Azuan Alias, Universiti Teknologi MARA (UiTM) “IT Security for the Next Generation” Asia Pacific & MEA Cup, Hong Kong 14-16 March, 2012 Simple Port Knocking Method against TCP Replay Attack and Port Scanning



Introduction

Port knocking = a concept for temporarily opening a certain port at the firewall

Gain access to a server behind the firewall

Method = a unique packet sequence used to knock on the server


Problem Statement

Only capable of integrating with an iptables firewall: Martin Krzywinski (2003).

Vulnerable to TCP replay attack, port scanning, security through obscurity and out-of-order packet delivery: Arvind Narayan (2004).

Complex solutions to harden the port knocking packet proposed by Jiun-Han Liew et al (2010), Vikas Srivastara et al (2011), Hussien Al Bahadili (2010).


Objective

Develop a simple port knocking method to mitigate TCP replay attacks and port scanning.

Compare it with other port knocking projects.


Significance

Reduced complexity = easy to integrate with the current architecture

Useful for system administrators


Literature Review

Project: Basic Port Knocking (2003)
Contribution: Introduced the port knocking system.
Strength: Makes use of firewall rules to open or close a port.
Weakness: Packet replay, scanning, out-of-order packet delivery. Needs to integrate with an iptables-based firewall.

Project: Port Knocking with Single Packet Authorization (2005 till present), also known as Fwknop+SPA
Contribution: Introduced a single packet as an authentication mechanism with a GPG key.
Strength: The packet used for authentication is encrypted. Difficult to replay.
Weakness: Out-of-order packet delivery is not discussed in this project.

Project: Network Security Using Hybrid Port Knocking (2010)
Contribution: Combination of cryptography, steganography and mutual authentication.
Strength: Difficult to replay the packet.
Weakness: Increases the overhead on packet size due to the use of steganography and cryptography.


Literature Review (cont.)

Project: One Time Knocking Framework using SPA and IPsec (2010)
Contribution: Enhanced the use of SPA by tying it together with IPsec.
Strength: The knocking password is only sent to smartphone users by the RNG server.
Weakness: Integrating IPsec with firewall rules requires a lot of modification. A complex system that is difficult to implement.

Project: Advanced Port Knocking Authentication Scheme with QRC using AES (2011)
Contribution: The QRC will spoof the IP address.
Strength: Port scans are difficult to carry out. An IP address is difficult to replicate.
Weakness: The complexity of its design may result in performance issues.


Basic Port Knocking Method

CLIENT - FIREWALL - SERVER

1) Client attempts a connection to the server with a predetermined port sequence to start SSH, i.e. ports 100, 200, 300.

2) Packet capture on the firewall identifies the knocking packets.

3) Firewall passes the sequence packets to the server.

4) Server validates the knocking sequence.

5) Server requests the firewall to ACCEPT packets from the client.

6) Firewall ACCEPTs the packet and passes it to the server.

7) Client starts the SSH service and establishes a connection.


Proposed Method

CLIENT - FIREWALL - SERVER

1) Client attempts a connection to the server to start SSH, with the source port sequence and destination port 5001.

2) Firewall ACCEPTs the packet, since port 5001 is open.

3) Firewall passes the packet to the server.

4) Server validates the source port used by the client. If yes, ACCEPT and START the SSH service; if no, DROP.

5) Client starts the SSH service and establishes a connection with a different destination port.


Proposed Method

User - Firewall - Port knocking server

1) Client accesses the server using a predetermined source port sequence.

2) Server validates the source port sequence.

If YES, start the service (SSH in this example) and send an execute message to notify the client.

If NO, ignore.

3) Client accesses the server to use SSH on a predefined port number.

4) Client sends another source port sequence to close/stop the service.

5) Server stops the service.
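
The server-side check in steps 1) to 5), as an added example rather than the author's implementation: a validator that tracks the source ports each client uses on destination port 5001 and starts or stops the service when a full sequence arrives in order. The port values in START_SEQ and STOP_SEQ, the 10-second window and the names KnockValidator and run are assumptions; the slides give only destination port 5001.

```python
KNOCK_PORT = 5001                   # destination port shown on the slide
START_SEQ = (40100, 40200, 40300)   # assumed source-port sequence (constructed)
STOP_SEQ = (40300, 40200, 40100)    # assumed stop sequence (constructed)
WINDOW = 10.0                       # assumed: seconds allowed per sequence


class KnockValidator:
    """Tracks per-client source ports seen on KNOCK_PORT (steps 1 to 5)."""

    def __init__(self):
        self.progress = {}        # client IP -> (ports so far, time of first knock)
        self.service_up = False   # whether the protected service (SSH) is started

    def observe(self, ts, src_ip, src_port, dst_port):
        """Feed one packet; return 'START', 'STOP' or None (ignored)."""
        if dst_port != KNOCK_PORT:
            return None
        ports, first = self.progress.get(src_ip, ((), ts))
        if ts - first > WINDOW:               # stale attempt: start over
            ports, first = (), ts
        ports += (src_port,)
        wanted = STOP_SEQ if self.service_up else START_SEQ
        if wanted[:len(ports)] != ports:      # wrong port or wrong order
            # the offending packet may itself begin a fresh attempt
            ports, first = ((src_port,), ts) if src_port == wanted[0] else ((), ts)
        if ports == wanted:                   # full sequence validated
            self.progress.pop(src_ip, None)
            self.service_up = not self.service_up
            return "START" if self.service_up else "STOP"
        self.progress[src_ip] = (ports, first)
        return None


def run(packets):
    """Feed constructed (ts, src_ip, src_port, dst_port) tuples; list the actions."""
    v = KnockValidator()
    return [a for p in packets if (a := v.observe(*p))]


# Constructed sample traffic (not captured data).
SAMPLE = [
    (0.0, "192.0.2.10", 40100, 5001),
    (0.1, "192.0.2.10", 40200, 5001),
    (0.2, "192.0.2.10", 40300, 5001),    # completes the start sequence
    (5.0, "198.51.100.7", 51515, 5001),  # ordinary source port: ignored
    (9.0, "192.0.2.10", 40300, 5001),
    (9.1, "192.0.2.10", 40200, 5001),
    (9.2, "192.0.2.10", 40100, 5001),    # completes the stop sequence
]
```

Because the check is a strict prefix match, knocks that arrive out of order or outside the window reset the attempt and the client has to knock again.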


Experimental Design

Test 1 (Sniffing)

Collect a port knocking sequence from a client and compare the differences between these 3 projects.

Test 2 (Scanning)

Scan the ports available on the server before and after the knock is made.

Test 3 (Performance)

The total time taken for a successful port knock on the server is collected. The fastest is considered the simplest.


Result Basic Port Knocking


Result FWKnop + Single Packet Authorization


Result Proposed Method


Result (scanning): Basic Port Knocking

[Figure: scan results, panels "Before" and "After"]


Result (scanning): FWKnop + Single Packet Authorization

[Figure: scan results, panels "Before" and "After"]


Result (scanning): Proposed Method

[Figure: scan results, panels "Before" and "After"]


Performance

[Chart: Time (sec), axis 0 to 140, for Basic Port Knocking, FwKnop + SPA and Proposed Method]

Project | Packet 1 (sec) | Packet 2 (sec) | Packet 3 (sec) | Packet 4 (sec) | Packet 5 Notification (sec) | Total (sec)
Basic Port Knocking | 10.331, 10.332, 10.831 | 10.332, 10.332, 10.833 | 10.335, 10.335, 11.311 | 10.338, 10.347, 10.853 | - | 126.510
FwKnop + SPA | 14.721, 14.721, 14.721 | -, -, - | -, -, - | -, -, - | - | 44.163
Proposed Method | 3.622, -, - | 3.622, -, - | 3.622, -, - | 3.623, -, - | 3.629 | 18.118


Conclusion

Source Port sequence

Start and Stop service

No change in Firewall rules = No Firewall integration = Less configuration


Thank You
