Knowing the Secret Port Knock Can Open Your System

Good Guys and Bad Guys Are Using This Method To Open Ports

Hacker using computer at night
Westend61/Getty Images

Ideally you want to restrict and control the traffic that is allowed into your network or computer. This can be done in a variety of ways. Two of the primary methods are to make sure that unnecessary ports on your computer are not open or listening for connections and to use a firewall- either on the computer itself or at the network perimeter- to block unauthorized traffic.

By monitoring traffic and manipulating firewall rules based on events it is possible to create a sort of "secret knock" that will open the gate and let you through the firewall.

Even though no ports may be open at the time, a specific series of connection attempts to closed ports may provide the trigger to open a port for communication.

In a nutshell, you would have a service running on the target device which would watch network activity- typically by monitoring firewall logs. The service would need to know the "secret knock"- for example failed connection attempts to port 103, 102, 108, 102, 105. If the service encountered the "secret knock" in the correct order it would then automatically alter the firewall rules to open a designated port to allow remote access.

The malware writers of the world have unfortunately (or fortunately- you'll see why in a minute) begun to adopt this technique for opening backdoors on victimized systems. Basically, rather than opening ports for remote connection that are readily visible and detectable, a Trojan is planted which monitors the network traffic.

Once the "secret knock" is intercepted the malware will awaken and open the predetermined backdoor port, allowing the attacker access to the system.

I said above that this may actually be a good thing. Well, getting infected with malware of any sort is never a good thing. But, as it stands right now once a virus or worm starts opening ports and those port numbers become public knowledge the infected systems become open to attack by anyone- not just the writer of the malware that opened the backdoor.

This greatly increases the odds of becoming further compromised or of a subsequent virus or worm capitalizing on the open ports created by the first malware.

By creating a dormant backdoor that requires the "secret knock" to open it the malware author keeps the backdoor secret. Again, that is good and bad. Good because every Tom, Dick and Harry hacker wannabe won't be out port scanning to find vulnerable systems based on the port opened by the malware. Bad because if it's dormant you won't know it's there either and there may not be any easy way to identify that you have a dormant backdoor on your system waiting to be awakened by port knocking.

This trick can also be used by the good guys as pointed out in a recent Crypto-Gram newsletter from Bruce Schneier. Basically an administrator can completely lock down a system- allowing no external traffic in- but implement a port-knocking scheme. Using the "secret knock" the administrator would then be able to open a port when necessary to establish a remote connection.

It would obviously be important to maintain the confidentiality of the "secret knock" code. Basically, the "secret knock" would be a "password" of sorts which could allow unrestricted access to anyone who knew it.

There are a number of ways to set up port knocking and to ensure the integrity of the port knocking scheme- but there are still pros and cons to using port knocking a security tool on your network. For more details see How To: Port Knocking on LinuxJournal.com or some of the other links to the right of this article.

Editor's Note: This article is legacy content and was updated by Andy O'Donnell on 8/28/2016.