Hiding Devices Using Port Knocking or Single-Packet Authorization (SPA)

Invisibility sounds like something out of a fantasy novel, but if done properly, we can use it to hide computers, gateways, or individual PCs by implementing specific firewall techniques like port knocking or single-packet authorization (SPA).

The effectiveness of the technique has a lot in common with the traditional fantasy concept of invisibility and will be more effective in some situations and less effective in others.

Here we’ll discuss how port knocking and SPA work, best use cases, and how to use them.

Why Hide Servers?

Early in the attack process, attackers scan networks for vulnerabilities. They use tools and commands, such as nmap, to scan for visible devices on the network. Any device that responds with an IP address becomes a target and attackers will seek to understand more about the device.

Attackers scan devices for open ports, operating system information, and to determine the type of device associated with the IP address: server, PC, network equipment, or peripheral device (printer, WiFi-connected camera, etc).

The resulting information determines the priorities and the types of methods an attacker will pursue. For example, if port 23 is open on a server’s firewall, then the device may be vulnerable to attacks that exploit the Telnet protocol.

If we obscure an IP address, the attacker may overlook the hidden device. Even if the attacker knows the IP address, if we obscure the open ports, we can slow down or discourage the attack.

Also read: Top Vulnerability Management Tools

How Do Port Knocking and SPA Hide a Server?

Port knocking and single-packet authorization (SPA) add obfuscation-as-security to an existing security stack. Authorization must first be obtained before the server or gateway will respond to a packet request and until then, the server will “default drop” return packets that would normally indicate an active IP address or open port. The device will be rendered invisible to network scans.

Port knocking requires an admin to establish a daemon to watch for a predetermined sequence of packets that must be delivered by the appropriate protocols in order to open a communication port. For example, we could set up the required sequence as a 128 bit packet sent to TCP port 434, UDP port 6622, and TCP port 22122 in order to open the SSH protocol for communication on port 22.

Security can be improved further by making the sequence more complex. For example, we can specify specific times between packets, different packet lengths, specific IP ranges from which knocks will be accepted, etc.

Similarly, SPA installs a service, such as the open-source fwknop service, on a server or gateway to listen for specific instructions in an encrypted packet. The service will decrypt the packet for inspection and only respond if the single encrypted packet sent contains all the information required, such as the protocol and port numbers requested for communication. SPA is often integrated into zero trust solutions.

Once communication has been established with a specific IP address, only the sender from that specific IP address will be authorized and incorrect requests from other IP addresses will continue to be dropped. SPA security can be enhanced further by adding rules to the server such as requiring specific source ports from the sender.

Also read: Best Zero Trust Security Solutions

Port Knocking and SPA Implementation Risks

While powerful techniques, port knocking or SPA should only be used as an additional layer to traditional security and not as a replacement. These methods also require expert setup to ensure that these daemons remain active.

For example, if the port knocking daemon crashes, the server will no longer respond – even to the correct code! A second daemon should be watching over the Port-Knocking daemon to restart it if necessary.

Additionally, these technologies are strongest in obscurity. While we can use this technology on many devices, the advantage is lost on commonly used devices.

We can imagine this just as if it was invisibility in a fantasy setting. It doesn’t matter how invisible a person might be if everyone continues to talk to the void and hand it packets – an attacker will still know it is there to be attacked.

Similarly, if we use port knocking on VPN servers used by many different remote devices, this will increase the odds that a corrupted user device may render the defense useless. One bad click can give an attacker access to the endpoint from which the attacker will extract the server IP address and possibly even the knock requirements.

Use Cases for Hiding Servers

Port knocking and SPA have two primary use cases: obscuring assets and buying time in an attack.

Obscurity

The best use cases for this technique apply to situations where obscurity can be an advantage. Devices that have high value, lower usage rates, or access to a specific sub-group of employees make the most of a solution that introduces additional obscurity.

Some examples:

  • An evidence server on the network for the county’s sheriff department
  • A cloud-based data server storing backups or security log files
  • A Windows XP device running specialized equipment in the imaging department of a hospital

Stalling for Time

Although much of the security advantage comes through obscurity, the port-knocking protocol or SPA can be more broadly used as a deterrent. For example, we might accept that our internal DNS server will be quickly detected by an attacker, but we might only allow the DNS port to respond to DNS queries and drop all other commands until the user is authorized.

While an attacker may locate the server, adding the additional hurdle of determining the protocols and the sequences necessary to unlock the server will take more time. More time may allow our security team to notice the attack in progress or even encourage the attacker to go find an easier target.

Security in Combination

Port knocking and SPA become even more powerful when combined with other security options. For example, in addition to implementing SPA on a sheriff department’s evidence server, we can add a honeypot named “evidence server.”

The typical attack scan will miss the hidden server and lead to a focus on the honeypot. Cybersecurity alerts can be established on the honeypot and basic monitoring will notice anyone looking at the wrong server. Speed of response is critical to deterring attackers and this combination provides early warning.

Time to Turn Invisible?

The biggest hurdle to implementing port knocking or SPA is the technical challenge. Poorly done, you might make a server unreachable instead of just invisible to unauthorized users. This is a high price for failure for a solution with a narrow use case. Between this risk and the time required for expert installation, many IT managers pass on these techniques.

However, port knocking and SPA provide extremely useful options for adding security to specific systems and enhancing the effectiveness of honeypots. Even though they may cost more to implement and cannot be used effectively on all devices, both port knocking and SPA should be part of a comprehensive security arsenal for organizations of all sizes.

See our list of the best Active Directory Security Tools

Chad Kime
Chad Kime
Chad Kime combines his Electrical Engineering and MBA degrees to translate between technical language and common English. After managing over 200 foreign language eDiscovery projects, Chad values practicality over idealism. He has written on cybersecurity, risk, compliance, network security hardware, endpoint monitoring software, anime DVDs, industrial hard drive equipment, and legal forensic services.

Top Products

Related articles