1. Field of Invention
The invention relates generally to data network communications and more particularly to a technique for thwarting application layer hypertext transport protocol flood attacks targeting one or more of a plurality of systems on a network, such as the Internet.
2. Description of Related Art
Hypertext transport protocol (“HTTP”) is the preeminent mechanism for application layer communication in the world. A would-be attacker can simply generate a sufficient number of “GET” packets to a particular HTTP server to continuously request resources served by the server. Once the server reaches its maximum capacity of “GET” packets per second, the server is no longer capable of responding to legitimate clients. Such an attack is known as a flood attack or “distributed denial of service” (“DDoS”) attack. Mitigation systems depend on complex algorithms to create distinctions between legitimate intelligent clients and illegitimate clients attempting to create a “denial of service” condition on the end server. Once this condition has been created, even legitimate intelligent clients can no longer access necessary resources on the server.
U.S. Pat. No. 7,478,429 to Lyon, the disclosure of which is incorporated by reference herein in its entirety, describes a network overload detection and mitigation system and method. Lyon employs a data cleaning center having attack detection and/or mitigation modules that provide DDoS attack-free data to back-end servers. A drawback of Lyon is that it simply absorbs the attack, thus necessitating additional servers to handle the load. It does not provide a mechanism to block the malicious data packets.
U.S. Pat. No. 7,020,783 to Vange et al. (“Vange”), the disclosure of which is incorporated by reference herein in its entirety, describes a system for handling denial of service attacks on behalf of a shared network resource. Vange employs a request processing component deployed within a network having an interface configured to receive requests on behalf of the shared network resource, and a rate control component coupled to the request processing component to selectively forward received requests to the shared network resource at a rate selected to prevent the shared network resource from crashing or becoming undesirably busy. A drawback of Vange is that it simply absorbs the attack, thus necessitating additional servers to handle the load. It does not provide a mechanism to block the malicious data packets.
U.S. Patent Application Publication No. 2002/0083175 to Afek et al. (“Afek”), the disclosure of which is incorporated by reference herein in its entirety, describes a technique for protecting against and/or responding to an overload condition at a node (“victim”) in a distributed network to divert traffic otherwise destined for the victim to one or more other nodes, which can filter the diverted traffic, passing a portion of it to the victim, and/or effect processing of one or more of the diverted packets on behalf of the victim. A drawback of Afek is that it does nothing to specifically protect against GET floods. Afek is also not an application layer aware methodology.
U.S. Patent Application Publication No. 2003/0145232 to Poletto et al. (“Poletto”), the disclosure of which is incorporated by reference herein in its entirety, describes an architecture for thwarting denial of service attacks on a victim data center. The system includes a first plurality of data monitors that monitor network traffic flow through the network. The system includes a central controller that receives data from the plurality of monitors, over a hardened, redundant network. The central controller analyzes network traffic statistics to identify malicious network traffic. In one embodiment, a gateway device is disposed to pass network packets between the network and the victim site. The gateway includes a computing device executing a process to build a histogram for any attribute or function of an attribute of network packets and a process to determine if the values of the attribute exceed normal, threshold values expected for the attribute to indicate an attack on the site. A drawback of Poletto is that it does not provide proactive recalculation of GET similarities to effectively mitigate a large percentage of an attack.
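The histogram-and-threshold check attributed to Poletto above, as an added illustration that is not code from that publication or from the present application: it buckets GET requests from constructed Common Log Format access-log lines by a chosen attribute (source IP or requested path) and flags any bucket whose count exceeds an expected threshold. The log format, the attribute choices and the threshold value are assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample access-log lines (Common Log Format); not from any real server.
SAMPLE_LOG = """\
198.51.100.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.11 - - [10/Oct/2023:13:55:36 +0000] "POST /login HTTP/1.1" 302 0
198.51.100.11 - - [10/Oct/2023:13:55:37 +0000] "GET /account HTTP/1.1" 200 2048
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /index.html HTTP/1.1" 200 512
garbage line that does not parse
"""

# Assumed log layout: client, ident, user, [timestamp], "METHOD path proto", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

def parse_get_requests(log_text):
    """Yield (client_ip, timestamp, path) for each GET line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m and m.group("method") == "GET":
            yield m.group("ip"), m.group("ts"), m.group("path")

def build_histogram(log_text, attribute="ip"):
    """Histogram of GET requests keyed by one packet attribute (source IP, timestamp or path)."""
    idx = {"ip": 0, "ts": 1, "path": 2}[attribute]
    return Counter(rec[idx] for rec in parse_get_requests(log_text))

def flag_outliers(hist, threshold):
    """Attribute values whose GET count exceeds the expected (normal) threshold."""
    return sorted(value for value, count in hist.items() if count > threshold)

if __name__ == "__main__":
    by_ip = build_histogram(SAMPLE_LOG)
    print(by_ip, flag_outliers(by_ip, threshold=3))
```

A gateway applying this logic would recompute the histogram per time window, since a count that is abnormal over one second may be ordinary over an hour.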
U.S. Patent Application Publication No. 2013/0042322 to Yoon, the disclosure of which is incorporated by reference herein in its entirety, describes a technique for defending a DDoS attack. Yoon employs a packet collecting unit to collect a packet in a network, a packet parsing unit to extract at least one header field from the collected packet, and a DDoS attack determining unit to determine whether a DDoS attack against the packet is detected, using a session table and a flow table. A drawback of Yoon is that it is a simplistic approach to mitigating some transport layer attacks and does not provide an application layer aware methodology.
U.S. Pat. No. 7,921,462 to Rooney et al. (“Rooney”), the disclosure of which is incorporated by reference herein in its entirety, describes a technique for detecting DDoS attacks within the Internet by sampling packets at a point or points in Internet backbone connections to determine a packet metric parameter. The packet metric parameter, which might comprise the volume of packets received, is analyzed over selected time intervals with respect to specified geographical locations in which the hosts transmitting the packets are located. The expected behavior can be employed to identify traffic distortions revealing a DDoS attack. A drawback of Rooney is that such metrics are insufficient for providing comprehensive protection against GET floods, as they do not factor in the packet data content. Rooney is also not an application layer aware methodology.