The present invention relates generally to network security, and more particularly to identifying the source of a network attack.
As the Internet has grown, the benefits associated with the Internet have also increased greatly. People can stream continuous audio and video (e.g., listen to Internet radio stations, watch news videos, etc.), play on-line games, download movies and music, share pictures with friends and family, and collaborate with co-workers all over the world.
Because of the growth of the Internet, the traffic communicated over the Internet is enormous. In particular, today's Internet traffic is more than 10 petabytes per day. Hundreds of terabytes of storage are typically needed to store one day of traffic flow records.
Due to the sheer volume of traffic over the Internet, network security personnel often find it extremely difficult to identify the source of a network attack. Many network attacks are controlled by a small amount of traffic sent by an attacker, via multiple compromised hosts, to the hosts that actually perform the attack.
In more detail, a hacker typically uses a controller computer to write a program called a daemon. A daemon is a program that is implanted on a computer and puts the computer under the control of the hacker without the knowledge of the computer user. The daemon executes in the background, unknown to the computer user, and “steals” the computer's resources. A controlling computer (also referred to below as a controller) transmits this daemon to one or more zombie computers via an attachment or over a network. A zombie computer is an ordinary computer that is under the control of another computer (e.g., the controller). When the daemon arrives at the zombie computer, the daemon executes in the background without the user of the zombie computer noticing any change.
To convert a computer to a zombie computer, the hacker performs several steps. Computers connected to the Internet have thousands of ports that work like doors for network services. For example, mail typically travels through port 25 and website data typically travels through port 80. Only a few of these “doors” are open at a time, depending on what kind of data a computer accepts. The hacker, trying to convert a computer to a zombie, executes a “port scanner” that sends messages to all possible ports of the computer to see which ones are open and accept information, and to determine what kind of computer it is.
Many programs that accept data have flaws. The hacker (also referred to below as an attacker) uses a toolkit of different programs to identify these flaws on available ports. If a flaw is found, the hacker can inject the daemon into the computer. When the hacker logs off the computer, the daemon uses its own toolkit to find a flaw in yet another computer. If the daemon finds a flaw, the daemon can then install another daemon on that computer. The daemons then work together and launch a distributed denial of service (DDoS) attack, flooding a targeted computer with packets in an attempt to cripple the computer's operation.
Tracing the traffic flow over the Internet may provide some insight into who the controller is. Tracing the traffic flow back to the real hacker who is responsible for and controls an attack is, however, often quite difficult, especially when the attack occurs over a large-scale network like the Internet. As described above, collecting, storing, and analyzing the traffic flow for even a single day is typically unmanageable and expensive. On the other hand, if the traffic is stored for only a shorter period of time, then a hacker can issue attack commands for future attacks sufficiently far in advance that they are no longer traceable. Further, as the number of daemons increases, more computers are involved in the attack. As a result, the hacker is harder to trace.
Therefore, there remains a need to accurately identify who an attacker is when a DDoS attack on a computer system occurs over the Internet.