One threat faced by Internet and other networks is a distributed denial of service (DDOS) attack. In such an attack, a network device (commonly a server, i.e., a specialized computer used in an Internet-Protocol (IP)-based network) is bombarded with IP packets from many sources, in various forms including email, file transfers and so-called ping/UDP/ICMP floods, so that the network device (ND) is overloaded and rendered useless for normal operations. In order to limit and contain the damage of an attack, it is preferable for the network or a communications system within a network to decide intelligently on what packets to be dropped on-the-fly. Ideally, legitimate user packets should be kept while dropping abnormal/attacking packets.
Prior art methodologies for detecting and preventing DDOS attacks entailed storing and processing stored packets to determine potentially violating packets. A monitoring process which attempts to monitor and catalog every detail of every IP packet is quickly overwhelmed, however. Thus, to effectively prevent DDOS attacks, network processors must operate using a minimum number of states or traffic statistics in order to keep storage and computational requirements within a practical range. Accordingly, there is need for more efficient techniques for detecting, identifying and preventing DDOS attacks, wherein such steps can be accomplished essentially on-the-fly.