The Shell in the Ghost

I recently came across an incredible concept and implementation by Michael Rash. It’s called fwknop, which stands for FireWall KNock OPerator. Wait though, don’t stop reading yet!!

Before you close the browser in utter disgust at me suggesting port-knocking in 2017: this isn’t just port knocking. In fact it’s a shame it’s even called that, as it leads some people to mistake it for security-thru-obscurity.

Allow me to paraphrase/describe what the concept is here:

[Figure: fwknop flow]

The crux of this is leveraging the fact that UDP packets don’t require a handshake, and that fwknopd is sniffing packets instead of filtering them, hence there is little opportunity for side-channel attacks.

To any attacker scanning this box, it essentially doesn’t have any ports open. Coupled with the cryptography aspect of SPA, it wouldn’t be a good use of an attacker’s time to try brute force or even perform any level of reconnaissance, as they just don’t get any feedback from the box. I think this could be a great addition to hardening a cloud bastion; see my previous post for details on that setup in Google Cloud Platform.
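To make the "no feedback" property concrete, here is a simplified model of single packet authorization, added as an illustration and not taken from fwknop's code or wire format. The JSON layout, `MAX_AGE`, `build_spa` and `SpaListener` are assumptions of this sketch, and it covers only authentication and replay rejection, not payload encryption.

```python
import hashlib, hmac, json, os

TAG_LEN = 32    # HMAC-SHA256 output size
MAX_AGE = 120   # seconds a packet stays acceptable (assumed value)

def build_spa(key: bytes, allow_ip: str, port: str, now: float) -> bytes:
    """Client side: one self-contained datagram payload, no handshake needed."""
    body = json.dumps({"nonce": os.urandom(16).hex(), "ts": int(now),
                       "allow_ip": allow_ip, "port": port}).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()

class SpaListener:
    """Passive verifier: returns a firewall decision, never a reply packet."""
    def __init__(self, key: bytes):
        self.key = key
        self.seen = set()  # digests of accepted packets, for replay detection

    def handle(self, packet: bytes, src_ip: str, now: float):
        if len(packet) <= TAG_LEN:
            return None
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                    # wrong key or tampered: stay silent
        digest = hashlib.sha256(packet).hexdigest()
        if digest in self.seen:
            return None                    # replayed capture: stay silent
        msg = json.loads(body)             # body is authenticated at this point
        if abs(now - msg["ts"]) > MAX_AGE or msg["allow_ip"] != src_ip:
            return None                    # stale, or relayed from another host
        self.seen.add(digest)
        return (msg["allow_ip"], msg["port"])  # caller opens this rule briefly

def demo():
    key = b"constructed-demo-key"          # constructed sample secret
    now = 1_700_000_000.0                  # constructed clock value
    ip, other = "203.0.113.7", "198.51.100.9"  # documentation-range addresses
    d = SpaListener(key)
    pkt = build_spa(key, ip, "tcp/22", now)
    return [d.handle(pkt, ip, now),                                   # valid
            d.handle(pkt, ip, now + 1),                               # replay
            d.handle(build_spa(b"guess", other, "tcp/22", now), other, now),
            d.handle(build_spa(key, ip, "tcp/22", now - 600), ip, now)]  # stale

if __name__ == "__main__":
    print(demo())
```

Every rejection path returns the same `None` and sends nothing, so a scanner cannot tell a wrong key from a closed port or a host that is down.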

Makes me wonder how many of these “stealth-bastions” live out there 🤔
Go find some and tell me about how you did it!!

Reading