Internet Service Providers (ISPs) face ever-increasing operational challenges. For example, ISPs must balance supporting bandwidth-intensive applications (Internet Protocol Television (IPTV), voice over Internet Protocol (VoIP), etc.) against mitigating and protecting against bandwidth-intensive network security threats. Maintaining operations that support bandwidth-intensive applications during potential network attacks proves difficult, at best.
ISPs attempt to mitigate network-wide threats before they impact critical business services and applications. One example of such a network-wide threat is a bandwidth-based attack. For example, a Denial-of-Service (DoS) attack is a bandwidth-based attack on a network system aimed at causing it to crash, i.e., at creating conditions under which legitimate (rightful) system users cannot gain access to the resources (servers) provided by the system, or under which that access becomes difficult. Taken further, a DoS attack that is carried out simultaneously using a large number of computers is called a Distributed Denial-of-Service (DDoS) attack.
As in many other types of DoS attacks, the attacker can forge the source address of the flood packets without reducing the effectiveness of the attack. Because the source addresses of the attack packets are almost always forged, it is non-trivial to determine the true origin of such attacks. As a result, tracking down the source of a flood-type denial-of-service attack is usually difficult or impossible, at least in a large, high-speed network. Furthermore, it is often difficult to determine whether a network event should be labelled a DoS attack at all. It is therefore highly desirable that a user configuring an attack mitigation system learn what network events are considered normal for each of the many customers or logical entities sharing the network. Known DDoS detection devices typically require at least some configuration to facilitate identification of a DDoS attack and determination of the attack magnitude. The attacks themselves take several forms. For example, a DoS jamming attack may artificially introduce interference into the network, thereby causing collisions with legitimate traffic and preventing message decoding. In another example, a DoS attack may attempt to overwhelm the network's resources by flooding the network with requests, so that legitimate requests cannot be processed. A DoS attack may also be distributed, to conceal the presence of the attack. For example, a DDoS attack may involve multiple attackers sending malicious requests, making it more difficult to distinguish when an attack is underway. Configuration of DoS attack detection logic is particularly challenging when network resources are limited and throughput is high.