Port knocking - filtering duplicate UDP packets

daviddem · Sun Jan 08, 2012 8:07 am

Hello,

I am trying to setup port knocking on my 450G. I am seeing duplicate UDP packets at my WAN interface (to anticipate questions: yes, I am sure that I am sending only one UDP packet as per wireshark running on my test machine, and when I test from the LAN with the same laptop only one UDP packet arrives at the firewall). A bit of research tells me that duplicate UDP packets are a well-known network phenomenon related to the unreliability of the UDP protocol, and software is supposed to be able to deal with these.

Now how do I auto-drop these duplicates in the firewall, so that they don't mess up my knocking sequence? I am trying to use the "limit" feature. For example I set up my rule to accept only one packet per second and 0 burst packets. No chance. The two UDP packets (which arrive at the WAN interface almost simultaneously) still make it to the "port-knock" chain.

What am I doing wrong here? Looks like I am misusing the limit feature?

 8   ;;; Port knock test
     chain=input action=jump jump-target=port-knock src-address-list=!k-fail limit=1,0

MCT · Sun Jan 08, 2012 11:54 am

Don't bother trying to do it that way. The easiest way to do port knocking is using lists. When something hits the first port it's added to a first-knock list. When something hits the second port and the IP is in first-knock it gets added to second-knock. You can progress with this as far as you want. The last time I played with it I had the time out set for five seconds on the lists, and an hour for the authorized-knock though that hour would get reset each time a connection was made from that IP.

daviddem · Sun Jan 08, 2012 12:58 pm

I am using lists (inside the "port-knock" chain). However if you let the next knock be anything without locking and resetting the knocking process on a wrong knock, then potentially an attacker could knock at all the ports 3 times in 5 seconds and get through the process successfully just because the three correct knocks will have been among his 196,608 knocks. That is why I have decided to impose that the next packet has to be exactly the expected one (this is done in the port-knock chain).

Back to the OP question: what is it that I am doing wrong with that "limit" thing?

daviddem · Sun Jan 08, 2012 3:13 pm

OK my bad, the limit feature works fine, I had a "rogue" firewall rule that I used for testing yesterday and forgot to disable, and it was matching the same packets as the ones I put the limit on, giving me the wrong impression.

Also, I did not really have duplicate UDP packets, although these are in theory possible. This was also caused by the same bug

Well at least I did not completely waste my day, I learned a few things along the way...

Thanks for helping.

daviddem · Sun Jan 08, 2012 3:40 pm

FWIW, here is how I built my port-knock chain, to impose that each packet has to be in sequence and correct. If not, the src-ip is added to the k-fail list, which prevents another try for 30 seconds by the jump rule (no need for the limit that was in the OP):

8   ;;; Port knock test
     chain=input action=jump jump-target=port-knock src-address-list=!k-fail

The first knock gets the src-ip into the k-1 list for 10 seconds, the second knock into k-2, etc until k-4, where the ip is added for one hour.

I use the portknock app of Greg Sowell for the knocks. However I have noticed that when mixing tcp and udp knocks on my high latency satellite connection, they often arrive out of sequence at the target interface. So I modified his code to allow me to increase the delay between the knocks (increasing the delay too much is also a problem though, because the knocks then get mixed up with the automatic tcp retransmissions of the operating system, which happen when the syn packets are left unreplied to).

Anyway, here is the code for the port-knock chain. It's a long chain, but very few packets go through it thanks to the 30 seconds ban of the k-fail list. There may be ways to achieve the same more elegantly. (Chain starts at item #3 because I have logging rules in 1-2-3 for testing).

 3   ;;; if src-addr is on k-4 list, return
     chain=port-knock action=return src-address-list=k-4 

 4   ;;; if src-addr is on k-3 list and dst-port is udp 12345, add src-addr to k-4 list
     chain=port-knock action=add-src-to-address-list protocol=udp src-address-list=k-3 address-list=k-4 address-list-timeout=1h dst-port=12345 

 5   ;;; ---- if src-addr is on k-4 list, return
     chain=port-knock action=return src-address-list=k-4 

 6   ;;; ---- if src-addr is on k-3 list, add src-addr to k-fail
     chain=port-knock action=add-src-to-address-list src-address-list=k-3 address-list=k-fail address-list-timeout=30s 

 7   ;;; ---- if src-addr is on k-fail list, return
     chain=port-knock action=return src-address-list=k-fail 

 8   ;;; if src-addr is on k-2 list and dst-port is udp 54321, add src-addr to k-3 list
     chain=port-knock action=add-src-to-address-list protocol=udp src-address-list=k-2 address-list=k-3 address-list-timeout=10s dst-port=54321 

 9   ;;; ---- if src-addr is on k-3 list, return
     chain=port-knock action=return src-address-list=k-3 

10   ;;; ---- if src-addr is on k-2 list, add src-addr to k-fail
     chain=port-knock action=add-src-to-address-list src-address-list=k-2 address-list=k-fail address-list-timeout=30s 

11   ;;; ---- if src-addr is on k-fail list, return
     chain=port-knock action=return src-address-list=k-fail 

12   ;;; if src-addr is on k-1 list and dst-port is tcp 13579, add src-addr to k-2 list
     chain=port-knock action=add-src-to-address-list protocol=tcp src-address-list=k-1 address-list=k-2 address-list-timeout=10s dst-port=13579 

13   ;;; ---- if src-addr is on k-2 list, return
     chain=port-knock action=return src-address-list=k-2 

14   ;;; ---- if src-addr is on k-1 list, add src-addr to k-fail
     chain=port-knock action=add-src-to-address-list src-address-list=k-1 address-list=k-fail address-list-timeout=30s 

15   ;;; ---- if src-addr is on k-fail list, return
     chain=port-knock action=return src-address-list=k-fail 

16   ;;; if dst-port is tcp 24680, add src-addr to k-1 list
     chain=port-knock action=add-src-to-address-list protocol=tcp address-list=k-1 address-list-timeout=10s dst-port=24680 

17   ;;; ---- if src-addr is not on k-1 list, add src-addr to k-fail
     chain=port-knock action=add-src-to-address-list src-address-list=!k-1 address-list=k-fail address-list-timeout=30s

MCT · Sun Jan 08, 2012 11:59 pm

I am using lists (inside the "port-knock" chain). However if you let the next knock be anything without locking and resetting the knocking process on a wrong knock, then potentially an attacker could knock at all the ports 3 times in 5 seconds and get through the process successfully just because the three correct knocks will have been among his 196,608 knocks. That is why I have decided to impose that the next packet has to be exactly the expected one (this is done in the port-knock chain).

Back to the OP question: what is it that I am doing wrong with that "limit" thing?

Port knocking doesn't provide much in the way of security anyway. If an attacker knows you're port knocking then it's a very weak security measure anyway. What it is good at is protecting services from automated attacks or hiding services.

I use something similar to what you're doing though I'm using TCP and sending some strings that get picked up by a L7 rule. The only thing I use it for is to keep the input chain hidden from automated scans and such. I would have an allowed IP in there but I travel quite a bit and don't always have the same IP. The only thing it does is allow me to ping the router and access the vpn.

daviddem · Mon Jan 09, 2012 8:53 am

I am using lists (inside the "port-knock" chain). However if you let the next knock be anything without locking and resetting the knocking process on a wrong knock, then potentially an attacker could knock at all the ports 3 times in 5 seconds and get through the process successfully just because the three correct knocks will have been among his 196,608 knocks. That is why I have decided to impose that the next packet has to be exactly the expected one (this is done in the port-knock chain).

Back to the OP question: what is it that I am doing wrong with that "limit" thing?
Port knocking doesn't provide much in the way of security anyway. If an attacker knows you're port knocking then it's a very weak security measure anyway. What it is good at is protecting services from automated attacks or hiding services.

I use something similar to what you're doing though I'm using TCP and sending some strings that get picked up by a L7 rule. The only thing I use it for is to keep the input chain hidden from automated scans and such. I would have an allowed IP in there but I travel quite a bit and don't always have the same IP. The only thing it does is allow me to ping the router and access the vpn.

Is it so weak really? I mean to eavesdrop on your knocks the attacker must be "in the middle", between you and the router, no? I would think most attackers out there on the net are not. And as you said, yes it makes everything look locked up to casual scans, so we don't look like interesting targets to the bots or script kiddies.

MCT · Mon Jan 09, 2012 4:37 pm

If someone is really interested in attacking your network they'll find a way to start intercepting your traffic. That's the reason why it's not considered a strong security measure as once they intercept the knocking sequence any security it once provided is gone. That's not to say it isn't useful. just don't rely on it as your only security measure.

Port knocking - filtering duplicate UDP packets

Port knocking - filtering duplicate UDP packets

Re: Filtering duplicate UDP packets

Re: Filtering duplicate UDP packets

Re: Filtering duplicate UDP packets

Re: Filtering duplicate UDP packets

Re: Filtering duplicate UDP packets

Re: Filtering duplicate UDP packets

Re: Port knocking - filtering duplicate UDP packets

Who is online