DDoS attacks vary. The parameters for DDoS attacks vary. However, in a DDoS attack, the important part, from the viewpoint of a network administrator, and therefore a mitigation appliance, is to find what's common among the barrage of packets that are reaching the destination network. This is being referred to as attribution of the attack. Network and transport layer DDoS attacks can be attributed easily. An example of network layer DDoS attacks is one on Internet Protocol Secure (IPSec) protocol, where all attack packets, though coming from multiple IP addresses, have the same IP Protocol number, namely 50, corresponding to IPSec. Protocol 50 identifies the type of protocol used to attack and can be rate-limited while everything else flows unaltered. An example of a transport layer DDoS attack is an attack on User Datagram Protocol (UDP) port 3000. In this case, the common attribute for all attack packets is UDP port 3000. Such numbered attributes are easy to identify and report and do not heavily increase the memory table capacity while monitoring because numbers take a limited number of bytes to store.
Application layer Distributed DoS (DDoS) attacks are becoming commonplace. DDoS attack mitigation of application layer attacks requires ability to identify the attacks more specifically. An example of application layer attacks is one on the Hypertext Transfer Protocol (HTTP) protocol, where all attack packets, though coming from multiple IP addresses, have the same user-agent. The user-agent identifies the type of browser or script used to access the page under attack. The strings which identify user-agents vary in sizes. These could vary from a few bytes to few hundred of bytes. An example of Apple iPhone's user agent for a specific version is “Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3”. As yet another example, Firefox browser version 42.0 on Windows 10, has a user-agent, “Mozilla/5.0 (Windows NT 10.0; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0”. In a similar way, other attributes which identify a specific attack include host, referrer, cookie, Uniform Resource Locator (URL), etc. Most of these are variable length strings and may sometimes be very large in length. An exemplary URL on the Amazon.com website for Star Wars blu-ray is “/Star-Trilogy-Episodes-IV-VI-Blu-ray/dp/B00E9PMMX0/ref=sr_1_1”. Sometimes further strings are added to this URL to identify further details of the users who are accessing them or the search query that led to the access of the URL.
In application layer DDoS attacks, a security administrator would like an appliance to attribute these attacks to a specific user-agent, host, referrer, URL etc. Current methods of DDoS attack reporting do not have the speed and processing power to instantly and correctly identify these variable length strings, especially if they don't fit in a few bytes. For example, if an attack script has been written only for a specific device, all attack packets will have the same user-agent. If the same script has been distributed by a hacker to a network to create a botnet, they may all have the same user-agent even though coming from different IP addresses. Therefore during mitigation, it makes sense to simply block packets coming with that specific user-agent and leave all other traffic unaffected. The same can be done for attacks written for a specific URL, specific Host, with specific Referrer etc. Clearly, a new method is needed to attribute DDoS attacks to large variable size common parameter strings in real-time under high volume application layer DDoS attacks. The purpose of such attribution is to facilitate dropping of all subsequently received packets with common parameters to avoid false positives and/or to track sources that send such packets and block those source IP addresses.