[aeyes]

Most ordinary users will connect to the internet using a router provided by their ISP so port knocking does not work. Unless they plant the malicious code on the router - that would be even harder to detect.

[bobbob1921]

This is correct, almost all user side traffic is nat’d (masquerade/Src-nat) thus port knocking nor any ports externally being open, does not apply.

(NAT , in general, = how the multiple devices at your home all share a single public IP address from your ISP)

This article mainly addresses servers / public facing services (which do not make use of nat)