A denial of service (DoS) attack is an explicit attempt by an attacker or attackers to prevent or impair the legitimate use of a host computer, a router, a server, a network or the like. Whilst such attacks can be launched from within a target network itself, the overwhelming majority are launched from external systems and networks connected to the target via the Internet. Internet-connected devices, systems and networks today face a rapidly expanding and real threat from DoS attacks. Such attacks not only damage the intended target but threaten the stability of the Internet itself. The motive for most DoS attacks still appears to be a desire by computer hackers to “show off”, express anger or seek revenge, for example, but evidence exists that DoS attacks are increasingly being used by cyber-criminals to blackmail enterprises that draw most of their revenue from on-line (Internet-based) activities, and the fear is that terrorists will use DoS attacks as a means of disrupting good governance by governmental organisations.
The ease with which DoS attacks can be launched from within the Internet is a direct consequence of the features that have made the Internet so successful. The Internet was designed with functionality, not security, in mind. It follows an end-to-end paradigm whereby the communicating end hosts implement the complex functionality needed to achieve desired service guarantees, while the intermediate networks (the Internet) connecting those end hosts provide a bare minimum, best-effort service. The Internet is accordingly managed in a distributed manner, so no common policy can be enforced among its users. This design freedom, which makes it easy for users to participate in the Internet, also provides opportunities for abuse such as DoS attacks.
DoS attackers take advantage of the fact that the Internet is composed of limited resources. The interconnected Autonomous Systems (ASes) that form the core of the Internet, and the networks, systems and devices connected to them, have finite bandwidth, processing power and storage capacity, all of which are common targets of DoS attacks designed to consume enough of a target's available resources to cause some level of service disruption. Security in the Internet is also highly interdependent: DoS attacks are commonly launched from systems that have themselves been subverted through security compromises. Intrusion defence systems therefore not only protect the Internet resources they directly support but also help to prevent those resources being used to attack other Internet-connected systems and networks. Consequently, no matter how well guarded an Internet resource is, its security also depends on the state of security in the rest of the Internet. Other factors that contribute to the ease with which DoS attacks can be initiated within the Internet are that most of the intelligence needed for service guarantees between end hosts is located at the end hosts rather than within the Internet, and that the Internet employs high-bandwidth pathways between the intermediate networks that can carry large volumes of packets to a target.
Early DoS attack technology involved simple tools that generated and sent packets from a single source to a single destination. Such attacks were often configured manually, which limited their frequency and effectiveness, and they could readily be defended against by, for example, filtering packets by source address. In recent years, however, toolkits have evolved for automatically executing attacks from multiple sources against one or more targets, so-called distributed DoS (DDoS) attacks. These toolkits are readily available for download from hacker websites and are so simple to use that even unsophisticated Internet users can set up DDoS attacks.
Multiple-source attacks on a single target are presently the most common form of DDoS attack launched against Internet-connected devices, systems and networks. Such attacks exploit the huge resource asymmetry between the Internet and the target: a sufficient number of compromised hosts are amassed to send useless packets toward the target at roughly the same time. The magnitude of the combined traffic is often sufficient to crash the target system or network and/or to saturate its Internet connection, thereby effectively removing the target from the Internet for at least the duration of the attack. Attacks of this type are commonly referred to as packet-flooding DDoS attacks.
With single-source DoS attacks it was possible to trace the source of the attack where the packets carried their true source address, and to employ packet filtering, for example, to discard packets received from that source. DDoS attacks are more malicious in two respects: the number of subverted hosts sending useless packets towards the target may run to tens of thousands or even hundreds of thousands, and address spoofing is often employed to mask the identities of the subverted hosts. Even where the sources of the useless packets can be identified, this may not help the target defend itself, since the packets may come from legitimate sources that have been prompted to send packets towards the target, as occurs in so-called reflector or indirect DDoS attacks. Blocking packets from such sources also blocks packets from legitimate users.
A successful DDoS attack is easily detected at the target, since the target sees all of the attack packets that are saturating it and causing it to fail. Detecting the attack allows the target to implement defences such as packet filtering while it still has some packet-processing resources not yet overwhelmed by the attack, but detection does not necessarily result in effective filtering of the attack packets so as to maintain some level of service at the target. Because of the distributed nature of the attack, packet filtering at or near the target normally drops normal (legitimate) packets as well as attack packets, since the packet filters are unable to distinguish between them, leading at least to an impairment of service at the target. Consequently, detection of a DDoS attack at the target is not generally effective, since by then it is invariably too late for the target to mount an effective defence.
The paradox facing a target network is that the ability to detect a DDoS attack increases the closer the means of detection is to the target network, whereas the effectiveness of filtering out attack packets declines the closer to the target network they are dropped: it is considerably more effective to filter attack packets close to the attack sources, since such filtering is less likely to drop legitimate packets destined for the target.
Frequently, a target network's Internet Service Provider (ISP) network will drop all packets destined for the target network once a DDoS attack is detected thereby effectively suspending service at the target network and, in any event, negating the target network's efforts to defend itself against the DDoS attack.
One solution to the problem of detecting a DDoS attack before the aggregated effect of the attack packets overwhelms the target is to deploy a detection system in the Internet, away from the target. Such a system uses information about the expected behaviour of network traffic at some selected point in the Internet to determine when an attack is occurring. Systems of this sort are currently available and are generally referred to as “Internet Firewalls”. All such systems monitor the packets crossing a point or points in the Internet, analyse some aspect of the aggregated packet stream's behaviour and try to determine whether it deviates significantly from normal behaviour, as a method of detecting a DDoS attack. The key problem is characterising what constitutes normal behaviour. Absolute measures, such as the expected number of packets going to a given destination address or the ratio of User Datagram Protocol (UDP) to Transmission Control Protocol (TCP) packets, are of limited value because traffic patterns can change rapidly for legitimate reasons, such as a new web site becoming popular or a new application being deployed. Other techniques, such as recording the ratio of TCP SYN to ACK segments, can identify some DoS attacks, but attackers have shown an impressive ability to quickly bypass detection tools that rely on such distinct parameters, for example by generating cover traffic that keeps the monitored ratio within its normal range.
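The following is an added illustration, not code from the original text or from any product it mentions, of the SYN:ACK ratio detector described above and of why a single such parameter is easily bypassed. The packet record format, the sample traffic, the baseline rule and the detection factor are all assumptions made for the example; a real monitor would derive the counts from a packet tap or flow export at the chosen point in the Internet.

```python
from collections import defaultdict

# TCP flag bits. Assumed record format: (dst, proto, tcp_flags).
SYN = 0x02
ACK = 0x10


def count_flags(records):
    """Per-destination counts of SYN-only packets and packets carrying ACK."""
    counts = defaultdict(lambda: {"syn": 0, "ack": 0})
    for dst, proto, flags in records:
        if proto != "tcp":
            continue
        if flags & ACK:
            counts[dst]["ack"] += 1
        elif flags & SYN:
            counts[dst]["syn"] += 1
    return counts


def syn_ack_ratio(records, dst):
    c = count_flags(records)[dst]
    return c["syn"] / max(c["ack"], 1)


def learn_baseline(windows, dst):
    """Baseline = highest SYN:ACK ratio seen toward dst in known-clean windows."""
    return max(syn_ack_ratio(w, dst) for w in windows)


def is_anomalous(window, dst, baseline, factor=5.0):
    """Flag the window if its ratio exceeds the baseline by `factor` (assumed)."""
    return syn_ack_ratio(window, dst) > factor * baseline


# --- constructed traffic (not captured data) ---------------------------------
def legit_window(dst, clients, acks_per_conn=8):
    """Each ordinary client sends one SYN and then several ACK-bearing packets."""
    recs = []
    for _ in range(clients):
        recs.append((dst, "tcp", SYN))
        recs.extend([(dst, "tcp", ACK)] * acks_per_conn)
    return recs


def syn_flood(dst, n):
    """Classic SYN flood: SYNs with no follow-up packets."""
    return [(dst, "tcp", SYN)] * n


def padded_flood(dst, n, acks_per_syn=8):
    """Same number of SYNs, but each is accompanied by bogus ACK packets so the
    SYN:ACK ratio at the monitoring point looks normal (the bypass)."""
    return ([(dst, "tcp", SYN)] + [(dst, "tcp", ACK)] * acks_per_syn) * n


def demo(dst="203.0.113.10"):
    baseline = learn_baseline([legit_window(dst, n) for n in (50, 120, 300)], dst)
    normal = legit_window(dst, 200)
    flood = normal + syn_flood(dst, 5000)
    padded = normal + padded_flood(dst, 5000)
    return {
        "baseline": baseline,                                   # 0.125
        "normal_flagged": is_anomalous(normal, dst, baseline),  # False
        "flood_flagged": is_anomalous(flood, dst, baseline),    # True
        "padded_flagged": is_anomalous(padded, dst, baseline),  # False: missed
        "normal_packets": len(normal),
        "padded_packets": len(padded),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The padded flood carries roughly twenty-six times the packet volume of the clean window yet is not flagged, because the detector watches one ratio rather than the absolute load; the absolute load, in turn, cannot be thresholded reliably for the reasons given above. This is the sense in which a detector built on a single distinct parameter is both brittle and easily bypassed.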
Irrespective of where and how a DDoS attack is detected, the methodologies currently proposed for defending against such an attack, aside from simply discarding all packets (both legitimate and attack) destined for the target, include ingress packet filtering by the target's ISP and/or other ISPs (RFC 2827). This involves an ISP verifying that the source address of each packet arriving on a given customer link belongs to the address block assigned to that link, so that packets with spoofed source addresses are discarded close to their origin. However, this requires the ISP to upgrade or reconfigure its equipment, which it has little incentive to do, since the ISP is rarely overwhelmed itself by a DDoS attack on one of its clients (subscribers) and the filtering mainly protects other networks. It therefore follows that this is a responsibility that ISPs are reluctant to commit to.
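As an added example (not from the original text), the ingress check just described can be implemented on an ISP edge router as a reverse-path lookup against its own forwarding table, which is how routers generally implement it in practice. The forwarding table, interface names and sample packets below are constructed for the illustration; both the strict form (the route back to the source must leave via the arrival interface) and the weaker loose form (any route to the source suffices) are shown so the difference in what each catches is visible.

```python
import ipaddress

# Constructed forwarding table of an ISP edge router: prefix -> outgoing
# interface. Customer prefixes and interface names are assumptions.
FIB = {
    "198.51.100.0/24": "cust-A",
    "203.0.113.0/24": "cust-B",
    "192.0.2.0/24": "upstream",
    "0.0.0.0/0": "upstream",
}


def lookup(fib, addr):
    """Longest-prefix match; returns (network, interface) or None."""
    a = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def strict_check(fib, src, in_iface):
    """Strict ingress filter: accept only if the best route back to src
    leaves through the interface the packet arrived on."""
    hit = lookup(fib, src)
    return hit is not None and hit[1] == in_iface


def loose_check(fib, src):
    """Loose variant: accept if any specific route to src exists. The default
    route is ignored, as routers normally do unless told otherwise; counting
    it would let every source through."""
    hit = lookup(fib, src)
    return hit is not None and hit[0].prefixlen > 0


def filter_packets(fib, packets):
    """Return [(src, in_iface, strict_accept, loose_accept)] for each packet."""
    return [(src, iface, strict_check(fib, src, iface), loose_check(fib, src))
            for src, iface in packets]


# Constructed packets: (source address, arrival interface).
PACKETS = [
    ("198.51.100.7", "cust-A"),    # genuine customer traffic
    ("203.0.113.9", "cust-A"),     # customer A spoofing customer B's address
    ("192.0.2.44", "cust-A"),      # customer A spoofing a remote address
    ("192.0.2.44", "upstream"),    # ordinary transit traffic
    ("198.51.100.7", "upstream"),  # outside host spoofing customer A's address
    ("10.9.9.9", "cust-A"),        # unrouted (bogon) source
]

if __name__ == "__main__":
    for src, iface, strict, loose in filter_packets(FIB, PACKETS):
        print(f"{src:>14} on {iface:<9} strict={'accept' if strict else 'drop':<7}"
              f" loose={'accept' if loose else 'drop'}")
```

Only the strict form drops the three spoofed packets; the loose form stops nothing but the unrouted source. The usual caveat applies: strict checking is safe on single-homed customer links, where there is exactly one valid return path, but on multi-homed or asymmetrically routed links it will discard legitimate traffic, which is one reason ISPs are cautious about enabling it at every edge.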
Another approach to defending against a DDoS attack is to augment the routing information carried with packets so that even remote ISPs can identify the possible links from which a packet with a particular source address might have come. However, this again requires ISPs to upgrade their equipment for little apparent benefit, particularly those ISPs that have no remunerative relationship with the target.
Using existing fields of the Internet Protocol (IP) header outside their intended purpose to carry pieces of path information that allow the receiver, given enough packets, to reconstruct the paths the packets have taken is an approach that can allow the receiver to filter out attack packets. However, because the attacker controls the initial contents of those fields, this approach can still be abused to convey large amounts of false path information to the target (receiver), and so is of limited effectiveness.
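The following added example (not code from the original text) simulates the simplest form of the header-marking scheme just described, the node-sampling variant of probabilistic packet marking in which each router overwrites the 16-bit IP identification field with its own identifier with some probability, and shows the abuse the text refers to. Router identifiers, the path, the marking probability and the attacker's forged value are all assumptions of the example.

```python
import random
from collections import Counter

# Assumed 16-bit router IDs, listed attacker-side first; 0x0A03 is the
# router adjacent to the victim.
PATH = [0x0A01, 0x0A02, 0x0A03]
FORGED = 0xBEEF   # value the attacker pre-loads into the ID field
P = 0.25          # marking probability at every router


def forward(path, p, rng, initial_mark=None):
    """One packet crossing `path`. Each router overwrites the ID field with its
    own ID with probability p. An honest sender leaves an ordinary random ID."""
    mark = rng.getrandbits(16) if initial_mark is None else initial_mark
    for router_id in path:
        if rng.random() < p:
            mark = router_id
    return mark


def observe(path, p, n, rng, initial_mark=None):
    """Victim tallies the ID field of n received packets."""
    return Counter(forward(path, p, rng, initial_mark) for _ in range(n))


def reconstruct(marks, n, min_fraction=0.02):
    """Rank IDs by frequency, nearest router first. A router d hops from the
    victim keeps its mark with probability p(1-p)^(d-1), so nearer routers
    appear more often; values seen less than min_fraction of the time are
    treated as unmarked (random) ID noise."""
    cands = [(rid, c) for rid, c in marks.items() if c >= min_fraction * n]
    cands.sort(key=lambda kv: kv[1], reverse=True)
    return [rid for rid, _ in cands]


def trace_demo(n=20000, seed=1):
    rng = random.Random(seed)
    honest = reconstruct(observe(PATH, P, n, rng), n)
    # Attacker pre-loads a bogus mark: it survives all three routers with
    # probability (1-p)^3 = 0.42, more often than any real router's mark.
    forged = reconstruct(observe(PATH, P, n, rng, initial_mark=FORGED), n)
    return {"honest": honest, "forged": forged}


if __name__ == "__main__":
    r = trace_demo()
    print("honest, nearest router first:", [hex(x) for x in r["honest"]])
    print("attacker-seeded marks:       ", [hex(x) for x in r["forged"]])
```

With honest packets the victim recovers the path in the right order. With attacker-seeded packets the forged value outranks every genuine router and is reported as the router nearest the victim; by rotating the pre-loaded value the attacker can plant as many bogus upstream "routers" as it likes, which is the false information the paragraph above warns of.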
Tailgating a small subset of the existing packets with a specific control packet that indicates their origin, by say identifying one router that the packets have passed through, also assists the receiver in filtering out attack packets. However, this approach does not address the problem of verifying that such control packets genuinely come from legitimate routers, and it creates additional traffic which is of advantage only during a DDoS attack but is disadvantageous at other times from a network capacity viewpoint.
The problem therefore remains how to identify a DDoS attack and how to block or reduce its effect when it occurs.
Existing approaches to detecting DDoS attacks at some selected point (or points) in the Internet are based on parameters that are highly variable over time and which are apt to evolve as Internet technology advances, so that detectors based on them become obsolete. What is required, therefore, is an approach based on parameters that are both invariant to changes in technology and general enough to have a good probability of detecting many kinds of DDoS attack.
Despite the moves to place DDoS attack detection systems within the Internet, most DDoS detection and defence systems are located at the edge of the Internet and operated by the end hosts (receivers, and possible targets) who wish to protect their networks, systems and devices from such attacks. These defence systems rely mainly on packet filtering to defend against an attack which, given the nature of packet-flooding attacks, must have high processing capacity if the filtering system is not itself to become overwhelmed. At present there is little incentive for competing ISPs to upgrade their networks to defend against DDoS attacks, although this may change as legislative pressures are brought to bear around the world. There is therefore a need to provide a method of enabling receivers to filter received packets more intelligently and to create an incentive for other connected systems and networks of the Internet to assist in this process.