custom port knocking

Discussion in 'other firewalls' started by mikeo1313, Aug 20, 2007.

Thread Status:
Not open for further replies.
  1. mikeo1313

    mikeo1313 Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    108
    I wonder if this question should go on a programming forum but I'm giving this a shot here first.

    Over the past couple of days I have been going through as many posts as I can on this forum, since they seem informative and some here seem to really know their stuff.

    Besides learning of a whole bunch of methods and software, I happened to run across this concept of port knocking.
    http://en.wikipedia.org/wiki/Port_knocking

    Apparently net administrators & some malware use this access method.

    It just made me wonder of the following:

    1.a. When a TCP packet is sent, does it arrive with date & time sent data from the origin?

    1.b. Is a knock similar to a ping? How?

    1.c. In consideration of the port "knocked" on... is a port "knockable" even if it's "stealthed"?

    1.d. When a port is stealth or closed, is the data in the TCP packet rejected, or can the port be publicly perceived to be stealth or closed and at the same time be aware of any string data that can be sent with this TCP knock?

    2. Does anyone know if any of the firewalls discussed in this forum have some type of port knocking functionality built in?

    3. Cryptographic hashes in the port knocking sequence sounds very interesting.... has anyone ever run across a hardware or software solution that handles this? Got a link?

    4. Can anyone recommend software for testing server, firewall, HW or software load capacity on your own?
    I used to know of a site that would perform some great benchmarks of different hardware and server software configurations... but... it would always reflect an enterprise environment of sorts... I just thought it would be great to be able to at least know how to test load capacity/user experience in-house for anything as simple as a blog, webpage or even dynamic site or db on my own cheap hardware... to fiddle around... In simple terms, did you ever flood your own network to find out how much it can take, and how did you do it?

    Thank you for your time, attention and valuable info.
     
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    It can do (TCP option 8), but I don't normally see a timestamp/this option

    Not really, you would not get a reply from a "Knock", but ICMP can be used to "Knock"

    A stealthed port is basically only a port that will not reply, so yes. Software will listen on port(s), accept the packets, but give no reply.

    A packet can be accepted/logged/examined but no reply sent to the packet. But this depends on the software being used.

    I have not seen this within a firewall, it is usually an addon/extra software but have only seen this mainly for linux etc (not windows). I did see a post that mentioned an addon for CHX for this, but never got around to looking at it.

    It is not software I have taken time to look at. But you could look at:- http://www.portknocking.org/

    Sorry, I cannot give details of flooding software, this would be against the Forum TOS
     
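A defender-side illustration of what Stem describes above, added here and not from the thread or from any of the tools it links: a knock listener that only records SYNs to stealthed ports, never replies, and derives the expected sequence per time slot from an HMAC over a shared secret (the hashed-sequence idea from question 3, so a captured sequence cannot simply be replayed later). The secret, slot length, window and sample events are constructed values.

```python
import hmac
import hashlib
import struct

SECRET = b"constructed-shared-secret"  # assumed shared between client and knock daemon
KNOCK_SEQ_LEN = 3                       # number of knocks in a sequence
WINDOW_SEC = 10                         # max gap between consecutive knocks from one source


def knock_sequence(secret: bytes, slot: int) -> list:
    """Derive the knock ports for a time slot from HMAC-SHA256(secret, slot).

    Each port lands in 1024..65535; the sequence changes every slot, so a
    sequence observed on the wire is useless once the slot has passed."""
    digest = hmac.new(secret, struct.pack(">Q", slot), hashlib.sha256).digest()
    ports = []
    for i in range(KNOCK_SEQ_LEN):
        raw = int.from_bytes(digest[2 * i:2 * i + 2], "big")
        ports.append(1024 + raw % (65535 - 1024 + 1))
    return ports


class KnockDaemon:
    """Tracks per-source progress through the knock sequence.

    The daemon sits behind stealthed ports: it sees the SYN (from a packet
    filter log or raw socket), sends nothing back, and only flips a flag when
    the full sequence arrives in order and within the time window."""

    def __init__(self, secret: bytes, slot_sec: int = 60):
        self.secret = secret
        self.slot_sec = slot_sec
        self.progress = {}   # src -> (next index expected, timestamp of last knock)
        self.opened = set()  # sources that completed the sequence

    def observe(self, src: str, dport: int, ts: int) -> bool:
        """Feed one logged SYN to a closed/stealthed port; True once src is authorised."""
        seq = knock_sequence(self.secret, ts // self.slot_sec)
        idx, last = self.progress.get(src, (0, ts))
        if ts - last > WINDOW_SEC:
            idx = 0                                   # too slow: start over
        if dport == seq[idx]:
            idx += 1                                  # correct knock, advance
        else:
            idx = 1 if dport == seq[0] else 0         # wrong knock resets; scanners never advance
        if idx == len(seq):
            self.opened.add(src)                      # here a real daemon would add a firewall rule
            self.progress.pop(src, None)
            return True
        self.progress[src] = (idx, ts)
        return False
```

Because the sequence is recomputed from the timestamp on every knock, a client must complete all knocks inside one slot; the window check separately drops sources that pause too long between knocks.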
  3. mikeo1313

    mikeo1313 Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    108
    That's a great link!! thanks...

    You did mention a key phrase there... it depends on the software..
    I guess to take or utilize any type of port knocking to any level beyond anything that isn't simple it will take knowing tcp/ip and some programming..

    On that page there are a few pieces of software in different languages /w different features..

    This discussion reminded me of a company that considered tcp/ip to be "chatty" and had a solution for enterprises to improve network throughput by 50 or 200%.. unsure of any names since it was a while ago...


    As far as doing home tests and flooding.. I accept and understand if any of that information isn't allowed here.. but if it makes any difference... I didn't necessarily mean to bring up a harmful topic with bad intentions. I can imagine how anyone can use knowledge in a bad way.. But jik I was misinterpreted, I simply wondered how you can actually and precisely put the following quote to the test, from my previous wikipedia link in post 1:

    "...The software required, either at the server or client end, is minimal and can in fact be implemented as simply as a shell script for the server or a Windows batch file and a standard Windows command line utility for the client. Overhead in terms of traffic, CPU and memory consumption is at an absolute minimum..."

    So I just came to think, well, you can hypothesize a super fancy cryptographic hash knocker can definitely take more resources than a simple script, and even in both cases there will always be the consideration of capacity limit, since everything has its limits... Furthermore I then found it interesting to be able to tie that type of testing methodology into testing other things like a website or a database, at home, most importantly/interestingly on your own mix of equipment & software, etc. or maybe that's hosted by a shared webhost... to get a precise idea of your hw & sw limitations with some type of statistical output that can give things such as response time and capacity based on certain user activities...

    I did find the site I alluded to in my first post, that tests enterprise systems:
    http://www.anandtech.com/IT/showdoc.aspx?i=2447&p=7

    It seems like they gave their site a facelift since the last time I saw it.. unfortunately I lost the link to an awesome test they did some time ago of the different databases out there... they did an awesome comparison and showed very precisely how the different OS's paired with different DB's performed as to giving simultaneous users and some other stats.

    In these links they talk of different standardized testing methodologies and/or actual results:
    http://www.networkcomputing.com/netdesign/server2.html

    http://www.tpc.org/tpcc/results/tpcc_price_perf_results.asp?resulttype=all

    Maybe sourceforge will have something, because I bet the vendors of some of those performance programs probably ask for some big bucks..

    I understand nobody asked for these links... but maybe someone would find them interesting and you'll better understand my last question had more legitimate intentions, though I can understand/accept how the "flooding" term was a bad one and may allude to some questionable intentions/activities.

    Thank you
     
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    It's more a case of if software can be found that is fully compatible, as there is a need for the "knock" software to integrate with the firewall or server. There are probably firewalls around that can have Knock software (via scripts) but as I said, I have not really looked into this much, as most are for linux (not windows).

    I have found the link for the "Knock" software for CHX-I 3 [ http://sourceforge.net/projects/knockknock ] so I will try to find time over the next couple of days to have a look at this.

    Regards,
     