The present invention relates to networking and more particularly to techniques for detecting and responding to attacks on computer systems and networks.
There are numerous ways in which a computer or network system may be attacked to prevent users of the system from using a service provided by the system. Several techniques have been used in the past to prevent such attacks. For example, in a network environment, firewalls may be used that employ access control lists (ACLs) to either deny or permit a packet to enter a protected segment of the network. In a typical ACL system, every packet received is matched against a list of pre-defined filters. When a packet matches a filter, that packet is either permitted or denied entry to the protected network segment based upon the filter. This approach, however, cannot be used for all types of attacks. For example, the ACL approach described above may be used to prevent unwanted traffic from entering a protected network, but it cannot be used to detect and respond to anomalies introduced by attacks such as denial-of-service (DoS) attacks.
A DoS attack is an attack on a system that is characterized by an attempt by an attacker to prevent legitimate users of the system from using a service offered by the system. A DoS attack on a system generally causes loss of service of the system to users. Typically, a DoS attack causes loss of service or network connectivity by consuming the bandwidth of the victim network or computer system or overloading the computational resources of the victim system. DoS attacks may take various forms. For example, a DoS attack may attack a system by attempting to consume scarce, limited, or non-renewable resources of the system, by destroying or altering configuration information of the system (e.g., by altering routing information associated with a router), by disrupting physical network components of the victim system, and the like. Examples of DoS attacks include SYN floods, ICMP floods, UDP floods, application level floods, banana attacks, a “pulsing zombie” attack, nukes, and others. For purposes of this invention, a DoS attack includes a distributed DoS attack.
In a DoS attack scenario, the packets that are received cannot simply be dropped (i.e., denied access) or forwarded (i.e., permitted access to a protected segment of the network) using conventional attack prevention systems as described above. This is because, in a typical DoS attack, the packets themselves are legal if they are received in small quantities but are illegal if received in very large quantities; no property of an individual packet distinguishes attack traffic from legitimate traffic. Accordingly, simple filters cannot be used to deny or prevent access. As a result, improved techniques are desired for preventing attacks such as DoS attacks.
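To make the distinction concrete, the following is an added example (not part of the patent text) that contrasts a first-match ACL of the kind described above with a sliding-window SYN-rate detector over constructed traffic: the ACL permits every packet of the flood because each one is individually well-formed, while the volume-based check flags the victim destination. The addresses, the one-second window and the threshold of 50 are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample traffic: (timestamp_s, src_ip, dst_ip, proto, tcp_flags).
# Three legitimate SYNs spread over three seconds, then 200 SYNs to the same
# destination from many sources within one second (constructed flood).
SAMPLE_PACKETS = (
    [(float(t), "10.0.0.%d" % (t + 1), "192.0.2.10", "tcp", "SYN") for t in range(3)]
    + [(5.0 + i / 200.0, "203.0.113.%d" % (i % 254 + 1), "192.0.2.10", "tcp", "SYN")
       for i in range(200)]
)

# A static ACL as the text describes: ordered filters, first match decides.
ACL = [
    {"dst": "192.0.2.10", "proto": "tcp", "action": "permit"},
    {"dst": None, "proto": None, "action": "deny"},   # wildcard default deny
]

def acl_decide(packet, acl=ACL):
    """Return 'permit' or 'deny' for one packet using the first matching filter."""
    _ts, _src, dst, proto, _flags = packet
    for f in acl:
        if (f["dst"] is None or f["dst"] == dst) and (f["proto"] is None or f["proto"] == proto):
            return f["action"]
    return "deny"

def acl_summary(packets):
    """Count ACL verdicts; a flood of well-formed SYNs is permitted like normal traffic."""
    counts = defaultdict(int)
    for p in packets:
        counts[acl_decide(p)] += 1
    return dict(counts)

def syn_rate_alerts(packets, window_s=1.0, threshold=50):
    """Flag destinations whose SYN count inside any window_s-second sliding window
    exceeds threshold. Packets must be in time order. Returns {dst: peak_syns}."""
    recent = defaultdict(list)   # dst -> SYN timestamps still inside the window
    peak = defaultdict(int)
    for ts, _src, dst, proto, flags in packets:
        if proto != "tcp" or flags != "SYN":
            continue
        q = recent[dst]
        q.append(ts)
        while q and ts - q[0] > window_s:   # evict timestamps older than the window
            q.pop(0)
        peak[dst] = max(peak[dst], len(q))
    return {dst: n for dst, n in peak.items() if n > threshold}
```

Running `acl_summary(SAMPLE_PACKETS)` permits all 203 packets, while `syn_rate_alerts(SAMPLE_PACKETS)` reports a peak of 200 SYNs per second against 192.0.2.10 and stays silent on the three legitimate packets alone.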