The present invention relates to computer network security and, more particularly, to a method of mitigating Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks.
In network computing, a Denial-of-Service (DoS) attack is an attack whose purpose is to disrupt the normal operation of a computer system or of a computer network. In many cases, such attacks are carried out by overwhelming the computer system or the computer network with a large number of packets, connections or requests. Some of these attacks are carried out from multiple sources, and so are called Distributed Denial-of-Service (DDoS) attacks.
For such attacks to succeed, it suffices to overload just one of the network components on the path to the server whose service is to be disrupted. Such a network component could be a router, a switch, a load balancer or a security gateway.
Furthermore, some of the traffic generated by the sources of the attacks might be allowed under conventional security policies and so be forwarded to the targeted servers. Such traffic could then overload the network or the servers, thereby disrupting normal service.
Co-pending U.S. patent application Ser. No. 13/682,754 teaches a “penalty box” mechanism for a security gateway that makes efficient use of the resources of the security gateway. This mechanism does not address the impact of DoS and DDoS attacks on network components, such as routers and switches, that are traversed by network packets on their way to the security gateway.
It would be highly advantageous to have a method of mitigating DoS and DDoS attacks that would overcome the disadvantages of presently known systems as described above.