With the advent of the large scale interconnection of computers and networks, information security has become critical for many organizations. Both passive and active attacks on the security of a computer or network have been developed by “hackers” to obtain sensitive or confidential information, or to inhibit the use or operation of network resources. A passive attack merely observes or records traffic; an active attack involves some modification of the data stream, or the creation of a false data stream. One active attack that has been successfully employed by “hackers” is the denial of service (DoS) attack. A denial of service attack prevents or inhibits the normal use or management of communications facilities, for example by disrupting a server or an entire network through overloading it with messages so as to degrade its performance or exhaust its resources.
One conventional DoS attack involves Transmission Control Protocol (TCP) SYN packet flooding. TCP requires that a server complete a three-way handshake with the client before a connection is established. When a SYN packet is received, the server allocates state for a half-open connection and returns a SYN-ACK to the originating client; the connection is not established until the client answers with a final ACK. While the server waits for that acknowledgement, the half-open entry occupies a slot in the listening socket's backlog, and it is released only when the ACK arrives or a timeout expires. In a SYN flood the attacker sends a large volume of SYN packets, typically with spoofed source addresses so that the final ACK never arrives, and the backlog fills with half-open connections. Connection requests from authentic clients are then dropped because the server's resources are exhausted handling the flooded SYN connection requests. Other conventional DoS attacks use similar “flooding” techniques for overwhelming network or network device resources.
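The following is an added example, not part of the original text, that models the handshake state described above as a small simulation: a listening socket with a bounded half-open backlog, an attacker sending SYNs from constructed spoofed addresses that never complete the handshake, and one legitimate client connecting once per second. The backlog capacity, timeout, flood rate and addresses are assumptions chosen for illustration; the point is to show when and why legitimate connections start being refused, and that the backlog recovers only after the half-open entries time out.

```python
"""Simulation of a TCP listen backlog under a SYN flood (added example)."""
from dataclasses import dataclass


@dataclass
class HalfOpen:
    """State the server keeps between sending SYN-ACK and receiving the final ACK."""
    client: tuple          # (source IP, source port)
    expires_at: float      # time at which the half-open entry is discarded


class SynBacklog:
    """Minimal model of a listening socket's half-open (SYN_RCVD) queue."""

    def __init__(self, capacity: int, timeout: float):
        self.capacity = capacity        # max half-open entries (listen backlog)
        self.timeout = timeout          # seconds before a half-open entry is dropped
        self.half_open: dict = {}       # (ip, port) -> HalfOpen
        self.established: set = set()
        self.syns_dropped = 0

    def _expire(self, now: float) -> None:
        # Entries whose handshake never completed are reclaimed only after the timeout.
        stale = [k for k, v in self.half_open.items() if v.expires_at <= now]
        for k in stale:
            del self.half_open[k]

    def on_syn(self, client: tuple, now: float) -> bool:
        """Handle an incoming SYN. Returns True if a SYN-ACK is sent, False if dropped."""
        self._expire(now)
        if client in self.half_open:       # duplicate SYN: resend SYN-ACK, no new slot
            return True
        if len(self.half_open) >= self.capacity:
            self.syns_dropped += 1         # backlog full: the SYN is silently discarded
            return False
        self.half_open[client] = HalfOpen(client, now + self.timeout)
        return True

    def on_ack(self, client: tuple, now: float) -> bool:
        """Handle the client's final ACK. Returns True if the connection is established."""
        self._expire(now)
        if self.half_open.pop(client, None) is None:
            return False                   # no matching half-open entry
        self.established.add(client)
        return True


def simulate_syn_flood(capacity=128, timeout=60.0, flood_rate=50, duration=10) -> dict:
    """Run `duration` seconds: the attacker sends `flood_rate` SYNs/s from spoofed
    addresses and never ACKs; one legitimate client connects once per second."""
    backlog = SynBacklog(capacity, timeout)
    legit_ok = legit_refused = 0
    for t in range(duration):
        # Constructed spoofed sources (TEST-NET-3): each SYN has a distinct (ip, port).
        for i in range(flood_rate):
            n = t * flood_rate + i
            backlog.on_syn((f"203.0.113.{n % 254 + 1}", 40000 + n), float(t))
        # Legitimate client (constructed TEST-NET-1 address): SYN at t+0.5, ACK one RTT later.
        client = ("192.0.2.10", 50000 + t)
        if backlog.on_syn(client, t + 0.5):
            backlog.on_ack(client, t + 0.6)
            legit_ok += 1
        else:
            legit_refused += 1
    return {
        "legit_ok": legit_ok,
        "legit_refused": legit_refused,
        "half_open_at_end": len(backlog.half_open),
        "syns_dropped": backlog.syns_dropped,
        "end_time": float(duration),
        "backlog": backlog,
    }


def recovers_after_timeout(result: dict) -> bool:
    """Once the flood stops and the half-open entries time out, a new client succeeds."""
    backlog = result["backlog"]
    now = result["end_time"] + backlog.timeout + 1.0
    client = ("192.0.2.11", 60000)
    return backlog.on_syn(client, now) and backlog.on_ack(client, now + 0.1)


if __name__ == "__main__":
    for rate in (0, 50):
        r = simulate_syn_flood(flood_rate=rate)
        print(f"flood {rate}/s: legit ok={r['legit_ok']} refused={r['legit_refused']} "
              f"half-open={r['half_open_at_end']} dropped={r['syns_dropped']}")
    print("recovers after timeout:", recovers_after_timeout(simulate_syn_flood()))
```

With the assumed parameters the legitimate client succeeds for the first two seconds, until the cumulative 100 half-open entries plus the third second's SYNs exceed the 128-slot backlog; from then on every legitimate SYN is refused, and the backlog stays full until the 60-second timeout reclaims the entries. Raising the timeout or lowering the capacity moves that point earlier, which is exactly the kind of parameter sensitivity one would want to measure when characterizing which attacks actually cause a denial of service.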
Ongoing research has been directed towards developing techniques for defending against DoS attacks. To develop such defensive techniques, however, an understanding of the scenarios that cause a denial of service at a network or network device would be helpful. With an understanding of the causes of any particular denial of service at a network or network device, defensive techniques can more readily be developed and implemented.
Therefore, there exists a need for systems and methods that can selectively apply DoS attacks on networks or network devices, and which can monitor such attacks and accumulate data that can be used to determine which attacks actually cause a denial of service. Such data can be analyzed to determine the most effective DoS attacks against any particular network resource so that defensive countermeasures can be implemented.