
A proposal for "silent" port knocking

Posted Dec 20, 2013 22:18 UTC (Fri) by nybble41 (subscriber, #55106)
In reply to: A proposal for "silent" port knocking by jzbiciak
Parent article: A proposal for "silent" port knocking

By itself, a hash of the shared secret and time won't protect against a replay attack within a short time frame (like right after observing the original port knocking sequence). However, if you added in some information about the connection, like the source IP address and port, that would frustrate replay attacks from other systems. Of course, the downside of that is that it would no longer be compatible with NAT.

If the server responds to the knocks with an ICMP error, it might be possible to piggyback some challenge data in the response so that each sequence is unique after the first knock. The client would hash the challenge data with the shared secret to determine the next knock.


A proposal for "silent" port knocking

Posted Dec 20, 2013 22:34 UTC (Fri) by jzbiciak (subscriber, #5246)

Yeah, that's true. Of course, if you do happen to save some state server side, then you could detect a replay attack. Adding 'time' to the equation limits the length of the memory you need to have to the time window each token's valid.
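A sketch of the scheme the two comments above describe, added here as an example and not code from either commenter or from the article: the token is a keyed hash of the shared secret, a time-window counter and the source address, and the server remembers accepted tokens only for as long as they could still validate. HMAC-SHA256, the 30-second window, the one-window skew allowance and all names are assumptions; only the source address is bound (no port), so the NAT limitation mentioned above still applies.

```python
import hashlib
import hmac
import struct

WINDOW = 30  # seconds a token stays valid (assumed value)


def knock_token(secret: bytes, src_ip: str, now: float) -> bytes:
    """Token = HMAC(secret, time-window counter || source IP as the server sees it)."""
    counter = int(now // WINDOW)
    msg = struct.pack(">Q", counter) + src_ip.encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()


class KnockVerifier:
    """Server side: accepts each valid token once, then treats it as a replay."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen = {}  # accepted token -> window counter it was issued for

    def verify(self, token: bytes, src_ip: str, now: float) -> str:
        counter = int(now // WINDOW)
        # Forget tokens from windows that can no longer validate; this is
        # what bounds the replay memory to the token validity period.
        self.seen = {t: c for t, c in self.seen.items() if c >= counter - 1}
        # Accept the current and the previous window to tolerate clock skew.
        for c in (counter, counter - 1):
            expected = knock_token(self.secret, src_ip, c * WINDOW)
            if hmac.compare_digest(token, expected):
                if token in self.seen:
                    return "replay"
                self.seen[token] = c
                return "ok"
        return "invalid"


def demo() -> list:
    """Constructed sample run: documentation-range IPs and a made-up secret."""
    secret = b"constructed-shared-secret"
    v = KnockVerifier(secret)
    tok = knock_token(secret, "192.0.2.10", 1_000_000.0)
    return [
        v.verify(tok, "192.0.2.10", 1_000_001.0),    # first use
        v.verify(tok, "192.0.2.10", 1_000_002.0),    # same host, same token
        v.verify(tok, "198.51.100.7", 1_000_002.0),  # observer on another address
        v.verify(tok, "192.0.2.10", 1_000_090.0),    # after the window has passed
    ]
```
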
