The World Wide Web (“Web” or “WWW”) is a vast network of computer servers, computer clients and telecommunication data lines for sending and receiving data (or “content”). The Web servers send text or binary content to client programs. Text data includes specially formatted text documents (or “Web pages”) written using the Hypertext Markup Language (HTML) protocol. The users use client programs such as “browsers” to establish data connections to Web servers, send requests for data, retrieve content and then view that content. Common browsers include Netscape Navigator® and Microsoft® Internet Explorer. These browsers and other Internet applications include the ability to access a URL (Universal Resource Locator) or “Web” site. The URL is used to specify the location of a file held on a remote machine.
Each URL is composed of several components. For example, the URL http://host/file.html includes three components. The first component, http, specifies the protocol that is used to access the target file. In the present example, the protocol is Hypertext Transfer Protocol (HTTP). A URL may specify other protocols as well. For example, the URL of ftp://ftp.pgp.com/bub/docs/samples specifies access to files via “FTP” (File Transfer Protocol). This specifies a link for accessing the file directory docs/samples on the machine ftp.pgp.com.
The second component, host, indicates the name of the remote machine. This can be expressed either as a domain name (e.g., pgp.com) or a numeric Internet Protocol (IP) address such as 123.200.1.1. The final component, file.html, provides the path name of the target file. In other words, the target file is the file to which the hypertext link is to be made. The file is referenced relative to the base directory in which the Web pages are held.
The HTTP protocol is typically employed to transmit web pages between the client computer and the server computer. According to the HTTP protocol as specified by the Internet Request For Comments RFC 1945 (T. Berners-Lee et al.), clients and servers communicate using request messages and response messages. A request message is sent by a client to a server to initiate some action. Exemplary actions are listed in Table 1.
TABLE 1MessageDescriptionGETA request to fetch or retrieve informationPOSTA request to accept the attached entity as a new subordinate tothe identified URLPUTA request to accept the attached entity and store it under thesupplied URLDELETERequests that the origin server delete a resource
The server, in response to a request, returns a response message. A response message may include an entity body containing hypertext-based information. In addition, the response message must specify a status code, which indicates the action taken on the corresponding request.
FIG. 1 is a block diagram that illustrates a single HTTP transaction including a request message and a response message. Client computer 100 has established a data communications connection via the Web 105 to a web server 110. A client application, such as a Web browser, initiates a request for a resource. The resource may be, for example, a home page on a Web server 110. The client 100 opens a connection between the client 100 and the server 110. The client 100 then issues an HTTP request 115. The request 115 consists of a specific command, a URL and a message containing request parameters, information about the client, and possibly additional content information. When the server 110 receives the request 115, it attempts to perform the requested action and returns a HTTP response 120. The response includes status information, a success/error code and a message containing information about the server 110, information about the response itself, and possible content. Further description of HTTP is available in the technical and trade literature; See e.g., William Stallings, The Backbone of the Web, BYTE, October 1996.
FIG. 2 shows a simplified diagram of a computer connected to external networks 200 via a host computer 205 linked to an access point 210. An access point 210 is essentially an external location capable of permitting authorized users to access external computer networks. The access point 210 is typically maintained by a computer network service provider, such as a telephone company (Telco) or commercial Internet Service Provider (ISP). The access point 210 serves as a link in the overall network scheme and consists of a series of Network Access Servers (NASs) and other related hardware, software and/or firmware. An access point 210 may also include a modem pool (not shown) maintained by a Telephone Company (Telco) or an Internet Service Provider (ISP) that enables its authorized users or subscribers to obtain external network access through the host computer 205, which has the required dial-up connection capability. The access point 210 may include a gateway device 215, such as the Service Selection Gateway (SSG) Cisco model 6510, manufactured by Cisco Systems, Inc. of San Jose, Calif. and an authentication, authorization and accounting (AAA) server 220, such as Cisco ACS or Cisco Secure, manufactured by Cisco Systems, Inc. of San Jose, Calif.
The Service Selection Gateway (SSG) is a product that allows data communications network users to select and login to services on the data communications network. These services can include computer intranets, pay per use sites, the Internet, community of interest services and the like.
The link between the host 205 and the gateway device 215 is typically a point-to-point link. The AAA server 220 may accommodate several client gateway devices simultaneously and communicate with one another according to a standard Internet protocol, such as the Remote Authentication Dial-In User Service (RADIUS) protocol. RADIUS is protocol standard for communicating authentication, authorization and configuration information between a device that desires to authenticate its links and a shared authentication server. Those of ordinary skill in the art will recognize that other types of access methods may be provided by a Telco or ISP such as frame relay, leased lines or ATM (Asynchronous Transfer Mode). Additionally, access methods may include Digital Subscriber Line-based methods (hereinafter referred to as xDSL) for supporting a host that uses a DSL access method, and/or a cable access method for supporting a host that uses a cable modem.
Typically, when the user desires to access a specified domain, the user runs a network logon application program on the host computer 205 which requires the user to input user identification and authorization information as a means of initiating access to the desired network. This information is then directed to the access point 210 where it is verified to ensure that the host user has the required authorization to permit access to the desired network. Once authorization is granted to the user, a connection is established via the access point 210 with the home gate of the specified domain site (235, 240, 245).
The connection established may be tunnel-based connections (225, 230), such as L2TP (Layer Two Tunneling Protocol) or L2F (Layer Two Forwarding) or an IP-based (Internet Protocol) connection, such as used with ATM or frame relay. The user of the host computer 205, having established such a connection, has the ongoing capability to access the specified domain until the connection is terminated either at the directive of the user or by error in data transmission. The access point 210 will typically have the capability to connect the user to various other privately owned secured domain sites, or the public Internet 200.
As the use of data communications networks increases worldwide, congestion of those networks has become a problem. A given data communications network, a given node on a data communications network, or a given link connecting two nodes has a certain capacity to pass data packets and that capacity cannot be exceeded. Network congestion is exacerbated by denial-of service attacks.
Denial of Service (DoS) attacks attempt to render a computer or network incapable of providing normal services. Denial of Service attacks typically target a computer's network bandwidth or connectivity. Bandwidth attacks flood the network with such a high volume of traffic that all available network resources are consumed, effectively locking out legitimate users. Connectivity attacks flood a computer with such an unusually a high volume of connection requests that all available operating system resources are consumed, thus preventing the computer from processing legitimate user requests. For example, a computer hacker intending to exploit present day HTTP servers could flood the network with many HTTP requests. The resources devoted to handling the large number of HTTP requests generated by the computer hacker could adversely affect services available to other users. If an innocent user makes normal page requests from a website while that website is being subjected to a DoS attack, the requests may fail completely or the pages may download so slowly as to make the website unusable.
A Distributed Denial of Service (DDOS) attack uses many computers to launch a coordinated DoS attack against one or more targets. The perpetrator is able to increase the effectiveness of the Denial of Service by harnessing the resources of multiple unwitting accomplice computers that serve as attack platforms. Typically, a DDoS master program is installed on one computer using a stolen account. At a designated time, the master program communicates to a number of “agent” programs installed on computers anywhere on the Internet. The agents initiate the attack when they receive the command. The master program can initiate hundreds or even thousands of agent programs within seconds.
The currently available solutions to this problem are very limited and do not offer the level of security and service that most Internet users demand. One solution is to secure computers from being hijacked and used as attack platforms by, for example, periodically scanning Internet computers to make sure they are not being used as unwitting DoS attack platforms. This solution cuts the problem off before it can ever manifest. However, this solution is ineffective against computer users that desire to cause DoS attacks. Furthermore, this solution requires a coordinated effort amongst numerous parties around the world to secure Internet computers from becoming unwitting accomplices to such malicious intruders. Unfortunately, for every business that has the knowledge, budget and inclination to make such changes, there are many more which lack such resources.
What is needed is a solution that provides increased protection against HTTP server denial of service attacks.