The present invention relates to denial of service attacks and, in particular, to a method of handling denial of service attacks without entirely blocking all new session connection requests.
Denial-of-Service (DoS) are well-known. In a typical DoS attack, the attacker employs Internet Protocol (IP) source address spoofing to directly or indirectly launch an immense volume of bogus traffic to a target system. For example, the attacker may use randomly changing or phony source addresses to flood bogus sessions with TCP SYN, UDP or ICMP packets to a specific target. This bogus traffic may be initiated from a single host, from a group of hosts in a specific network, or from any number of hosts on the Internet. The overwhelming number of bogus session requests potentially bogs down the resources of the target system and thus lead to DoS.
In response to a DoS attack, a typical firewall starts dropping all new session requests as soon as the rate of the incoming session requests exceeds a predetermined threshold. Until the blocking time for new session requests is expired, or the rate of new session requests falls off, the firewall denies any new session request. This mechanism is, in general, of use to protect the systems under attack. However, because all session requests are denied service, even legitimate requests are denied service.
Another approach that has been used to fight DoS attacks is known as Random Early Drop (RED). To implement RED, as a new session request is received, an unanswered session request is dropped. This approach is described, for example, in Linux Magazine, August 1999 (see http://www.linux-mag.com/1999-08/bestdefensexe2x80x9402.html). Thus, using RED, at least some legitimate session requests theoretically get through to the target system. However, there is high overhead involved with receiving the onslaught of bogus session requests and dealing with each received session request (by dropping a pending session request in response to it).
The present invention is a method and apparatus for responding to denial of service attacks. Rather than a firewall or other device either denying all new session requests or denying no new session requests (and, albeit, dropping then-pending session requests), new session requests are selectively passed to the device.