With the proliferation of the Internet, host systems can provide their services to numerous client systems, where both host and client systems are distributed throughout the world. Once a proper connection is established, information can flow freely between a host system and a client system.
For example, in a conventional distributed network a plurality of host systems or servers are in communication with a plurality of client systems via a network or a collection of networks, e.g., the Internet. The architecture of such a distributed network is both a source of strength (e.g., enabling the free flow of information between numerous systems) and a source of vulnerability (e.g., exposing those systems to malicious attacks).
Specifically, when a client system attempts to establish a connection, e.g., a TCP (Transmission Control Protocol) connection, to a host system, the client and host exchange a set sequence of messages or packets. This general approach applies to all TCP connections: Web, telnet, email and so on.
The client system starts by sending a “SYN” message or packet to the host system. The host system then acknowledges the SYN message by sending a “SYN-ACK” message back to the client system. The client then finishes establishing the connection by responding with an “ACK” message, which completes what is known as a “TCP three-way handshake”.
Unfortunately, this simple connection protocol is vulnerable to abuse by malicious users. For example, a remote client may transmit a large volume of TCP connection requests that cannot be completed, i.e., the host system sends an acknowledgement (SYN-ACK) back to the SYN packet's IP Source Address but never receives the ACK message, because the source address was spoofed and is either an invalid address or the address of a machine that did not send the SYN packet in the first place. Because only the receiver of the SYN (which has sent the SYN-ACK) considers the connection open, the connection is said to be in the “half-open” state.
The potential for abuse arises because the host system maintains in its system memory a data structure of finite size that describes all connections, pending or active. By flooding the host system with an overwhelming number of half-open connections, an attacker quickly fills this data structure, thereby crippling the host's ability to establish new connections with legitimate TCP users. This type of “SYN flooding” is the basis for several forms of distributed “Denial of Service” attacks on the Internet.
Creating half-open connections can be easily accomplished with IP spoofing. Specifically, the attacking client system will send SYN messages to the target host system. These SYN messages appear to be legitimate but may in fact reference a client system that is unable to respond to the SYN-ACK message or is not actually trying to establish a connection. The effect is that the final ACK message will never be sent to the target host system.
Although most host systems will eventually remove expired half-open connections, the attacking system can simply continue sending IP-spoofed packets at a greater rate than that at which expired half-open connections are removed. The location of the attacking client system is often unknown because the source addresses in the spoofed SYN packets are often not genuine. Thus, when a SYN packet arrives at a target host system, it is often impossible to determine its true source.
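A constructed model of the race described above between the arrival rate of spoofed SYNs and the rate at which expired half-open entries are reaped (example code added here, not part of the patent text). The table capacity, half-open timeout and per-tick rates are assumed values; each tick, spoofed SYNs that will never be acknowledged enter the half-open state, stale entries are expired, and one legitimate client attempts a full handshake.

```python
class ConnTable:
    """Finite table holding pending (half-open) and established connections."""
    def __init__(self, capacity, half_open_timeout):
        self.capacity = capacity
        self.timeout = half_open_timeout
        self.pending = {}          # key -> tick at which the SYN-ACK was sent
        self.established = set()

    def expire(self, now):
        """Reap half-open entries whose SYN-ACK has gone unanswered too long."""
        for key, opened in list(self.pending.items()):
            if now - opened >= self.timeout:
                del self.pending[key]

    def on_syn(self, key, now):
        """Admit a SYN (enter SYN-RECEIVED) only if the table has room."""
        if len(self.pending) + len(self.established) >= self.capacity:
            return False
        self.pending[key] = now
        return True

    def on_ack(self, key):
        """Third handshake message: a half-open entry becomes established."""
        if key not in self.pending:
            return False
        del self.pending[key]
        self.established.add(key)
        return True


def simulate(capacity, timeout, flood_rate, ticks):
    """Each tick: flood_rate spoofed SYNs arrive (never ACKed) and one legitimate
    client completes a handshake. Returns how the legitimate client fared."""
    table = ConnTable(capacity, timeout)
    accepted = rejected = 0
    for t in range(ticks):
        table.established.clear()            # last tick's short legit session closed
        table.expire(t)
        for i in range(flood_rate):          # spoofed sources: the SYN-ACK goes nowhere
            table.on_syn(("spoofed", t, i), t)
        key = ("client", t)
        if table.on_syn(key, t) and table.on_ack(key):
            accepted += 1
        else:
            rejected += 1
    return {"accepted": accepted, "rejected": rejected, "pending": len(table.pending)}


if __name__ == "__main__":
    print(simulate(256, 8, 20, 30))  # 20/s * 8 s = 160 half-open < 256: reaping keeps up
    print(simulate(256, 8, 40, 30))  # 40/s * 8 s = 320 > 256: table stays full, client locked out
```

The steady-state number of half-open entries is roughly arrival rate times timeout, so a defender can read off whether a given capacity and timeout survive a given flood rate.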
Host systems that are the targets of such malicious attacks will likely be rendered inoperable. The inability, or even the mere difficulty, of accepting new legitimate incoming network connections will greatly damage the business conducted through a host system.
Therefore, a need exists for a novel method and apparatus that is capable of deflecting such attacks without having to modify the operating system of the host system or requiring complex packet manipulation for active TCP sessions.