If the attacker is sniffing the connection anyway (if they're not, then why be sneaky in the first place?), then they'll see the SYN packets.
What exactly is the difference between "the SSH port is filtered, yet right after a SYN goes to port A, then B, then C, the SYN to port 22 is suddenly answered" and "the SSH port is filtered, yet right after a UDP packet with this content, SYN from that address are accepted"?
They're both a secret being sent in plain text, after which the SSH port is open for a bit.
Anyone who's sniffing looking for secret UDP packets is also sniffing looking for modulated SYN packets, because it's still just sniffing. They already know that "something's up", because they see the returning SYNACK. Something made the port unlock.
So yes, it's indistinguishable from a non-modulated SYN, in the same way that a UDP packet with a password is indistinguishable from an unrelated UDP packet without a password.
> the eavesdropper can't even distinguish such port-knocking SYN packets from any other random SYN packet that happened to be routed to the host (there is e.g. a lot of port scanning going on around the Internet)
But isn't the goal to get past the firewall?
> It's encrypted, so even if the eavesdropper could distinguish such a packet, they can't learn the requested port; and they can't even replay this packet, so... what's exactly wrong with it?
Again, this is a completely different question. There are two distinct aspects to port knocking:
1. Generating the "token" (often a fixed password, but can as you say be encrypted, or a one-time pad).
2. Sending that "token" to the server, to open the door.
Yes, you should generate a secure token. That adds security. It should not be replayable.
But why are you sending that token using modulated SYN packets? That's like if you had to enter your Google account password in morse code. It's just more inconvenient, and the secret is in the password, not the modulation. Anybody who can sniff you entering your Google account password can sniff morse code just as well as if you use ASCII.
And I don't buy that using modulated SYN packets makes you disappear in the background noise of port scans. It's not exactly hard to detect the pattern "after N unanswered SYNs from A to B on apparently random ports, A then connects to B on port 22, successfully". You might as well just send a UDP packet. It'd make your (apparently open) firewall WAY less of a footgun (for modulated SYN packets, the SYNs have to actually arrive).
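A concrete shape for the "secure, non-replayable token" of point 1, as an added example that is not from this comment or its thread: a single-packet authorization token in Python, built as HMAC-SHA256 over a timestamp, the requested port and a random nonce, with the server checking the MAC in constant time, the clock skew, and a replay cache. The pre-shared key, the field layout and the 30-second skew are assumptions of the example. The token is just bytes; whether those bytes ride in a UDP payload or are modulated into SYN destination ports changes nothing about what the verifier sees, which is the comment's point.

```python
"""Single-packet authorization token: the secret is a MAC over (timestamp, port, nonce),
sent in one datagram. The server checks the MAC, the clock skew and a replay cache."""
import hashlib
import hmac
import os
import struct
import time

# Assumption for the example: a pre-shared key provisioned out of band.
DEMO_KEY = b"pre-shared-key-for-the-example-only"

TS_LEN, PORT_LEN, NONCE_LEN, TAG_LEN = 8, 2, 16, 32
BODY_LEN = TS_LEN + PORT_LEN + NONCE_LEN


def make_token(key, requested_port, now=None, nonce=None):
    """Client side: body = u64 timestamp || u16 port || 16-byte nonce (big-endian), tag = HMAC-SHA256."""
    now = int(time.time()) if now is None else now
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    body = struct.pack("!QH", now, requested_port) + nonce
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Verifier:
    """Server side. Remembers accepted nonces for 2*skew seconds so a sniffed packet cannot be replayed."""

    def __init__(self, key, skew=30):
        self.key = key
        self.skew = skew
        self.seen = {}          # nonce -> timestamp it was accepted with

    def check(self, token, now=None):
        """Return the requested port on success, None on any failure (no reason is leaked to the sender)."""
        now = int(time.time()) if now is None else now
        if len(token) != BODY_LEN + TAG_LEN:
            return None
        body, tag = token[:BODY_LEN], token[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):     # constant-time compare, before parsing anything
            return None
        ts, port = struct.unpack("!QH", body[:TS_LEN + PORT_LEN])
        nonce = body[TS_LEN + PORT_LEN:]
        if abs(now - ts) > self.skew:                  # stale, or from the future
            return None
        # evict cache entries whose timestamp could no longer pass the skew check anyway
        self.seen = {n: t for n, t in self.seen.items() if now - t <= 2 * self.skew}
        if nonce in self.seen:                         # replay of a packet someone captured
            return None
        self.seen[nonce] = ts
        return port


if __name__ == "__main__":
    token = make_token(DEMO_KEY, 22)
    server = Verifier(DEMO_KEY)
    print("first use :", server.check(token))      # 22
    print("replay    :", server.check(token))      # None
```

The MAC is verified before any field is parsed, so a forged or bit-flipped packet never reaches the timestamp or nonce logic; the replay cache is bounded by the skew window rather than growing forever.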
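The pattern the last paragraph calls "not exactly hard to detect", as an added example rather than code from the comment or its thread: a Python detector that walks a SYN log, pairs each SYN with its SYN-ACK, and flags a source that sent several unanswered SYNs to one host and then got an answered SYN to port 22 within a short window. The addresses, ports, timings and the in-memory log format are all constructed for the example; a real deployment would feed it from a capture or flow records.

```python
"""Flag the port-knock pattern: several unanswered SYNs from one source to one host on
assorted ports, then an answered SYN from that source to port 22 shortly afterwards.
Runs over a constructed in-memory SYN log standing in for a packet capture."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float       # seconds since start of capture
    src: str
    dst: str
    sport: int
    dport: int
    flags: str      # "S" for a bare SYN, "SA" for a SYN-ACK


def answered_syns(packets):
    """Map each SYN packet to True if the log also holds a SYN-ACK for its 4-tuple.
    Assumes a 4-tuple is not reused within the log (true for the sample below)."""
    synacks = set()
    for p in packets:
        if p.flags == "SA":
            # server:sport -> client:dport mirrors the SYN client:dport -> server:sport
            synacks.add((p.dst, p.dport, p.src, p.sport))
    return {p: (p.src, p.sport, p.dst, p.dport) in synacks
            for p in packets if p.flags == "S"}


def find_knock_sequences(packets, min_knocks=3, window=10.0, target_port=22):
    """Return (src, dst, knock_ports, ts) for every answered SYN to target_port that was
    preceded within `window` seconds by at least `min_knocks` unanswered SYNs from the
    same source to distinct ports on the same host."""
    packets = sorted(packets, key=lambda p: p.ts)
    answered = answered_syns(packets)
    pending = defaultdict(list)     # (src, dst) -> [(ts, dport)] of recent unanswered SYNs
    hits = []
    for p in packets:
        if p.flags != "S":
            continue
        key = (p.src, p.dst)
        pending[key] = [(ts, dport) for ts, dport in pending[key] if p.ts - ts <= window]
        if not answered[p]:
            pending[key].append((p.ts, p.dport))       # candidate knock (or just a scan probe)
        elif p.dport == target_port:
            knocks = [dport for _, dport in pending[key]]
            if len(set(knocks)) >= min_knocks:
                hits.append((p.src, p.dst, knocks, p.ts))
            pending[key] = []                          # the door opened; start a fresh run
    return hits


# Constructed sample log (not captured traffic): a knocker, a port scanner, a normal client.
KNOCKER, SERVER, SCANNER, NORMAL = "203.0.113.5", "198.51.100.10", "192.0.2.77", "203.0.113.9"
SAMPLE = [
    Packet(0.0, KNOCKER, SERVER, 40001, 7000, "S"),   # three knocks, all filtered
    Packet(0.2, KNOCKER, SERVER, 40002, 8000, "S"),
    Packet(0.4, KNOCKER, SERVER, 40003, 9000, "S"),
    Packet(1.0, KNOCKER, SERVER, 40004, 22, "S"),     # then SSH, and it answers
    Packet(1.0, SERVER, KNOCKER, 22, 40004, "SA"),
    # background scanner: many unanswered SYNs, never gets in
    *[Packet(2.0 + i * 0.01, SCANNER, SERVER, 50000 + i, 1 + i, "S") for i in range(20)],
    # ordinary client going straight to a port that is open to everyone
    Packet(3.0, NORMAL, SERVER, 41000, 443, "S"),
    Packet(3.0, SERVER, NORMAL, 443, 41000, "SA"),
]


if __name__ == "__main__":
    for src, dst, knocks, ts in find_knock_sequences(SAMPLE):
        print(f"t={ts}: {src} knocked {dst} on {knocks}, then opened port 22")
```

The scanner produces far more unanswered SYNs than the knocker but is never flagged, because the trigger is the answered SYN to the protected port that follows them; conversely a client that goes straight to port 22 with nothing pending is ignored. The window and knock-count thresholds are the knobs to tune against the actual knock daemon's timeout.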