Retracing a historical issue: the exposure

In the 1980s, DARPA deployed the IPv4 and TCP protocols, which would become the standard for communications on the Internet and which are still largely in use today, both on the global network and within private networks. Back then, the purpose was, among other things, to provide routing, data integrity and congestion control. Security was not yet a concern because the ARPANET, the ancestor of the Internet, was used by researchers: all its users were trusted and communicated in a disciplined manner, since the initial idea of such a network was to interconnect American research centers in order to facilitate the sharing of resources and data. When TCP/IP was developed, it was intended for a trusted network.

A few years later, the number of communities and networks connected to the ARPANET had increased to such an extent that the DCA, which managed the network at the time, began to worry about the difficulty of identifying all its users. A few more years later, the network opened to commercial traffic. This was a decisive turning point: the ARPANET had not been considered a hostile network until then, and it became one at that very moment.

The 1990s thus saw the emergence of attacks on the TCP/IP protocols that were already known in theory but had never been put into practice. IP address spoofing, TCP session hijacking, denial of service by SYN flooding, and eavesdropping on communications highlighted the weaknesses of the historical Internet protocols. In response, the protocols were modified to be more robust against these attacks, or higher-layer protocols such as SSL were introduced to solve the problems related to the confidentiality of flows. TCP/IP nevertheless remained the standard. Despite these security additions, one of the weaknesses of TCP/IP is still not solved today: the exposure of services.
In order to reach a service on a TCP/IPv4 network, a user must construct packets containing an IP address (encoded on 4 bytes) and a port (encoded on 2 bytes). Thus, just over 4 billion IP addresses are available to identify a machine on a network, and for each of them, 65535 ports identify a hosted service. In theory, an attacker seeking to list all the services exposed on the Internet must therefore generate and transmit a number of network packets on the order of 10^14. In practice, an attacker can list a large number of exposed services by detecting available machines through a discovery scan, and then querying ports with values less than 10000. With just a few network packets, it has always been possible to search for and interact with potentially vulnerable and exposed services. Such exposures have been, and still are today, exploited by attackers to compromise machines and networks.
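
Seen from the defender's side, the same 4-byte address and 2-byte port pair is what the operating system records for every listening socket, so a host's own exposure can be inventoried without sending a packet. The following is an added example, not part of the original article: it decodes rows in the layout of Linux /proc/net/tcp and classifies each listening service by the address it is bound to. The sample table is constructed, the function names are hypothetical, and a little-endian host is assumed.

```python
import ipaddress

# Constructed sample in the layout of Linux /proc/net/tcp (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   112        0 21345
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18012
   2: 0A01A8C0:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 30551
   3: 0A01A8C0:0016 3201A8C0:C1F2 01 00000000:00000000 02:000A2F10 00000000     0        0 40102
"""

TCP_LISTEN = "0A"  # kernel state code for a listening socket


def decode_endpoint(field):
    """Turn 'AABBCCDD:PPPP' into (IPv4Address, port).

    Assumption: little-endian host, where the kernel prints the 4 address
    bytes in reversed order; the 2-byte port is printed as plain hex.
    """
    addr_hex, port_hex = field.split(":")
    ip = ipaddress.IPv4Address(bytes.fromhex(addr_hex)[::-1])
    return ip, int(port_hex, 16)


def listening_exposure(table):
    """Return (ip, port, scope) for every LISTEN row, sorted by port."""
    rows = []
    for line in table.splitlines()[1:]:      # skip the header row
        cols = line.split()
        if len(cols) < 4 or cols[3] != TCP_LISTEN:
            continue                         # established or other states are not services
        ip, port = decode_endpoint(cols[1])
        if ip.is_loopback:
            scope = "local-only"             # bound to 127.0.0.0/8, not reachable remotely
        elif ip.is_unspecified:
            scope = "all-interfaces"         # 0.0.0.0: answers on every address of the host
        else:
            scope = "single-interface"       # reachable only through that one address
        rows.append((str(ip), port, scope))
    return sorted(rows, key=lambda r: r[1])


if __name__ == "__main__":
    for ip, port, scope in listening_exposure(SAMPLE):
        print(f"{ip}:{port:<5} {scope}")
```

On a real Linux host the same function can be fed the contents of /proc/net/tcp; anything not reported as local-only is a service that a remote party can attempt to reach unless a firewall intervenes.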