General discussion


Be aware of potential threats from port knocking

By MaryWeilage Editor ·
Do you have any experience with port knocking and the types of back doors associated with it? Do you frequently use freeware or shareware? Do you agree that it's potentially insecure? Share your comments about protecting your network from port knocking, as discussed in the March 19 Security Solutions e-newsletter.

If you haven't subscribed to our free Security Solutions e-newsletter, sign up today!

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Comments

Collapse -


by EdLockett In reply to Be aware of potential thr ...

I agree with all the points you make. I think we will have to watch closely for this threat in the future. However there is no need to be too worried - I think you should have mentioned that such scepticism towards software that may contain trojans need only really apply to machines connected directly to the internet. Inside a firewall of course a machine would be beyond reach of 'port knocking' activity. I think that current personal firewalls would protect against this threat already. So such a policy is definitely important for firewalls, and machines in the DMZ, but for others it will be less important.
I would imagine that it would be possible for firewall products / antivirus / anti-malware programs to check for processes that may be 'listening' for the port knocks you describe. Hopefully we will see this kind of functionality being integrated into products soon, to protect machines that are in the DMZ.

Collapse -

Agree 100%

by Mike Mullins In reply to Firewall

Thanks for filling in the blanks Ed. Our internal networks have gotten more secure. However, it's the home user with little or no firewall protection and the machines in our DMZ that aren't filtered properly that are poised to do all the damage.
Mike Mullins

Collapse -

Need to educate casual users

by EdLockett In reply to Agree 100%

Yes, the biggest threat to networks as a whole is always going to be machines belonging to users not up to speed with security. There needs to be a way to get a simple message to the masses : get a firewall! I wonder if anybody is in the position to commission TV ads or suchlike to get the idea across?

Collapse -

Cover your tracks

by toreador In reply to Be aware of potential thr ...

I use free and share-ware all the time. After the initial download I scan the file with my A/V software. After the app is installed I run Adaware AND Spy-Bot to see what "extras" were put on my PC in the process. A fun little exercise is to run the spy-killers right before the install so you know exactly what was deposited by the free/share application when you run it afterwards. Most of the time they do not add any unwanted spies but sometimes...

Collapse -

true but.....

by MaxPower1111 In reply to Cover your tracks

As the author pointed out. it can lie dormant until the perpotrator activates it. Suppose it's brand new and the perpotrator distributes 10,000 copies of a given freware containing such a payload. AV and anti-spyware does not yet have a signature file to recognize this particular string of code. then 2 weeks down the road he/she activates all 10,000 at once. Guess what.....too late. what's done is done.

Collapse -


by walker_ In reply to Be aware of potential thr ...

I'm not a network admin so I'm coming at this from a home user point of view. I use a firewall, keep my anti-virus up to date, and am generally a security minded individual who tries to stay educated about the latest threats and how to combat them.
I'm troubled by something in the article - how can a dormant trojan be activated by port knocking if it's not listening on any ports?

Collapse -


by MaxPower1111 In reply to Curious

perhaps some kind of passive sniffing. If you install a sniffer on your machine and take a capture, you'll see traffic hitting you on a number of different ports. This does not mean that your OS is "listening" on these ports. but the sniffer still sees the contents of the packet and reads what port (TCP/UDP) it is destine for.

Collapse -

what happen

by pberg In reply to Be aware of potential thr ...

I have MaFee:(virus scan) (firewall plus) (privecy service) (anti spam) (secure IE)and last week I was infected 2 times by virus: NetSky.c@mm,could it be port knocking.???? Iam still wondering, I hope that this can be useful to others who have security tools.

Collapse -

by Tin Man In reply to what happen

How often do you check for updates? The many variants are coming out weekly. If you use automatic update, check the frequency. A default could be weekly, or even monthly, and that's not frequent enough anymore.

Also, there is a time lag (albiet short) between discovery and the various vendors adding it to their signature files. Unfortunately, we can only depend on vendors before the thing runs rampant. I routinely check my signatures at least every other day. If it's more than 3 days old, I will do a manual check and update if new one is available (i.e., came out between the automated updates).

Collapse -

by Tin Man In reply to Be aware of potential thr ...

The hardware firewalls I have used allow one address (computer), behind the firewall, in a DMZ. By setting a non-existent ip address in the DMZ, port scanners will not get any response, open or closed. The scan utility times out without a response and moves on. Even a "closed" response is a hit on a valid address and the scanner may try again later in case it is open then.

A "Shields Up" scan at will check your ports. By default, it checks the first ~1053 ports (most common). You can also check specific ports and other things. If it doesn't get an "open" or "closed" on the ports, you get a "Stealth" rating.

Related Discussions

Related Forums