Rich Pieri wrote:
> Tom Metro wrote:
>> While I can imagine some implementations of port knocking, where failed
>> knock sequences shut down a service, there are certainly other
>> implementations where that is not the case.
>
> That's precisely what I mean. Combine port knocking, automatic IP block,
> and IP address spoofing and you have a very easy denial of service. I am
> aware that there are workarounds to this...
Not merely workarounds... it's trivial to design a port knocking scheme that is resistant to DoS attacks.

Some of the more interesting port knocking schemes actually use cryptographic payloads in the packets, rather than merely accessing a sequence of ports. You fire a packet at an unresponsive port (could even be contained in an ICMP ping), and if the server likes what it sees, it opens a port or starts a state machine to track additional knocks. The server can rate limit these packets, so the machine won't become overwhelmed.

OpenVPN optionally makes use of a similar technique, where it first looks for a packet with a known key, and doesn't allocate any connection resources until it first sees that.

Of course any public facing server is subject to DoS attacks if the sender can overwhelm your inbound bandwidth.

 -Tom

-- 
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
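The design Tom describes, sketched as an added example (not code from this thread, from OpenVPN, or from any existing port-knocking tool): a single knock packet carries a timestamp, a nonce and an HMAC under a pre-shared key; the server does only a cheap per-source rate check before the HMAC, drops anything it dislikes silently, and never adds a source to a block list, so spoofed sources cannot lock out a legitimate host. The key, window and limit values are constructed for the demo.

```python
import hashlib
import hmac
import os
import struct
import time
from collections import deque

KEY = b"constructed-demo-shared-secret"  # assumption: pre-shared knock key
WINDOW = 30       # seconds a knock timestamp stays valid
RATE_LIMIT = 5    # knock packets accepted per source per WINDOW

def make_knock(key, now=None, nonce=None):
    """Client side: 8-byte timestamp | 8-byte nonce | 32-byte HMAC-SHA256."""
    ts = int(now if now is not None else time.time())
    nonce = nonce if nonce is not None else os.urandom(8)
    body = struct.pack(">Q", ts) + nonce
    return body + hmac.new(key, body, hashlib.sha256).digest()

class KnockServer:
    def __init__(self, key):
        self.key = key
        self.seen = {}     # nonce -> expiry time, for replay rejection
        self.hits = {}     # src -> recent knock times; throttles, never blocks
        self.opened = set()

    def _rate_limited(self, src, now):
        q = self.hits.setdefault(src, deque())
        while q and q[0] <= now - WINDOW:   # old entries age out on their own
            q.popleft()
        if len(q) >= RATE_LIMIT:
            return True
        q.append(now)
        return False

    def handle(self, src, packet, now=None):
        """Return True and 'open' the port for src only on a valid, fresh knock."""
        now = now if now is not None else time.time()
        # Cheap checks first, so a flood costs the server little CPU;
        # a failed knock is dropped silently and the source is never blocklisted.
        if self._rate_limited(src, now) or len(packet) != 48:
            return False
        body, tag = packet[:16], packet[16:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False
        ts = struct.unpack(">Q", body[:8])[0]
        nonce = body[8:16]
        if abs(now - ts) > WINDOW:          # stale or future-dated knock
            return False
        self.seen = {n: e for n, e in self.seen.items() if e > now}
        if nonce in self.seen:              # replayed knock
            return False
        self.seen[nonce] = ts + WINDOW
        self.opened.add(src)                # real deployment: add a firewall rule here
        return True
```

Note that the per-source throttle expires on its own after WINDOW seconds, which is the property that keeps spoofed failures from turning into a lasting denial of service.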