Since the advent of the ARPANET and then the Internet, more and more computers and other devices have been connected to a TCP/IP based network. TCP/IP is a set of protocols. In the field of telecommunications, a protocol is the set of standard rules for data representation, signalling, authentication, error detection and other features required to send information over a communications channel. Not all protocols provide all of these features. Protocols with different features may be layered on top of one another to provide a more robust feature set. Examples of individual protocols are the IP protocol and the TCP protocol. These protocols are often used together and referred to as the TCP/IP protocol.
The fundamental unit of information carried in a TCP/IP network is the packet. A packet consists of a header and a user data area. A good analogy is to consider a packet to be like a letter; the header is like the envelope, and the user data area is whatever the person puts inside the envelope. The IP portion of TCP/IP is the Internet Protocol. IP protocol information is carried by an IP header in an IP packet. The IP header is logically partitioned into a number of fields. The fields of the IP header contain network device address information, IP protocol control information and user data information. The TCP portion of TCP/IP is the Transmission Control Protocol. Using TCP, networked devices can create connections to one another, over which they can send data. The TCP protocol guarantees that data sent by one endpoint will be received in the same order by the other, and without any pieces missing. The TCP protocol also distinguishes data for different applications (such as a Web server and an email server) on the same device. TCP protocol information is carried by a TCP header. The TCP header is partitioned into a number of fields. The fields of the TCP header may contain application information, TCP protocol control information and user data information. Also contained within many TCP/IP packets is user data. User data is the area of a packet that contains the information from the user or device that is being communicated between the devices. Examples of user data are part or all of an email message, part or all of a web page, or the data of other applications. Some protocols do not allow user data during certain phases of the protocol. User data is not allowed during connection establishment of the TCP protocol.
As the Internet has grown, so have the attacks of hackers and others who try to disrupt the network through denial of service (DOS) and distributed denial of service (DDOS) attacks, or who attempt to gain unauthorized access to computers and devices.
The first Internet attached devices conformed to the original TCP/IP protocol specifications. When a TCP connection request (otherwise known as a TCP-SYN) was received on a TCP port that no application was listening to, the receiving device sent a connection reject message back to the TCP connection initiator. Hackers quickly learned that they could build port scanners that would scan the entire range of ports on an IP address and learn, from the list of successful connection attempts and rejected attempts, what applications were running on the device having the scanned IP address. Over time, network device profile databases were developed that could determine the underlying operating system, vendor and patch level based upon the responses from the scanned device.
To combat this, many computer and Internet device vendors changed the behavior of network connected machines that receive connection requests on TCP ports that do not have an associated listening application. The new behavior discards the TCP connection request, without sending a connection reject message to the connection request originator. This behavior is known as “black-holing.” This behavior helps because instead of getting a distinct positive or negative acknowledgment, the scanning device must decide how long to wait before timing out the connection request. Because the scanner must also take into account network congestion and other network delays, this timeout is usually on the order of seconds. Timing out each request takes more time and causes the scans to take much longer. Although this does prevent a scanning device from learning what is not there, the scanning device will still receive a positive acknowledgment in the form of a connection establishment response for those TCP ports that have an associated application.
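The trade-off described above (a rejected request gives the prober an immediate answer, a black-holed request forces it to wait out a timeout, and listening ports still answer either way) can be made concrete with a small simulation. This is added example code, not part of the original text; it sends no packets, and the host model, port set, round-trip time and timeout values are assumptions chosen for illustration.

```python
"""Constructed model of how a host's policy for unlistened TCP ports
affects a prober.  Policy "reject": a closed port answers with a RST.
Policy "blackhole": a closed port is silently dropped, so the prober
must wait for a timeout.  No network traffic is generated."""
from dataclasses import dataclass, field

RTT_SECONDS = 0.05       # assumed round-trip time for any answered probe
TIMEOUT_SECONDS = 3.0    # assumed wait before the prober gives up on silence

@dataclass
class SimulatedHost:
    listening: set = field(default_factory=set)   # ports with an application
    policy: str = "reject"                        # "reject" or "blackhole"

    def respond(self, port: int):
        """Model the reply to a SYN: 'SYN-ACK', 'RST', or None (dropped)."""
        if port in self.listening:
            return "SYN-ACK"
        if self.policy == "reject":
            return "RST"
        return None   # black-holed: no answer at all

def probe(host: SimulatedHost, port: int):
    """Classify one port as a prober would, with the simulated wait."""
    reply = host.respond(port)
    if reply == "SYN-ACK":
        return "open", RTT_SECONDS
    if reply == "RST":
        return "closed", RTT_SECONDS
    # Silence is ambiguous: a dropped probe looks like network delay,
    # so the prober learns nothing and pays the full timeout.
    return "filtered", TIMEOUT_SECONDS

def scan(host: SimulatedHost, ports):
    """Return (classification counts, total simulated seconds)."""
    counts = {"open": 0, "closed": 0, "filtered": 0}
    total = 0.0
    for port in ports:
        state, waited = probe(host, port)
        counts[state] += 1
        total += waited
    return counts, total

if __name__ == "__main__":
    for policy in ("reject", "blackhole"):
        host = SimulatedHost(listening={22, 80, 443}, policy=policy)
        print(policy, *scan(host, range(1, 1025)))
```

Running it shows the two points the text makes: under "blackhole" the closed ports are reported as "filtered" rather than "closed", and the total wait grows by roughly the timeout-to-RTT ratio, while the three listening ports are still reported as "open" under both policies.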
There are mechanisms that can authorize incoming TCP connection requests based on the initiator's IP address. This approach fails in two ways. First, it does not work with dynamically allocated IP addresses, such as those that are used in most dial up modem pools, because all of the IP addresses in the pool must be considered valid addresses for this to work. Second, it fails when the initiator lies behind a network address translation (NAT) device, because the NAT device changes the initiator's IP address.
None of the above solutions provides a mechanism to authorize the initiator solely on the received TCP connection request without relying on the initiator's IP address. The development of such a mechanism would constitute a major technological advance, and would satisfy long felt needs and aspirations in the computer networking and Internet industries.