In many ways, the emergence of the Internet has revolutionized the business world. Now it is almost imperative that a business have an online presence. Many companies spend substantial amounts of money in developing enticing and sophisticated Web sites in order to provide customers with a positive image of the company in an effort to attract business. Many companies now conduct critical activity via their network sites such as, but not limited to, e-mail, e-filing, document exchange, posting critical information or news, conducting commercial transactions, and the like. Indeed, there are many businesses that rely entirely on a virtual storefront, i.e., to purchase a product you must do so through the company's online site.
Though companies increasingly rely upon their online presence to conduct various aspects of business, there are numerous threats to their online presence against which they need protection. Malware, a term derived from the combination/concatenation of “malicious software,” generally and broadly includes computer viruses, Trojan horses, worms, buffer overrun attacks, spyware, adware, and the like. Malware variants are constantly released on the Internet to carry out the various nefarious designs on susceptible network sites. In order to prevent their sites from “infection” by the malware, companies invest in protective software and hardware such as anti-virus and anti-spyware software, firewalls, and the like, to form a protective shield around the online site.
While companies have a continuing need to maintain and update their protective shields against malware, there are some types of network attacks that still get through. Indeed, some attacks penetrate a company's protective shield because they do not fit the general definition of malware in that the attacks arrive and appear as legitimate network traffic. These attacks include denial of service attacks and poison pill attacks.
A denial of service (“DoS”) attack intentionally floods a targeted system with a large volume of incoming messages such that the targeted system cannot handle the network traffic and must shut down, or worse, crashes. FIG. 1A is a pictorial diagram that illustrates a typical network environment 100. The network environment 100, by way of example only, includes a host 102 which interacts with one or more other computing devices, such as client computers 104-106 and 110-112, over a network 108. Under a DoS attack, as illustrated in the pictorial diagram of FIG. 1B, a node on the network 108, i.e., one of the computing devices on the network such as client computer 104, floods the host 102 with network traffic such that the host cannot manage all incoming traffic. As a result, the host 102 may drop or deny service to incoming traffic from legitimate users, such as from client computers 106 or 112. From the legitimate user's perspective, the host 102 is frozen, i.e., not responding to network traffic.
Frequently, a DoS attack is carried out in a coordinated, distributed manner by a botnet. A botnet (derived from the term “robot network”) corresponds to a fleet of computers, typically compromised by a Trojan horse virus, configured to respond to a network call to participate in a coordinated DoS attack (also called a distributed DoS attack or DDoS). FIG. 1C is a pictorial diagram illustrating a DDoS attack on host 102 from the various computers connected to the network 108. As is well appreciated by those skilled in the art, depending on the size of the botnet, a DDoS attack can substantially increase the intentional flood of network traffic to the host 102.
In contrast to a DoS or DDoS attack, a poison pill attack may be a single message to a network service, such as a Web service, that causes the receiving service to struggle to respond. For example, a poison pill communication may cause a particular component of a Web service to execute, wherein the component has a flaw or bug. During executing, the flaw is encountered and the component crashes. This component crash, in turn, may cause the Web service to cease functioning or otherwise take an inordinate amount of processing time to respond to the poison pill request. Clearly, a poison pill attack may be submitted intentionally or unintentionally; yet in either case, the Web service is significantly compromised.
In addition to malicious or intentional attacks, online sites are at risk from legitimate network traffic. For instance, suppose a network site, as a promotional campaign, makes a particularly good offer for a product and assumes, based on the history of network traffic at the site, a particular level of network traffic will be received. Suppose further that, due to some social networking, the interest generated with regard to this offer exceeds the network site's expectations. Realistically, that network site may be overwhelmed by a dramatic increase or spike in legitimate network traffic requesting the particular offer. This spike in network traffic, though legitimate, poses the same risks to the network site as a DDoS attack.
Without changing the nature of the Internet, or networking in general, the solution to DoS, DDoS, poison pill attacks, or overwhelming spikes in legitimate network traffic, is to have significant network processing bandwidth/capacity in reserve such that when these adverse network conditions arise, a network service such as host 102 can handle the incoming traffic. Unfortunately, the amount of reserved processing bandwidth necessary to identify and respond to unforeseen capacity requirements, such as a DoS or DDoS attack, is huge in comparison to the processing bandwidth during normal operations, and the cost to deploy and maintain such reserves is viewed as prohibitive to all but a very few companies.