Port knocking works on the concept that users wishing to attach to a network service must initiate a predetermined sequence of port connections or send a unique string of bytes before the remote client can connect to the eventual service. In its most basic form, the remote user’s client software must first connect to one or more ports before connecting to the final destination port.
For example, suppose the remote client wants to connect to an SSH server. The administrator configures the port-knocking requirements ahead of time, requiring that connecting remote clients first connect to ports 3400, 4000, and 9887 before connecting to the final destination port, 22. The administrator tells all legitimate clients the correct “combination” to connect; malicious hackers wishing to connect to the SSH service will be denied access without the combination. Port knocking will foil even port-scanning and banner-grabbing enthusiasts.
Because any combination of ports and transport protocols can be used, the number of possible sequences that an attacker would have to guess is high. Even if the hacker knew only three port knocks were involved, as in the very simple example above, with 64,000 possible TCP, UDP, and ICMP (Internet Control Message Protocol) ports to choose from, the resulting set of possible combinations for the hacker to try runs into the millions. Port scanners will be frustrated because port knocking uses closed ports to do the listening (more on this below).