1. Field of the Invention
The invention relates generally to the field of networked data communications, and specifically to the field of network resilience and security.
2. Description of the Related Art
Virtual local area networks (VLANs) may be used to arrange communications among a group of devices so that the devices communicate as if they were connected by a common local area network (LAN). The devices in a VLAN may reside on one or more LANs, with non-local networks connecting the traditional LANs. The VLAN facilitates communications among the various machines, allowing users and network administrators to more readily expand operations beyond the confines of a single traditional LAN. In one sense, a VLAN may be identified as a collection of physical ports on one or more bridges and/or switches, with the ports associated together as sharing a local network structure.
Network administrators can benefit from tools that help prevent unwanted intrusions on their networks from external sources. One type of intrusion is a denial-of-service (DOS) attack. In a DOS attack, an outside party attempts to prevent legitimate users from being able to access or use resources on a network. DOS attacks commonly take the form of a large amount of incoming network traffic that floods network resources, such as central processing units (CPUs), ports, bridges, switches, and routers.
The goal of attackers in this type of attack is generally to prevent legitimate network traffic from reaching the network resources. In various situations, a DOS attack may attempt to maliciously disrupt connections to a machine, thereby disabling services provided by that machine. In other situations, a DOS attack may be an attempt to prevent a particular individual from accessing a service. DOS attacks may also be attempted as a part of a larger coordinated attack.
Most commonly, a DOS attacker directs a large number of data packets to one or more devices on a target network. The flood of packets is generally an attempt to consume much or all of the available bandwidth or processing capacity on one or more portions of the target network. This type of attack may take a large variety of forms. For example, the DOS packets may be simple ICMP ECHO packets, but may alternatively be any other type of data that would be received and processed by the target network. Also, the attacker may launch the attack from a single machine or from multiple machines. One trend in DOS attacks has been to mask the origin of the attack through the use of widely distributed “zombie” machines: computers maintained by unsuspecting owners, but infected with malicious code programmed to launch a coordinated DOS attack at a predetermined future time.
DOS attacks may also be an unintended consequence of improper but non-malicious activity. For example, a legitimate user may have unintentionally but incorrectly configured a remote system in such a way that it repeatedly transmits data to a network server in a rapid, endless loop. In some circumstances, the resulting flow of data may flood a resource on the network. Regardless of their source or purpose, DOS attacks may hinder or disrupt a network or a network resource if an appropriate response to the attack is not made.
Multiple VLANs generally share ports, so that traffic belonging to several VLANs passes through a common resource. Such a shared resource, or trunk, may be a physical connection between two switches or between other network devices, with each frame on the trunk carrying an identifier of the VLAN to which it belongs. Trunks may be carried on physical connections such as twisted-pair cables, optical fibers, or wireless links. In some circumstances, multiple trunks may share a single physical connection. Alternatively, or in addition, a trunk may be a logical construction that uses more than one physical connection. To protect network resources from DOS attacks, a network may automatically disconnect a trunk on which an attack is detected, preventing the attack from propagating across that trunk. Such a measure may disrupt the flow of the DOS attack and protect network devices that are downstream from the attack. However, this protection also disrupts all other traffic on the trunk, including traffic belonging to VLANs that are not involved in the attack, causing a loss of valuable data flows.
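The following is an added example, not part of the patent text, illustrating the two points above: the packet flood described in the related art (here ICMP ECHO requests) and the collateral effect of disconnecting a whole trunk. It assumes the trunk carries IEEE 802.1Q-tagged Ethernet frames, which is how a shared link distinguishes the VLANs it carries; the frames, MAC and IP addresses, and flood threshold are constructed for illustration. The code parses each frame down to its VLAN identifier and ICMP type, counts echo requests per VLAN, and reports which VLANs exceed the threshold and which would lose service if the trunk were cut.

```python
"""Per-VLAN accounting of 802.1Q-tagged frames on a trunk (added example).

Frame layout follows IEEE 802.1Q / IPv4 / ICMP. All addresses, frame counts
and the flood threshold below are constructed sample data, not measurements.
"""
import struct
from collections import Counter
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
IPPROTO_ICMP = 1
ICMP_ECHO_REQUEST = 8


@dataclass
class TaggedFrame:
    vlan_id: int
    ethertype: int
    icmp_type: Optional[int]  # None when the frame does not carry ICMP


def parse_frame(frame: bytes) -> TaggedFrame:
    """Parse an 802.1Q-tagged Ethernet frame down to the ICMP type, if any."""
    if len(frame) < 18:
        raise ValueError("frame too short for an 802.1Q header")
    # bytes 0-11 are dst/src MAC; 12-13 TPID; 14-15 TCI; 16-17 inner EtherType
    tpid, tci, ethertype = struct.unpack("!HHH", frame[12:18])
    if tpid != TPID_8021Q:
        raise ValueError("frame is not 802.1Q tagged")
    vlan_id = tci & 0x0FFF  # VID is the low 12 bits of the TCI
    icmp_type = None
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= 38:
        ip = frame[18:]
        ihl = (ip[0] & 0x0F) * 4  # IPv4 header length in bytes
        if ip[9] == IPPROTO_ICMP and len(ip) > ihl:
            icmp_type = ip[ihl]  # first byte of the ICMP header is the type
    return TaggedFrame(vlan_id, ethertype, icmp_type)


def build_icmp_echo_frame(vlan_id: int, src_ip: bytes, dst_ip: bytes) -> bytes:
    """Build a minimal tagged IPv4 ICMP echo request (constructed test data)."""
    eth = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    tag = struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF)  # PCP/DEI = 0
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 1, 1)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                     IPPROTO_ICMP, 0, src_ip, dst_ip)  # checksum left 0 for brevity
    return eth + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip + icmp


def build_arp_frame(vlan_id: int) -> bytes:
    """Build a tagged non-IP frame (ARP with a zeroed body) as background traffic."""
    eth = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000002")
    tag = struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF)
    return eth + tag + struct.pack("!H", ETHERTYPE_ARP) + bytes(28)


def per_vlan_echo_counts(frames) -> Counter:
    """Count ICMP echo requests per VLAN over one observation window."""
    counts = Counter()
    for raw in frames:
        parsed = parse_frame(raw)
        if parsed.icmp_type == ICMP_ECHO_REQUEST:
            counts[parsed.vlan_id] += 1
    return counts


def classify_trunk(frames, echo_threshold: int):
    """Return (flooding_vlans, collateral_vlans) for one window of trunk traffic.

    Collateral VLANs are those that carry traffic but are not flooding: they
    are exactly the flows a whole-trunk disconnect would needlessly interrupt.
    """
    parsed = [parse_frame(f) for f in frames]
    echo = Counter(p.vlan_id for p in parsed if p.icmp_type == ICMP_ECHO_REQUEST)
    all_vlans = {p.vlan_id for p in parsed}
    flooding = {v for v, n in echo.items() if n >= echo_threshold}
    return sorted(flooding), sorted(all_vlans - flooding)


def sample_trunk_capture():
    """Constructed window: VLAN 10 is flooded; VLANs 20 and 30 carry normal traffic."""
    frames = [build_icmp_echo_frame(10, bytes([10, 0, 10, 66]), bytes([10, 0, 10, 1]))
              for _ in range(500)]
    frames += [build_icmp_echo_frame(20, bytes([10, 0, 20, 5]), bytes([10, 0, 20, 1]))
               for _ in range(3)]
    frames += [build_arp_frame(20) for _ in range(2)]
    frames += [build_arp_frame(30) for _ in range(4)]
    return frames


if __name__ == "__main__":
    capture = sample_trunk_capture()
    flooding, collateral = classify_trunk(capture, echo_threshold=100)
    print("VLANs exceeding the echo flood threshold:", flooding)
    print("VLANs that would lose service if the trunk were cut:", collateral)
```

With the constructed capture, only VLAN 10 exceeds the threshold, while VLANs 20 and 30 would be cut off by a whole-trunk disconnect. In a real deployment the count would be taken per time window and the threshold tuned to the link, and the VLAN identifier recovered here is what allows a response to be scoped to the offending VLAN rather than to the entire trunk.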
While the invention is susceptible to various modifications and alternative forms, specific embodiments of the invention are provided as examples in the drawings and detailed description. It should be understood that the drawings and detailed description are not intended to limit the invention to the particular form disclosed. Instead, the intention is to cover all modifications, equivalents and alternatives falling within the spirit and scope of the invention as defined by the appended claims.