The phenomenal growth of the Internet has presented network service providers (e.g., Internet Service Providers (ISPs)) with the continual challenge of responding to users' demands for reliable, secure, fast and dependable access to this global resource. Satisfying these demands is imperative to maintaining a competitive edge in an intensely competitive market. The vast user base has heightened the susceptibility of service providers, as well as their customers, to security threats. In the past, network security responsibilities have largely been the charge of the end users. However, service providers have come to recognize the commercial viability of offering security services. Undoubtedly, security attacks and breaches impose a heavy cost on both the service providers and their customers.
A particularly troubling type of security concern is the various types of packet flood attacks that negatively impact service availability. Packet flood attacks are a type of denial of service (DoS) attack. A DoS attack is initiated by an attacker to deliberately interfere with or disrupt a subscriber's datagram delivery service. A packet flood attack differs from other types of denial of service attacks in that a flood attack requires constant and rapid transmission of packets to the victim in order to be effective. The flood attack overwhelms the victim's connection and consumes precious bandwidth on the service provider's core or backbone networks. Examples of packet flood attacks specific to unreliable datagram delivery service networks utilizing IP (Internet Protocol) include ICMP (Internet Control Message Protocol) flood, “SMURF” (or Directed Broadcast Amplified ICMP Flood), “Fraggle” (or Directed Broadcast UDP (User Datagram Protocol) Echo Flood), and TCP (Transmission Control Protocol) SYN flood. These attacks effectively prevent the subscribers from accessing the Internet; in some circumstances, the effects of these attacks may cause a victim host to freeze, thereby requiring a system reboot. In addition to being a nuisance, a system freeze can result in loss of data if precautions were not taken in advance. Because of the severe and direct impact these attacks have on subscribers, a service provider needs an effective mechanism to detect and prevent, or at least minimize, these DoS attacks.
Distributed Denial of Service (DDoS) attacks are notoriously difficult to defend against because a multitude of compromised systems are used to implement the attack. Typically, an attacker causes one compromised system (the DDoS “master”) to identify and infect numerous other systems (DDoS “bots”, collectively a “botnet”) to launch an attack against a single target. As in many other types of DoS attacks, the attacker can forge the source address of the flood packets originating from the bots without reducing the effectiveness of the attack. Determining and tracking the source of forged datagrams in destination-based routing systems is difficult, given the premium on the processing capacity required to perform the packet diagnostics that determine the source. In addition, investment in anti-DDoS technology leads to service providers becoming locked in to costly, proprietary solutions. As a result, service providers are unable to reliably and cost-effectively mitigate DDoS attacks.
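A victim-side detector for the flood classes described above (ICMP flood and SMURF echo traffic, Fraggle UDP echo, TCP SYN flood) that also reports the number of distinct source addresses per victim, the signal that the forged-source discussion makes relevant. This is an added example and not part of the patent text; the thresholds, window size and packet records are constructed assumptions.

```python
from collections import Counter, defaultdict

# Assumed thresholds (not from the page): packets per destination per one-second window
WINDOW_SECONDS = 1.0
FLOOD_THRESHOLD = 50

def classify(rec):
    """Map a packet record to the flood category it could contribute to, else None."""
    _, _, _, proto, info = rec
    if proto == "icmp" and info in ("echo-request", "echo-reply"):
        return "icmp_flood"          # ICMP flood, and SMURF (reflected echo replies)
    if proto == "udp" and info == 7:
        return "udp_echo_flood"      # Fraggle (UDP echo service, port 7)
    if proto == "tcp" and info == "S":
        return "syn_flood"           # bare SYNs whose handshakes never complete
    return None

def detect_floods(records, window=WINDOW_SECONDS, threshold=FLOOD_THRESHOLD):
    """Count flood-category packets per (destination, category, window) and report
    buckets at or over the threshold. distinct_sources is kept because many
    sources hitting one victim is typical of forged or reflected addresses."""
    buckets = defaultdict(Counter)  # (dst, kind, window index) -> Counter of src
    for rec in records:
        t, src, dst, _, _ = rec
        kind = classify(rec)
        if kind is not None:
            buckets[(dst, kind, int(t // window))][src] += 1
    alerts = []
    for (dst, kind, widx), srcs in buckets.items():
        total = sum(srcs.values())
        if total >= threshold:
            alerts.append({"dst": dst, "kind": kind, "window": widx,
                           "packets": total, "distinct_sources": len(srcs)})
    return sorted(alerts, key=lambda a: (a["window"], a["dst"], a["kind"]))

def sample_records():
    """Constructed packet summaries: (time_s, src, dst, proto, info)."""
    recs = [(0.1 * i, "192.0.2.5", "203.0.113.30", "icmp", "echo-request") for i in range(5)]
    recs += [(0.5, "192.0.2.9", "203.0.113.30", "tcp", "S"),       # normal handshake
             (0.51, "203.0.113.30", "192.0.2.9", "tcp", "SA"),
             (0.52, "192.0.2.9", "203.0.113.30", "tcp", "A")]
    # SMURF-style: echo replies from many amplifier hosts converge on one victim
    recs += [(0.01 * i, f"198.51.100.{i % 200 + 1}", "203.0.113.10", "icmp", "echo-reply")
             for i in range(80)]
    # SYN flood with a forged, rotating source address
    recs += [(1.0 + 0.005 * i, f"192.0.2.{i % 250 + 1}", "203.0.113.20", "tcp", "S")
             for i in range(120)]
    return recs
```

Running `detect_floods(sample_records())` flags the reflected ICMP flood in the first window and the SYN flood in the second, while the five benign pings and the completed handshake stay below threshold.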
Based on the foregoing, there is a clear need for improved approaches for mitigating DDoS attacks.