With advances in integrated circuit, microprocessor, networking and communication technologies, increasing numbers of devices, in particular digital computing devices, are being networked together. Devices are often first coupled to a local area network, such as an Ethernet based office/home network. In turn, local area networks are interconnected through wide area networks, such as ATM networks, Frame Relay networks, and the like. Of particular interest is the TCP/IP based global inter-network, the Internet.
To ensure successful communication over the Internet, it is important to prevent undesirable network traffic. For example, the use of denial of service (DoS) attacks to prevent legitimate traffic from reaching its intended destination has grown over the years. Accordingly, the utilization of effective preventative measures has become increasingly important.
One preventive measure is the use of a monitoring device to inspect network traffic before it reaches an intended destination. If it appears that the content has originated from a malicious source, then the traffic can be prevented from reaching the intended destination.
Nevertheless, some attacks may be difficult to detect by inspecting source traffic. For instance, one commonly used approach to attacking DNS servers involves sending a large number of malformed domain name queries to a given DNS server. It may not always be possible to detect that the traffic is coming from a malicious source. This is especially true if the source is a legitimate source that has been hijacked by a malicious actor. Therefore, what is needed is a way to detect traffic originating from a malicious source through the inspection of traffic other than source traffic.