TCP Stealth hides open ports

TCP Camouflage

Conclusions and Outlook

TCP Stealth looks pretty promising. The project website has comprehensive and useful documentation. Sample programs and prepared patches make it easy to get started. In contrast to alternatives such as SilentKnock, TCP Stealth has far less trouble with Network Address Translation, which makes it more attractive. The integrity check to prevent man-in-the-middle attacks is also something that is not to be sniffed at.

Inquisitive users could also take a look at the Bridge SPA [19] or Knockknock [20] projects. What remains at the end of the day is the limitation to TCP as the transport protocol. The project presented here could take a decisive step forward if it does manage to make it into the Linux kernel.


  1. Netcat
  2. Nmap
  3. Port knocking implementations
  4. "Remote Access Security with Single-Packet Port Knocking" by Juliet Kemp, Linux Magazine, June 2008
  5. "The Sys Admin's Daily Grind: Knockd" by Charly Kühnast, Linux Magazine, September 2008
  6. "The Sys Admin's Daily Grind: Single-Packet Authentication" by Charly Kühnast, Linux Magazine, October 2008
  7. Project Knockd
  8. Stealth draft
  9. IETF
  10. TU Munich
  11. TCP Stealth project website
  12. Julian Kirsch master's thesis
  13. SilentKnock
  14. Covert channels
  15. MD5
  16. Discussion on the kernel mailing list
  17. New program version
  18. TCP Stealth and OpenSSH
  19. Bridge SPA
  20. Knockknock

The Author

Dr. Udo Seidel is a teacher of math and physics. After completing his Ph.D., he worked as a Linux/Unix trainer, system administrator, and senior solution engineer. He is now the leader of a Linux/Unix team at Amadeus Data Processing GmbH in Erding, Germany.
