As businesses become increasingly dependent on computerized communications, they also become increasingly vulnerable to attacks on the underlying computer infrastructure. The growing problem of security exploits within the architecture of the Internet is of significant concern to network providers. For instance, networks and network devices are increasingly affected by the damage caused by Denial of Service (“DoS”) attacks.
A DoS attack is defined as an action taken against a computer network or system by an offensive external device that prevents any part of the network from functioning in accordance with its intended purpose. Such an attack may cause a loss of service to the users of the network and its network devices. For example, loss of network service may be achieved by flooding the system so that it can no longer service legitimate requests. The flooding may consume all of the available bandwidth of the targeted network, or it may exhaust the computational resources of the targeted system.
A Distributed Denial of Service (“DDoS”) attack is a more aggressive action in which multiple offensive devices attack a single target computer network or system. The attack may be performed in a coordinated manner by these multiple external devices against a specific resource of a service provider network. The targeted resource can be any networking device, such as a router, Internet server, electronic mail server, Domain Name System (“DNS”) server, etc. Examples of DDoS attacks include (but are not limited to): large quantities of raw traffic designed to overwhelm a resource or infrastructure; application-specific traffic designed to overwhelm a particular service; traffic formatted to disrupt a host's normal processing; traffic reflected and/or amplified through legitimate hosts; traffic originating from compromised sources or from spoofed IP addresses; and pulsed attacks (attacks that repeatedly start and stop). Further, DDoS attacks are typically categorized as: TCP Stack Flood Attacks (e.g., flooding a certain aspect of the TCP connection process, possibly from spoofed sources, to keep the host from responding to legitimate connections); Generic Flood Attacks (e.g., a flood of traffic for one or more protocols or ports, which may be designed to appear like normal traffic and may also be spoofed); Fragmentation Attacks (e.g., a flood of TCP or UDP fragments sent to a victim to overwhelm the victim's ability to reassemble data streams, thus severely reducing performance); Application Attacks (e.g., attacks designed to overwhelm components of specific applications); Connection Attacks (e.g., attacks that maintain a large number of either half-open TCP connections or fully open idle connections); and Vulnerability Exploit Attacks (e.g., attacks designed to exploit a vulnerability in a victim's operating system).
A specific type of DDoS attack manipulates the TCP window advertisement size of data packets to consume excessive resources of a client/server device that receives and responds to data packets sent from an external client. Essentially, in such an attack, the attacking external device opens a TCP connection to a server device and requests a large file (via HTTP or another protocol). Once the server device starts sending the requested data, the attacker sets the window size (via the TCP acknowledgement) to zero (0) (or another nominal value). This keeps the connection active but prevents the server from sending additional data. In most TCP implementations this results in the operating system of the server device buffering large amounts of data. Because the space for this data in the server device is normally fixed, an attacker can exhaust the resources of the server device by opening multiple connections. The attacker can ensure that the server device does not reclaim these resources by periodically sending acknowledgements with a zero (0) window size, or by periodically allowing the server device to send a small amount of data (e.g., by opening the window a small amount). As a result, the server device treats these connections as active and does not close them. It is further noted that there are several variations of such TCP attacks in which, instead of advertising a window size of zero (0), the attacking client device does not acknowledge data sent by the server device, or acknowledges only a small amount of it, so as to consume the resources of the server device.
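The stalled-connection pattern described above (a zero or nominal advertised window, or acknowledgements that barely advance, while the server keeps data buffered) can be detected from per-connection telemetry on the protected side. The following is an added example, not part of the original text; the `ConnSample` record, its field names, the thresholds and the telemetry values are all constructed assumptions rather than any real stack's API.

```python
from collections import defaultdict
from dataclasses import dataclass
@dataclass
class ConnSample:
    conn_id: str      # "client_ip:client_port" (constructed label for the flow)
    t: float          # seconds since the connection was established
    peer_window: int  # receive window the client advertised in its latest ACK
    queued: int       # cumulative bytes the server has handed to the socket
    acked: int        # cumulative bytes the client has acknowledged

def classify_connection(samples, min_age=30.0, small_window=1024,
                        starved_fraction=0.75, min_ack_rate=100.0):
    """Return 'zero-window', 'slow-ack' or 'ok' for one connection's samples."""
    s = sorted(samples, key=lambda x: x.t)
    first, last = s[0], s[-1]
    age = last.t - first.t
    # Judge only mature connections on which the server still buffers unacked data.
    if age < min_age or last.queued - last.acked <= 0:
        return "ok"
    # Zero/nominal window: the client keeps the connection alive but refuses data.
    starved = sum(1 for x in s if x.peer_window <= small_window)
    if starved / len(s) >= starved_fraction:
        return "zero-window"
    # Window is open, but the client acknowledges almost nothing of what it gets.
    if (last.acked - first.acked) / age < min_ack_rate:
        return "slow-ack"
    return "ok"

def find_suspect_clients(samples, per_client_limit=3, **kw):
    """Map client IP -> number of stalled connections, for clients at or over the limit."""
    by_conn, stalled = defaultdict(list), defaultdict(int)
    for x in samples:
        by_conn[x.conn_id].append(x)
    for conn_id, group in by_conn.items():
        if classify_connection(group, **kw) != "ok":
            stalled[conn_id.split(":")[0]] += 1
    return {ip: n for ip, n in stalled.items() if n >= per_client_limit}

def _conn(conn_id, rows):  # rows are (t, peer_window, queued, acked) tuples
    return [ConnSample(conn_id, *r) for r in rows]

# Constructed telemetry: one normal download, three stalled connections from a
# single client (two zero-window, one slow-ack) and one connection too young to judge.
NORMAL = [(15 * i, 65535, 1500000 * i, 1500000 * i - (10000 if i else 0)) for i in range(4)]
ZERO_WIN = [(0, 65535, 500000, 65535)] + [(t, 0, 500000, 65535) for t in (15, 30, 45)]
SLOW_ACK = [(15 * i, 65535, 400000, 1000 + 500 * i) for i in range(4)]
SAMPLE_TELEMETRY = (_conn("203.0.113.5:40001", NORMAL)
                    + _conn("198.51.100.7:50001", ZERO_WIN) + _conn("198.51.100.7:50002", ZERO_WIN)
                    + _conn("198.51.100.7:50003", SLOW_ACK)
                    + _conn("203.0.113.9:40002", [(0, 0, 10000, 0), (5, 0, 10000, 0)]))
```

The per-client count is what separates a single slow legitimate receiver from a client deliberately holding many connections open; the minimum-age check avoids flagging a connection that has simply not had time to drain its first window.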
Thus, the architecture of the Internet leaves networks and network devices vulnerable to the growing problem of DDoS attacks. Therefore, the ability to avoid or mitigate the damage of a DDoS attack, such as a TCP window attack, without blocking valid hosts, is advantageous to devices located in a protected network.