4444, or any other ports. The Port Knocking server checks the sequence of incoming packets, if they are in the correct order that the client and server have agreed on, the Port Knocking server informs the firewall to open port 22 (SSH) to the client requesting the service. The problem today in the world full of security threats, it should be assumed that all traffic is monitored by an unknown third party as it travels across a network. Doggedly adhering to this viewpoint provides us with the fact that our knock sequence can be passively observed by an eavesdropping person in the middle of our connection and just replay the knock sequence to get the same response from the server (open port or perform a task). This problem is called “TCP Replay Attack”. So we had to find a solution were the knock sequence is not re-playable. Tariq Overview:
Tariq is a new hybrid port-knocking technique, that uses Cryptography, Steganography, and Mutual Authentication to develop another security layer in front of any service that needs to be accessed from different locations around the globe. Tariq was developed using python and scapy to fulfil my Ph.D. Research. We had to use a new methodology that can communicate in an unseen manner, making TCP Replay Attacks hard to be issued against Tariq. We also wanted the implementation to listen to no ports, or bind itself to no socket for packets exchange, so that Tariq won't be exposed himself to a remote exploit. Tariq relies completely on Packet Crafting, as all packets sent and received are crafted to suite our needs. In our Port Knocking implementation, we don't want: Coding in an an unsafe language. This should be a very small application, and the performance requirements should be minimal.
Running the application in the kernel.
The service bind to a port, making it exposed to public.
To use UDP protocol.
The system to just open/close ports.
The system to authenticate from the server side only.
The system to send requests to the server in clear text.Read more: Google code
Read more: Port knocking implementations