Post on 26-Sep-2020
Azuan Alias, Universiti Teknologi MARA (UiTM)
“IT Security for the Next Generation”
Asia Pacific & MEA Cup, Hong Kong
14-16 March, 2012
Simple Port Knocking Method
against TCP Replay Attack and
Port Scanning
Introduction
Port knocking = a concept for temporarily opening a certain port on a firewall
Used to gain access to a server behind the firewall
Method = a unique packet sequence used to knock on the server
PAGE 2 | "IT Security for the Next Generation", Asia Pacific & MEA Cup | 14-16 March, 2012
Problem Statement
Only capable of integrating with an IP table based firewall, Martin Krzywinski (2003).
Vulnerable to TCP replay attack, port scanning, security by obscurity and packet
delivery out of order, Arvind Narayan (2004).
Complex solutions to harden the port knocking packet proposed by Jiun-Han Liew et
al. (2010), Vikas Srivastara et al. (2011), Hussien Al Bahadili (2010).
Objective
Develop a simple port knocking method to mitigate TCP replay attack and
port scanning.
Compare it with other port knocking projects.
Significance
Reduced complexity = easy to integrate with the current architecture
Useful for system administrators
Literature Review
(Project Title / Contribution / Strength / Weakness)

Basic Port Knocking (2003)
  Contribution: Introduces the port knocking system.
  Strength: Makes use of firewall rules to open or close a port.
  Weakness: Replayed packets, scanning, packet delivery running out of order. Needs to integrate with an IP table based firewall.

Port Knocking with Single Packet Authorization (2005 till present), also known as Fwknop+SPA
  Contribution: Introduces a single packet as an authentication mechanism with a GPG key.
  Strength: The packet used for authentication is encrypted; difficult to replay.
  Weakness: Packet delivery running out of order is not discussed in this project.

Network Security Using Hybrid Port Knocking (2010)
  Contribution: Combination of cryptography, steganography and mutual authentication.
  Strength: Difficult to replay the packet.
  Weakness: Increases the overhead on packet size due to the use of steganography and cryptography.

One Time Knocking Framework using SPA and IPsec (2010)
  Contribution: Enhances the use of SPA by tying it together with IPsec.
  Strength: The knocking password is only sent to smartphone users by the RNG server.
  Weakness: Integrating IPsec with firewall rules requires a lot of modification. A complex system that is difficult to implement.

Advanced Port Knocking Authentication Scheme with QRC using AES (2011)
  Contribution: The QRC spoofs the IP address.
  Strength: Port scans are difficult to carry out. An IP address is difficult to replicate.
  Weakness: The complexity of its design may result in performance issues.
Basic Port Knocking Method
CLIENT | FIREWALL | SERVER
1) The client attempts a connection to the server with a predetermined port sequence to start SSH, e.g. ports 100, 200, 300.
2) Packet capture on the firewall identifies the knocking packets.
3) The firewall passes the sequence packets to the server.
4) The server validates the knocking sequence.
5) The server requests the firewall to ACCEPT packets from the client.
6) The firewall ACCEPTs the packet and passes it to the server.
7) The client starts the SSH service and establishes the connection.
Proposed Method
CLIENT | FIREWALL | SERVER
1) The client attempts a connection to the server to start SSH, using the source port sequence and destination port 5001.
2) The firewall ACCEPTs the packet since port 5001 is open.
3) The firewall passes the packet to the server.
4) The server validates the source ports used by the client. If they match, ACCEPT and START the SSH service; if not, DROP.
5) The client starts the SSH service and establishes the connection with a different destination port.
Proposed Method
User | Firewall | Port knocking server
1) The client accesses the server using a predetermined source port sequence.
2) The server validates the source port sequence.
   If YES, it starts the service (SSH in this example) and sends an execute message to notify the client.
   If NO, it ignores the packet.
3) The client accesses the server to use SSH on the predefined port number.
4) The client sends another source port sequence to close/stop the service.
5) The server stops the service.
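The server-side decision in steps 1, 2, 4 and 5 above, as an added Python simulation. This is example code written for this page, not the author's implementation or any project's code. The open knock port 5001 comes from the slides; the two source port sequences, the 10-second window in which a whole sequence must arrive, SSH on port 22 and the packet trace are assumptions constructed for the demo.

```python
# Added example (not the author's code): server-side logic for the proposed
# source-port knocking method. Packets sent to the open knock port (5001 on the
# slides) are matched against a predetermined source-port sequence; a complete
# START sequence enables the service for that client and triggers the
# notification, a complete STOP sequence disables it again. Sequences, window,
# SSH port and the packet trace are constructed/assumed values for the demo.
from dataclasses import dataclass, field

KNOCK_PORT = 5001                               # from the slides: destination port kept open
SERVICE_PORT = 22                               # assumed: SSH port the client uses afterwards
START_SEQUENCE = (40001, 40002, 40003, 40004)   # assumed predetermined start sequence
STOP_SEQUENCE = (40010, 40011, 40012, 40013)    # assumed sequence that stops the service
KNOCK_WINDOW = 10.0                             # assumed: whole sequence must arrive within 10 s


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_port: int
    ts: float          # arrival time in seconds


@dataclass
class KnockServer:
    # per client: recent (source port, timestamp) knocks seen on KNOCK_PORT
    history: dict = field(default_factory=dict)
    # per client: whether the service is currently enabled for it
    enabled: dict = field(default_factory=dict)

    def handle(self, pkt: Packet):
        """Process one packet; return 'start', 'stop' or None (ignored)."""
        if pkt.dst_port != KNOCK_PORT:
            return None                      # only knock-port traffic is inspected
        knocks = self.history.setdefault(pkt.src_ip, [])
        # expire knocks outside the window so stale partial sequences never complete
        knocks[:] = [(p, t) for p, t in knocks if pkt.ts - t <= KNOCK_WINDOW]
        knocks.append((pkt.src_port, pkt.ts))
        recent = tuple(p for p, _ in knocks[-len(START_SEQUENCE):])
        if recent == START_SEQUENCE and not self.enabled.get(pkt.src_ip, False):
            self.enabled[pkt.src_ip] = True
            knocks.clear()
            return "start"                   # slide step 2: start service, notify client
        if recent == STOP_SEQUENCE and self.enabled.get(pkt.src_ip, False):
            self.enabled[pkt.src_ip] = False
            knocks.clear()
            return "stop"                    # slide step 5: server stops the service
        return None                          # wrong or incomplete sequence: ignored

    def accepts(self, src_ip: str, dst_port: int) -> bool:
        """Would the server ACCEPT a connection from src_ip to dst_port right now?"""
        if dst_port == KNOCK_PORT:
            return True                      # the knock port is always open
        return dst_port == SERVICE_PORT and self.enabled.get(src_ip, False)


def run_trace(packets):
    """Feed a packet list to a fresh server; return (events, final server state)."""
    server = KnockServer()
    events = [(pkt.src_ip, pkt.src_port, server.handle(pkt)) for pkt in packets]
    return events, server


# Constructed packet trace: a legitimate client knocks, an unrelated host probes
# the knock port and the SSH port, then the client closes the service again.
SAMPLE_TRACE = [
    Packet("10.0.0.5", 40001, KNOCK_PORT, 0.0),
    Packet("10.0.0.5", 40002, KNOCK_PORT, 1.0),
    Packet("10.0.0.5", 40003, KNOCK_PORT, 2.0),
    Packet("10.0.0.5", 40004, KNOCK_PORT, 3.0),    # completes START -> 'start'
    Packet("10.0.0.9", 51234, KNOCK_PORT, 3.5),    # probe: wrong source port, ignored
    Packet("10.0.0.9", 51235, SERVICE_PORT, 3.6),  # probe: SSH port, never knocked
    Packet("10.0.0.5", 40010, KNOCK_PORT, 20.0),
    Packet("10.0.0.5", 40011, KNOCK_PORT, 21.0),
    Packet("10.0.0.5", 40012, KNOCK_PORT, 22.0),
    Packet("10.0.0.5", 40013, KNOCK_PORT, 23.0),   # completes STOP -> 'stop'
]

if __name__ == "__main__":
    events, server = run_trace(SAMPLE_TRACE)
    for ip, port, ev in events:
        print(f"{ip}:{port} -> {ev}")
    print("10.0.0.9 may use SSH:", server.accepts("10.0.0.9", SERVICE_PORT))
```

Running the block prints one event per packet: the four knocks from 10.0.0.5 end in a start event, the probes from 10.0.0.9 produce nothing and its SSH connection is refused (the "before" state of the scanning test), and the client's SSH connection is accepted only between its start and stop sequences. The window check is what prevents a slow, partial sequence from ever completing; with no such check the page's basic method would accept any sequence spread over arbitrary time.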
Experimental Design
Test 1 (Sniffing)
Collect a port knocking sequence from a client and compare the differences
between these 3 projects.
Test 2 (Scanning)
Scan the ports available before and after the knock on the server is made.
Test 3 (Performance)
The total time for the port knocking to succeed against the server is collected.
The fastest method is taken to be the simplest.
Result: Basic Port Knocking
Result: FWKnop + Single Packet Authorization
Result: Proposed Method
Result (scanning): Basic Port Knocking, Before / After
Result (scanning): FWKnop + Single Packet Authorization, Before / After
Result (scanning): Proposed Method, Before / After
Performance
[Chart: Time (sec), scale 0 to 140, for Basic Port Knocking, FwKnop + SPA and Proposed Method; values as in the table below]

Project             | Per-packet time (sec), packets 1 to 12 in order                                       | Notification (sec) | Total (sec)
Basic Port Knocking | 10.331 10.332 10.831 10.332 10.332 10.833 10.335 10.335 11.311 10.338 10.347 10.853    | -                  | 126.510
FwKnop + SPA        | 14.721 14.721 14.721 - - - - - - - - -                                                  | -                  | 44.163
Proposed Method     | 3.622 - - 3.622 - - 3.622 - - 3.623 - -                                                 | 3.629              | 18.118
Conclusion
Source port sequence
Start and stop the service
No change in firewall rules = no firewall integration = less configuration
Thank You
Azuan Alias, Universiti Teknologi MARA (UiTM)
“IT Security for the Next Generation”
Asia Pacific & MEA Cup, Hong Kong
14-16 March, 2012