Single Packet Authorization
Jul 6th, 2008 by knutee
A quite common finding in firewall/gateway logs is brute-force SSH attacks. As a result, many choose to implement security systems that blacklist the source of the attack for a certain amount of time. This method, however, has two considerable weaknesses.
If a legitimate user fails to log in due to a forgotten password or typing errors, the user gets locked out of the system, usually for 5-10 minutes. This does not go down well with most users. The other problem is that it does not prevent attackers from abusing vulnerabilities that appear in network services.
This is where single packet authorization (SPA) and port knocking come into play. By having the service port closed by default, and only opening it up to a user after a specific “knock on the door” is performed, the attacker will not be able to reach the service or even see that it’s there. So, what’s the difference?
To explain the difference between SPA and port knocking, I will use knocking on a door as a metaphor. Port knocking involves knocking on the door in a specific pattern. Let’s say you walk up to a door and knock on it rapidly 3 times, wait one second, then knock 2 more times. By doing this, you have told the person on the other side of the door that you know the secret knock needed to gain access. This method, however, presents us with two apparent weaknesses. If the time between each knock is too short, the person on the other side might not be able to distinguish between individual knocks. This means that the speed of knocking has to be lowered, and authorization gets slowed down. The other obvious problem is that a third person might be hiding in the bushes, listening to the knocking pattern you perform. That person could then come back later and repeat the knocking pattern you performed, thus gaining access. This is called a replay attack.
Now let’s use the same metaphor to explain SPA. Let’s say you walk up to the door and only knock once. However, this knock is unique due to the shape and speed of your hand, as well as the particular part of your hand hitting the door. To make it even more unique, you add a random element that is only allowed to occur once. This knock would be very hard for a third person to replicate, and due to the random element we added, the knock will be dismissed if it’s exactly the same as a previous knock. This is the idea behind SPA.
SPA uses a single packet (hence the name) that can be delivered as fast as your network route allows. To make the packet complex enough, the application payload portion is used. Random data and its hash value are added to prevent replay, and the packet is encrypted with a key. There are of course more complex details, but for a general explanation I think this simplified version is enough.
So now, when the attacker scans your ports, the service port you’re protecting will appear as closed. The authorization data is encrypted to prevent someone who sniffs your packets from gaining access. The authorization given is tied to your address, but because of NAT and the potential danger of an attacker sitting on the same subnet as the legitimate user and replicating the knock, the random element and its hash are added. If the same random data appears in a subsequent knock, the connection is denied. Thus, your network service is now only accessible to those who know the secret knock on the door!
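To make the packet described above concrete, here is an added Python example (my own illustration, not code from the original post or from any particular SPA implementation) of the client/server exchange: the client puts a random element and its hash into the payload and encrypts it with a shared key; the server decrypts, checks the hash, ties the knock to the source address, and refuses any random value it has already seen. The shared key and the client addresses are constructed values. Because the Python standard library has no block cipher, confidentiality comes from a constructed toy cipher (XOR with an HMAC-SHA256 keystream, authenticated with a separate HMAC tag); a real deployment would use an authenticated cipher such as AES-GCM instead.

```python
import hashlib
import hmac
import json
import os
import secrets

# Constructed shared secret; in practice it is configured out of band on both ends.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 in counter mode (stand-in for a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def _decrypt(key: bytes, packet: bytes):
    """Return the plaintext, or None if the packet is truncated or the tag fails."""
    if len(packet) < 16 + 32:
        return None
    nonce, ciphertext, tag = packet[:16], packet[16:-32], packet[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


def build_knock(key: bytes, client_addr: str, port: int) -> bytes:
    """Client side: random element plus its hash, sealed inside the encrypted payload."""
    body = {"addr": client_addr, "port": port, "rand": secrets.token_hex(16)}
    canonical = json.dumps(body, sort_keys=True).encode()
    body["digest"] = hashlib.sha256(canonical).hexdigest()
    return _encrypt(key, json.dumps(body, sort_keys=True).encode())


class SpaServer:
    """Server side: decrypt, check the hash, bind to the source address, reject replays."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen = set()  # random values already accepted; a real daemon would age these out

    def verify(self, packet: bytes, source_addr: str):
        plaintext = _decrypt(self.key, packet)
        if plaintext is None:
            return False, "bad key or tampered packet"
        try:
            body = json.loads(plaintext)
            digest = body.pop("digest")
        except (ValueError, KeyError, TypeError, AttributeError):
            return False, "malformed payload"
        canonical = json.dumps(body, sort_keys=True).encode()
        expected = hashlib.sha256(canonical).hexdigest().encode()
        if not hmac.compare_digest(str(digest).encode(), expected):
            return False, "hash mismatch"
        if body.get("addr") != source_addr:
            return False, "address mismatch"
        rand = body.get("rand")
        if rand in self.seen:
            return False, "replay"
        self.seen.add(rand)
        return True, body.get("port")


def demo():
    """Run one legitimate knock and the failure cases the text describes."""
    server = SpaServer(SHARED_KEY)
    client = "192.0.2.10"  # constructed client address
    knock = build_knock(SHARED_KEY, client, 22)
    first = server.verify(knock, client)                 # accepted, opens port 22
    replay = server.verify(knock, client)                # same random data again: denied
    flipped = bytearray(knock)
    flipped[20] ^= 0x01                                  # one bit of ciphertext changed
    tampered = server.verify(bytes(flipped), client)
    other = server.verify(build_knock(SHARED_KEY, client, 22), "192.0.2.99")  # wrong source
    wrong_key = server.verify(build_knock(b"other-key", client, 22), client)
    return {"first": first, "replay": replay, "tampered": tampered,
            "other": other, "wrong_key": wrong_key}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The replay check is what separates this from port knocking: capturing the packet on the wire is useless because the server will never honour the same random value twice, and without the key an observer cannot produce a fresh one. In a real implementation the "seen" set is bounded by also carrying a timestamp and rejecting knocks outside a short window.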
I hope this short presentation has given you a better understanding of SPA and port knocking. A guide to installing SPA on your system is now up in the guides section. Questions, comments and corrections are very welcome.