Michael Rash, Security Researcher

The Security Properties of Port Knocking and SPA

There has been a recent thread on the Security Focus Security Basics mailing list entitled Port Knocking Vulnerabilities. It seems that a common concern in this thread is to concentrate on whether a service that is protected by a default-drop packet filter and associated port knocking or Single Packet Authorization system can be detected remotely by an attacker. That is, people seem to associate the security of port knocking and SPA with whether or not a service protected by such a mechanism can be detected. Some in the thread make a case that protected services can be detected through timing attacks whereby packet latencies with surrounding systems are monitored for variances which indicate the existence of a particular service or services behind the packet filter. To this I responded:

   Timing attacks can come up with some really interesting information, I agree. However, I'm not aware of an application of timing attacks against default drop packet filters to answer the question "is service XYZ really running behind the filter". Sure, as an attacker, you can collect timing differences between round trip times to all sorts of devices that the target system may be communicating with, but I doubt if there is a reliable way to infer that a _particular_ service is listening as result. After all, the steady state of such as service may be that there are no sessions at all; only the occasional administrative session to run a couple of commands and then it exits. Note that I'm not questioning whether it is possible to determine if a _system_ exists; I'm questioning whether it is possible to determine if a particular service running on a system exists. To do so, such a timing attack would have to differentiate between "tcp port 22" communicating vs. "tcp port 23", etc. I'm skeptical, and if people think it is possible, I would like to see relevant papers that make this clear.

I find it interesting that people concentrate on whether a service protected by a default-drop packet filter and a port knocking or SPA system is detectable. Let's assume for a moment that such a timing attack is able to give an attacker a high probability that SSH is really running behind a port knocking or SPA system. Now, what would the attacker be able to do to exploit a vulnerability (zero day or otherwise) in the SSH daemon? It is easier to subvert the port knocking protocol (I wrote a paper on this here if anyone is interested:, but how about SPA?

Perhaps this discussion could be extended on Sebastien Jeanquier's online Single Packet Authorization forum.