Knock is a kernel patch (for Linux, with a port to FreeBSD 10.0 in the downloads below) that implements TCP Stealth: a new, NAT-compatible TCP option for stealthy port knocking, with a few new twists for improved security.
Today, port scanners can sweep the entire IPv4 address space in less than one hour. Port knocking is a method for making TCP servers less visible on the Internet. The basic idea is that a TCP server does not respond (positively) to a TCP SYN unless a particular "knock" has been sent first. This helps security, because an attacker who cannot establish a TCP connection cannot really attack the TCP server either. There are a number of existing user-space tools, such as Knock Knock and knockd. Most of these implementations send some other traffic (such as a UDP packet) to the target host to have it (briefly) open the server port. A particularly noteworthy recent idea in this domain is SilentKnock, which embeds the knock secret in the initial TCP SYN packet itself, in the sequence number field, a technique borrowed from network steganography.
Julian Kirsch's Master's thesis with the full details on TCP Stealth can be found here. The kernel patch (against Linux 3.16 and 3.18), libknockify and toy example programs are attached to this page.
We provide patches for several applications to make use of the functionality introduced by the kernel patch.
In order to use Knock's functionality from user space in your programs, you have to make sure that the following four preprocessor constants are defined:
TCP_STEALTH
TCP_STEALTH_INTEGRITY
TCP_STEALTH_INTEGRITY_LEN
TCP_STEALTH_SECRET_SIZE
There are several possibilities. Either your libc implementation exports the constants in <netinet/tcp.h> (none do at the time of writing). Alternatively, you can use the headers_install target of your patched Linux kernel source to install the kernel headers, which export the constants to user space; in this case <linux/tcp.h> is the file that needs to be included in the source. As a third way, grep for the names of the four constants in the patch you applied to your kernel and define them manually. (Be warned that the values of the constants differ not only across operating systems but also between Linux kernel versions: the option numbers are assigned by the patch, and a TCP socket option number that is free in one kernel version may belong to an unrelated option in another, so never copy values from a patch for a different kernel.)
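As an added example (not code from the Knock distribution or from the attached toy programs), the following C program shows how user-space code picks up the four constants and applies them with setsockopt(). The option numbers are taken from whatever headers are in scope at compile time and carried in a struct at run time, so nothing is guessed. The struct and function names are this example's own, and the setsockopt() payload shapes (the zero-padded secret for TCP_STEALTH, the initial payload bytes for TCP_STEALTH_INTEGRITY on the client, an int for TCP_STEALTH_INTEGRITY_LEN on the server, both set before connect() or listen()) are assumptions taken from the thesis, not something this page states.

```c
/* knock_probe.c: added example, not part of the Knock distribution.
 * Picks up TCP_STEALTH, TCP_STEALTH_INTEGRITY, TCP_STEALTH_INTEGRITY_LEN and
 * TCP_STEALTH_SECRET_SIZE from the headers and applies them to a socket.
 * Payload shapes below are assumptions based on the TCP Stealth thesis. */
#include <errno.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

struct knock_opts {
    int    opt_secret;        /* TCP_STEALTH */
    int    opt_integrity;     /* TCP_STEALTH_INTEGRITY */
    int    opt_integrity_len; /* TCP_STEALTH_INTEGRITY_LEN */
    size_t secret_size;       /* TCP_STEALTH_SECRET_SIZE */
};

/* Fill o from the constants exported by <netinet/tcp.h> or <linux/tcp.h>.
 * Returns 1 on success, 0 if this header set does not define all four.
 * Deliberately no numeric fallback: an option number that is free in one
 * kernel version may belong to an unrelated option in another. */
int knock_opts_from_headers(struct knock_opts *o)
{
#if defined(TCP_STEALTH) && defined(TCP_STEALTH_INTEGRITY) && \
    defined(TCP_STEALTH_INTEGRITY_LEN) && defined(TCP_STEALTH_SECRET_SIZE)
    o->opt_secret        = TCP_STEALTH;
    o->opt_integrity     = TCP_STEALTH_INTEGRITY;
    o->opt_integrity_len = TCP_STEALTH_INTEGRITY_LEN;
    o->secret_size       = TCP_STEALTH_SECRET_SIZE;
    return 1;
#else
    memset(o, 0, sizeof *o);
    return 0;
#endif
}

/* Copy a passphrase into a fixed-size, zero-padded secret buffer.
 * Returns 0, or -1 if the passphrase would be silently truncated. */
int knock_pad_secret(const char *passphrase, unsigned char *buf, size_t secret_size)
{
    size_t n = strlen(passphrase);
    if (n > secret_size)
        return -1;
    memset(buf, 0, secret_size);
    memcpy(buf, passphrase, n);
    return 0;
}

/* Client side: install the secret and, optionally, the first payload bytes
 * the knock should bind (assumed shape of TCP_STEALTH_INTEGRITY). Call before
 * connect(). Returns 0 or -errno; -ENOPROTOOPT means the kernel is unpatched. */
int knock_apply_client(int fd, const struct knock_opts *o, const unsigned char *secret,
                       const void *payload, size_t payload_len)
{
    if (setsockopt(fd, IPPROTO_TCP, o->opt_secret, secret, (socklen_t)o->secret_size) < 0)
        return -errno;
    if (payload_len > 0 &&
        setsockopt(fd, IPPROTO_TCP, o->opt_integrity, payload, (socklen_t)payload_len) < 0)
        return -errno;
    return 0;
}

/* Server side: install the secret and the number of initial payload bytes to
 * verify (0 disables integrity checking). Call before listen(). */
int knock_apply_server(int fd, const struct knock_opts *o, const unsigned char *secret,
                       int integrity_len)
{
    if (setsockopt(fd, IPPROTO_TCP, o->opt_secret, secret, (socklen_t)o->secret_size) < 0)
        return -errno;
    if (setsockopt(fd, IPPROTO_TCP, o->opt_integrity_len,
                   &integrity_len, sizeof integrity_len) < 0)
        return -errno;
    return 0;
}

int main(void)
{
    struct knock_opts o;
    unsigned char secret[256];  /* generous upper bound for TCP_STEALTH_SECRET_SIZE */
    int fd, rc;

    if (!knock_opts_from_headers(&o)) {
        fputs("TCP Stealth constants not exported by your headers\n", stderr);
        return 1;
    }
    if (o.secret_size > sizeof secret ||
        knock_pad_secret("correct horse battery staple", secret, o.secret_size) < 0) {
        fputs("secret does not fit TCP_STEALTH_SECRET_SIZE\n", stderr);
        return 1;
    }
    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) { perror("socket"); return 1; }
    rc = knock_apply_server(fd, &o, secret, 0);
    printf("knock_apply_server: %s\n", rc == 0 ? "ok" :
           rc == -ENOPROTOOPT ? "kernel not patched" : strerror(-rc));
    close(fd);
    return rc == 0 ? 0 : 1;
}
```

Built against unpatched headers the program reports that the constants are missing rather than guessing numbers; built against patched headers but run on an unpatched kernel, setsockopt() fails with ENOPROTOOPT, which is the quickest way to tell the two failure modes apart.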
The download section contains a patch that enables OpenSSH 6.7p1 (and very likely nearby versions) to use Knock's authentication mechanism. Several steps need to be taken to customize OpenSSH (assuming the running kernel has already been patched with the Knock patch):
openssh-6.7p1 $ patch -p1 < path/to/the/downloaded/openssh/openssh-knock-patch.diff
openssh-6.7p1 $ ./configure
To specify a secret on both sides, use the newly introduced SSH configuration option or (not recommended, since command-line arguments are visible to other local users in the process list) the -z command line argument. The patch also extends the man pages of ssh, ssh_config, sshd and sshd_config, which give more information. Notice: due to limitations of the SSH protocol, TCP Stealth cannot offer integrity protection for, for example, the key material exchanged by OpenSSH. Since only the authentication part is used, it is especially critical that TCP timestamps are enabled (net.ipv4.tcp_timestamps on Linux): the knock value is derived using the SYN's TCP timestamp, so without timestamps a captured valid SYN can be replayed and the protection against port scanners is largely lost.
A patch for systemd can be found in the download section which enables Knock's authentication and integrity protection for applications that let systemd create their listening sockets (socket activation). Several steps need to be taken to customize systemd (assuming the running kernel has already been patched with the Knock patch):
In order to enable the functionality at runtime, the new configuration options TCPStealthSecret and TCPStealthIntegrityLen are available in .socket unit files. TCPStealthSecret specifies the TCP Stealth secret, whereas TCPStealthIntegrityLen is an unsigned integer giving the number of bytes at the start of the connection's payload that should be integrity protected (0 means disabled). Note that unit files are ordinarily world-readable, so restrict the permissions of any .socket file that carries a secret.
In the future, we plan to integrate Knock with GNUnet to enable running peers in "stealth" mode, which would be useful for users that do not want to make it obvious that they are operating a GNUnet peer at a particular IP address. We hope to convince the kernel community to adopt this patch. Once this happens, we hope that projects that care about privacy and security (for example, Tor and OpenSSH) will add support for this option.
Knock was designed and implemented by Julian Kirsch, Maurice Leclaire and Christian Grothoff. We thank Jacob Appelbaum for constructive discussions on an earlier version of the design.
| Attachment | Size |
| --- | --- |
| Knock patch for Linux 3.18 | 17.98 KB |
| Signature of the 3.18 patch | 287 bytes |
| Knock patch for Linux 3.16 | 18.23 KB |
| Signature of the 3.16 patch | 287 bytes |
| Example client and server programs | 1.43 KB |
| Signature of the example programs | 287 bytes |
| Shared library to enable TCP Stealth for legacy code (libknockify) | 26.3 KB |
| Signature of libknockify | 287 bytes |
| Adds TCP Stealth support to the Linux version of OpenSSH | 19.29 KB |
| Signature of the patch for OpenSSH (Linux) | 287 bytes |
| Adds TCP Stealth support to the OpenBSD version of OpenSSH | 13.75 KB |
| Signature of the patch for OpenSSH (OpenBSD) | 287 bytes |
| Adds TCP Stealth support to systemd | 4.88 KB |
| Signature of the patch for systemd | 287 bytes |
| TCP Stealth patch for FreeBSD 10.0 | 18.25 KB |
| Signature of the FreeBSD 10.0 patch | 287 bytes |