TCP Stealth

from Wikipedia, the free encyclopedia

In information technology, TCP Stealth is an extension of the TCP protocol that remains compatible with the TCP standard. It hides open ports from unauthorized parties who run a port scanner such as ZMap or Nmap to find systems that might be broken into, and is intended to protect servers whose existence is not meant to be public.

TCP Stealth embeds an authentication token in the client's connection request: the initial sequence number (ISN) of the TCP SYN segment is replaced by a value computed with a one-way function from several inputs, including a secret key shared by client and server. On receiving the SYN, the server recomputes the value and uses it to decide whether to respond at all; a SYN that does not carry a valid token gets no answer, so to a scanner the port looks closed.

The scheme goes beyond earlier protective measures. With earlier port-knocking techniques, a client authorizes itself by a sequence of connection attempts ("knocks") before the real connection. If an attacker controls every path between client and server, this can be circumvented by taking over the traffic after the authorization as a man in the middle. To prevent this, TCP Stealth can optionally carry, in the first segment, a cryptographic hash of the first data bytes the client will send after the handshake, so that a connection taken over by a third party fails as soon as the payload does not match.
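The following is an added, simplified model of the two mechanisms described above (the authenticating ISN and the optional payload hash); it is constructed for this article and is not the IETF draft's exact construction, nor code from the TCP Stealth project. It assumes a 16/16-bit split of the 32-bit ISN into an integrity hash (high half) and an authentication value (low half), a truncated HMAC-SHA256 as the one-way function, a 60-second time slot to bound replay, and a constructed shared secret, addresses and first payload. The draft's real field layout, hash function and time parameters are not reproduced.

```python
"""Simplified TCP Stealth model (constructed example, not the draft's algorithm).

The client's ISN carries an authentication value (AV, low 16 bits) and an
integrity hash (IH, high 16 bits) of the first payload bytes; the server
decides from the ISN alone whether to answer the SYN at all.
"""
import hashlib
import hmac
import struct

WINDOW = 60  # seconds per time slot; bounds replay of a captured SYN (assumed value)


def _tag16(secret: bytes, *parts: bytes) -> int:
    """Truncated HMAC-SHA256 over the given fields: a 16-bit one-way value."""
    mac = hmac.new(secret, b"\x00".join(parts), hashlib.sha256).digest()
    return int.from_bytes(mac[:2], "big")


def _auth_value(secret, src_ip, dst_ip, dst_port, slot):
    # Bind the AV to the flow and the time slot, so a SYN replayed from
    # another address or in a later slot does not validate.
    return _tag16(secret, src_ip.encode(), dst_ip.encode(),
                  struct.pack("!H", dst_port), struct.pack("!Q", slot))


def _integrity_value(secret, payload):
    return _tag16(secret, b"payload", payload)


def client_isn(secret, src_ip, dst_ip, dst_port, payload, now):
    """Build the ISN the client places in its SYN: IH high, AV low."""
    slot = int(now) // WINDOW
    av = _auth_value(secret, src_ip, dst_ip, dst_port, slot)
    ih = _integrity_value(secret, payload)
    return (ih << 16) | av


def server_accept_syn(secret, src_ip, dst_ip, dst_port, isn, now):
    """Port-hiding decision: answer with SYN-ACK only if the AV verifies.
    The previous slot is also accepted to tolerate clock skew at a slot edge;
    anything else is dropped silently, so the port looks closed."""
    av = isn & 0xFFFF
    slot = int(now) // WINDOW
    for s in (slot, slot - 1):
        expected = _auth_value(secret, src_ip, dst_ip, dst_port, s)
        if hmac.compare_digest(struct.pack("!H", av), struct.pack("!H", expected)):
            return True
    return False


def server_check_payload(secret, isn, payload):
    """After the handshake: does the first payload match the IH from the SYN?
    A man in the middle who takes over the authenticated connection and sends
    its own data fails this check."""
    ih = isn >> 16
    expected = _integrity_value(secret, payload)
    return hmac.compare_digest(struct.pack("!H", ih), struct.pack("!H", expected))


def demo():
    """Honest client, a scanner, a replayed SYN and a hijacked connection."""
    secret = b"demo-shared-secret"             # constructed key
    client, server, port = "198.51.100.7", "203.0.113.10", 22
    payload = b"SSH-2.0-OpenSSH_9.6\r\n"        # constructed first client bytes
    t = 1_700_000_000
    isn = client_isn(secret, client, server, port, payload, t)
    return {
        "honest_syn_answered": server_accept_syn(secret, client, server, port, isn, t),
        "honest_payload_ok": server_check_payload(secret, isn, payload),
        # a scanner's SYN carries an arbitrary ISN and is not answered
        "scanner_syn_answered": server_accept_syn(secret, "192.0.2.99", server, port, 0x12345678, t),
        # the captured SYN replayed three slots later no longer validates
        "replay_later_answered": server_accept_syn(secret, client, server, port, isn, t + 3 * WINDOW),
        # a man in the middle who hijacks the connection sends different data
        "mitm_payload_ok": server_check_payload(secret, isn, b"GET / HTTP/1.0\r\n\r\n"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Note that with only 16 bits per field a guess succeeds with probability about 2^-16 per attempt; the real draft relies on the same kind of short tag, which is why the time slot and the per-flow binding matter: a scanner cannot brute-force the AV offline, and a captured SYN is only useful within its slot and from the same addresses.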

TCP Stealth can also be used without modifying the operating system's source code, using the libknockify library available on the project website, which acts as a wrapper around the functions of the network API.

The specification was submitted to the IETF as an Internet-Draft on August 15, 2014, after it became public that the British intelligence service GCHQ had, as a routine procedure, systematically abused port scanning against 27 countries.

The authors of the specification are researchers from the Technical University of Munich, Jacob Appelbaum of the Tor Project, and Holger Kenn of Microsoft.
