shimmer – port knocking alternative

In computer networking, port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s). A variant called Single Packet Authorization exists, where only a single “knock” is needed, consisting of an encrypted packet.

The primary purpose of port knocking is to prevent an attacker from scanning a system for potentially exploitable services by doing a port scan, because unless the attacker sends the correct knock sequence, the protected ports will appear closed.

shimmer is a pair of small programs (a client and a server) that provide an alternative to port knocking program such as tumbler and are used to hide a valuable port (such as a hidden web server or SSH) on a public IP address.

Shimmer is a Perl implementation of my C3PO (Cryptographically and Constantly Changing Port Opening) proposal that hides a critical server (such as SSH) behind an ever changing set of ports.

Shimmer works by cryptographically changing a set of 16 ports (one of which forwards to the real service, and 15 others that lead to a trap to blacklist attackers). The 16 ports change every minute frustrating an attacker, but a legimitate user with access to a secret shared between the client and server can determine the real port, avoid blacklisting, and get a connection.

Since both client and server must be time synchronized to the nearest minute shimmer actual holds 48 ports open at a time (16 for the previous minute, 16 for the current minute and 16 for the next minute) to avoid problems due to small amounts of clock drift.