In a Denial-of-Service (DoS) attack, an attacker bombards a victim network or server with a large volume of message traffic. The traffic overload consumes the victim's available bandwidth, CPU capacity, or other critical system resources, and eventually brings the victim to a situation in which it is unable to serve its legitimate clients. Distributed DoS (DDoS) attacks can be even more damaging, as they involve creating artificial network traffic from multiple sources simultaneously. Many DDoS attacks use “spoofed” IP packets—packets containing a bogus IP source address—making it more difficult for the victim network to defend itself against attack.
Domain Name System (DNS) servers are a favored target of DDoS attackers. DNS provides a distributed database of domain names and their associated information, such as IP addresses and alias names. DNS servers use the database to translate domain names into their corresponding IP addresses and to retrieve other information associated with specific names. DNS is described in detail by Mockapetris in “Domain Names - Concepts and Facilities,” published as Request for Comments (RFC) 1034 (1987) of the Internet Engineering Task Force (IETF) Network Working Group; and in “Domain Names - Implementation and Specification,” published as IETF RFC 1035 (1987). Both of these documents are incorporated herein by reference and are available on the Internet at the URL www#ietf#org, in which the symbol “#” substitutes for the character “.”.
The majority of DNS request and reply traffic on the Internet is carried over the User Datagram Protocol (UDP), which is a connectionless protocol: a single UDP datagram can carry any source address, so a DNS request alone gives the server no assurance that the request came from the address it names. Methods for protection against spoofed DNS messages that use UDP are described in U.S. Patent Application Publication 2003/0070096 A1, whose disclosure is incorporated herein by reference. The inventors describe a guard system that receives a DNS request carried over UDP from an unknown or suspicious IP source address. The guard system forces the client to repeat the request over the Transmission Control Protocol (TCP). The client establishes a TCP connection with the guard system, using the conventional three-way handshake mandated by the TCP protocol. Because a host that has spoofed its source address cannot complete the handshake, the guard system uses the handshake to verify the authenticity of the client.
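The passage above does not state how the guard system causes the client to repeat its request over TCP. The following is an added illustration, not code from the cited publication or from this patent: it assumes the standard RFC 1035 mechanism, in which a reply with the TC (truncated) bit set causes a conforming resolver to retry the same query over TCP. The guard logic is deliberately minimal: a query from a source address that has not yet completed a TCP handshake receives only a small TC=1 reply echoing its ID and question, so the guard never amplifies traffic toward a spoofed address and never forwards the unverified query. The `Guard` class, `mark_verified` hook and the sample query bytes are constructed for this example.

```python
"""Guard-style handling of a UDP DNS query from an unverified source.

Illustration only (not the patent's or the cited publication's implementation).
Assumption: the guard forces the TCP retry by answering with the TC (truncated)
bit set, the standard RFC 1035 signal for "retry this query over TCP".
"""
import struct

# Constructed sample: a recursive query (RD=1) for example.com, type A, class IN.
SAMPLE_QUERY = (
    struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)   # header: ID, flags, QD, AN, NS, AR
    + b"\x07example\x03com\x00"                          # QNAME
    + struct.pack("!HH", 1, 1)                           # QTYPE=A, QCLASS=IN
)

QR = 0x8000  # bit 15: message is a response
TC = 0x0200  # bit 9: truncated, client should retry over TCP
RD = 0x0100  # bit 8: recursion desired (echoed back to the client)


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": ident, "flags": flags, "qdcount": qd,
            "ancount": an, "nscount": ns, "arcount": ar}


def question_section(msg: bytes) -> bytes:
    """Return the raw bytes of the first question (QNAME + QTYPE + QCLASS).

    Bounds are checked at every step so a malformed datagram raises instead of
    reading past the end of the message.
    """
    pos = 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated QNAME")
        label_len = msg[pos]
        if label_len & 0xC0:
            # Compression pointers are not valid in a query's QNAME.
            raise ValueError("compression pointer in query QNAME")
        pos += 1 + label_len
        if label_len == 0:
            break
    end = pos + 4  # QTYPE + QCLASS
    if end > len(msg):
        raise ValueError("truncated QTYPE/QCLASS")
    return msg[12:end]


def truncated_reply(query: bytes) -> bytes:
    """Build the smallest valid response that tells the client to retry over TCP.

    Only the transaction ID, the RD flag and the question are echoed; no answer
    records are included, so the reply is never larger than the query.
    """
    hdr = parse_header(query)
    if hdr["flags"] & QR:
        raise ValueError("message is a response, not a query")
    if hdr["qdcount"] != 1:
        raise ValueError("expected exactly one question")
    flags = QR | TC | (hdr["flags"] & RD)
    return struct.pack("!HHHHHH", hdr["id"], flags, 1, 0, 0, 0) + question_section(query)


class Guard:
    """Hypothetical guard front-ending a DNS server (constructed for this example)."""

    def __init__(self):
        self.verified = set()  # source addresses that completed a TCP handshake

    def mark_verified(self, src_ip: str) -> None:
        """Called by the TCP side once a client completes the three-way handshake."""
        self.verified.add(src_ip)

    def handle_udp_query(self, src_ip: str, query: bytes) -> tuple:
        """Return ("forward", query) for verified sources, else ("reply", tc_response)."""
        if src_ip in self.verified:
            return ("forward", query)
        return ("reply", truncated_reply(query))


if __name__ == "__main__":
    guard = Guard()
    action, payload = guard.handle_udp_query("198.51.100.7", SAMPLE_QUERY)
    print(action, payload.hex())
```

A spoofed source never completes the handshake, so it never enters `verified` and only ever receives the short TC reply; a genuine resolver retries over TCP, is marked verified, and its subsequent UDP queries are forwarded.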
The present invention will be more fully understood from the following detailed description of the embodiments thereof, taken together with the drawings in which: