Port Knocker

I read an article somewhere about a new security practice known as port knocking. It sounded like a smart idea. Its goal is to make it difficult for TCP/IP port scanners to detect which ports are active on a given machine. The technique is for the machine to initially respond to requests as if all network ports were closed. That way hackers that are doing scans assume the machine is tight and move on to another machine. However, the machine is trained to look for a certain order of port checking, and when the correct sequence is followed, to open up a specific port.

For example, the machine may be configured to look for checks on ports 1200, 2556, and 10780. When that sequence is followed, the machine will still report those ports as being closed. However, it would then open a port such as 3995 to the requester of the previous three ports. This seems to be quite a scheme.
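To make the mechanism concrete, here is an added example (my own illustration, not code from the article or from any real port-knocking daemon) of the state machine a knock listener would keep: it tracks each source's progress through the 1200, 2556, 10780 sequence, resets on any wrong port or on a stale attempt, and records who has earned access to 3995. The log format, the 10-second window and the sample addresses are constructed for the example.

```python
from dataclasses import dataclass, field

# Values from the post's example (hypothetical; not a real daemon's configuration)
KNOCK_SEQUENCE = (1200, 2556, 10780)  # knocks expected, in this exact order
PROTECTED_PORT = 3995                 # port opened to whoever completes the sequence

@dataclass
class KnockTracker:
    sequence: tuple = KNOCK_SEQUENCE
    window: float = 10.0                          # seconds allowed to finish the sequence
    progress: dict = field(default_factory=dict)  # src -> (knocks matched, start time)
    opened: set = field(default_factory=set)      # sources granted PROTECTED_PORT

    def knock(self, src, port, now):
        """Record one connection attempt; return True when the sequence completes."""
        count, started = self.progress.get(src, (0, now))
        if count and now - started > self.window:
            count, started = 0, now       # too slow: forget the partial sequence
        if port == self.sequence[count]:
            count += 1                    # correct next knock
        elif port == self.sequence[0]:
            count, started = 1, now       # wrong knock, but a valid fresh start
        else:
            count = 0                     # any other port resets the sequence
        if count == len(self.sequence):
            self.opened.add(src)          # a real daemon would now open PROTECTED_PORT
            self.progress.pop(src, None)
            return True
        self.progress[src] = (count, started)
        return False

    def is_open(self, src):
        return src in self.opened

# Constructed sample of connection attempts: "<epoch seconds> <source> <dst port>".
# 10.0.0.5 knocks in the right order; 10.0.0.9 hits the same ports out of order.
SAMPLE_LOG = """\
100.0 10.0.0.5 1200
100.5 10.0.0.5 2556
101.0 10.0.0.5 10780
100.0 10.0.0.9 1200
100.2 10.0.0.9 10780
100.4 10.0.0.9 2556
"""

def replay(log=SAMPLE_LOG):
    # Feed logged attempts to a tracker; return the sources that completed the knock.
    tracker = KnockTracker()
    for line in log.splitlines():
        ts, src, port = line.split()
        tracker.knock(src, int(port), float(ts))
    return sorted(tracker.opened)
```

Note that a plain sequential scan of every port touches 1200, 2556 and 10780 in ascending order but with other ports in between, so it never completes the sequence; only the exact order, with nothing else from that source in between, opens the port.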

There are a good number of ports (65536?). That alone is not the number that counts, though. The number of attempts that would need to be tried grows astronomically when you consider that the system is looking for a specific set of port access attempts in the correct order. I will confess that I do not know the math to compute the total number of attempts that this space would include. But my guess is that it would be on the order of 65536 factorial. I think that qualifies as secure.

The only drawback I might imagine from this technique is if a malicious entity is sniffing other network traffic that arrives at the machine. Then a smart program may be able to decipher the combination of port knocks required to open up a given port. At that point the security would be compromised. This may be a question I need to pose to the inventors of the port knocking algorithm. However, I still think this is a great invention which rides on top of something that currently exists.