new match extension to implement port knocking in one
Alexey Toptygin
alexeyt at freeshell.org
Thu Oct 12 22:41:29 CEST 2006
On Wed, 11 Oct 2006, Luis Floreani wrote:
>> If you're interested in port knocking, you might want to read this
>> paper: http://www.acsac.org/2005/abstracts/156.html It covers security
>> issues relating to port knocking in detail, and presents an architecture
>> for solving most of them.
>>
>> Full disclosure: I wrote that paper. Feel free to contact me if you
>> have questions.
>>
>> Rennie deGraaf
>
> In our implementation, for security, we are using the Tumbler protocol, we
> found it simple yet powerful, check it out here:
> http://tumbler.sourceforge.net/.
It seems that Tumbler is not capable of working across NAT, unless the
client can somehow obtain its public IP address. Also, it relies on clocks
being synchronized, since authentication will fail if the UTC time in
minutes is not identical on the client and server. Tumbler is not as
stealthy as the techniques in Rennie deGraaf's paper, since it uses an
open UDP port.
Finally, I doubt the cryptographic security of the Tumbler protocol - it
relies on a SHA256 hash over the UTC time (in minutes), the client's IP
and the shared secret. Observing a few authentications from the same
client will give you hashes of strings with known prefixes (time + IP) and
a fixed suffix (the secret). The insertion of the optional username
between the time and IP (not at the end as documented) increases security
slightly by making the pattern known,fixed,known,fixed but I think some
attacks will still be possible because there are multiple ralated
plaintexts with no random parts.
Alexey
More information about the netfilter-devel
mailing list