The present invention relates generally to network security, and more particularly to Distributed Denial of Service (DDoS) attacks.
During a DDoS attack, a number of compromised computers often send unwanted and heavy traffic (i.e., data packets) to a recipient computer system (e.g., a web server, network links, a router, etc.). This unwanted traffic typically exhausts the recipient computer's resources and prevents the recipient computer from serving its legitimate clients.
To defend against a DDoS attack, the recipient computer typically must distinguish between undesired traffic and legitimate traffic. Once the undesired traffic is identified, the recipient computer can filter (e.g., block) the undesired traffic so that it does not overload the resources of the recipient computer.
Since the unwanted traffic is often being transmitted by many compromised computers, it is often difficult for the recipient computer to distinguish (and filter) undesired traffic from legitimate traffic. The recipient computer typically has to determine whether each received packet is part of the undesired traffic or is legitimate traffic. This analysis usually requires the computer to examine the source Internet Protocol (IP) address of each received packet.
Every packet has a source Internet Protocol (IP) address. An IP address typically has the form a.b.c.d, where a, b, c, and d are integers in the range of 0-255.
One filtering technique used to counter a DDoS attack is to determine which traffic to filter before the recipient computer is incorporated into the network (i.e., static filtering). For example, if a compromised computer is known to take part in DDoS attacks, the recipient computer may be configured to filter (e.g., block) all packets received from that compromised computer.
Static filtering typically requires the recipient computer to examine the complete IP address of each packet and compare the IP address to IP addresses on a list of IP addresses suspected of taking part in DDoS attacks.
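As an added illustration, not part of the specification, the following Python code implements the static filtering just described: each packet's complete source IP address, in the a.b.c.d form, is parsed and compared against a fixed blocklist configured before the host joins the network. The Packet type, the StaticFilter class and the sample traffic are constructed for the example; the addresses come from the documentation ranges and do not refer to any real host.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple


def parse_ipv4(text: str) -> int:
    """Parse a dotted quad a.b.c.d (each octet 0-255) into a 32-bit integer."""
    parts = text.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {text!r}")
    value = 0
    for part in parts:
        if not part.isdigit() or not 0 <= int(part) <= 255:
            raise ValueError(f"octet out of range in {text!r}")
        value = (value << 8) | int(part)
    return value


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address as carried in the packet header
    payload: bytes


class StaticFilter:
    """Blocklist of complete source addresses, fixed before the host goes online."""

    def __init__(self, blocked: Iterable[str]):
        # Every entry is a full address; the whole 32-bit value must match.
        self._blocked = {parse_ipv4(addr) for addr in blocked}

    def allows(self, packet: Packet) -> bool:
        try:
            src = parse_ipv4(packet.src)
        except ValueError:
            return False  # malformed source field: drop rather than guess
        return src not in self._blocked

    def apply(self, packets: Iterable[Packet]) -> Tuple[List[Packet], int]:
        """Return the packets that pass the filter and the count of dropped ones."""
        passed, dropped = [], 0
        for pkt in packets:
            if self.allows(pkt):
                passed.append(pkt)
            else:
                dropped += 1
        return passed, dropped


# Constructed sample traffic: two blocked sources, one legitimate client,
# and one packet whose source field is not a valid address at all.
SAMPLE_PACKETS = [
    Packet("198.51.100.200", b"GET / HTTP/1.1"),
    Packet("203.0.113.7", b"GET / HTTP/1.1"),
    Packet("192.0.2.10", b"GET /index.html HTTP/1.1"),
    Packet("198.51.100.200", b"GET / HTTP/1.1"),
    Packet("300.1.1.1", b"junk"),
]
```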