The present invention relates in general to networked computing environment protection and, in particular, to a system and method for preventing a spoofed remote procedure call denial of service attack in a networked computing environment.
Computer networks form a central component of corporate information technology infrastructures. There are two types of networks. A local area network or "intranetwork" is a network operating within a single identifiable location, such as on one floor of a building. Individual computers and shared resources are interconnected over a single media segment. A wide area network or "internetwork" is a network consisting of interconnected intranetworks and geographically distributed computational resources which, when taken as a whole, comprise a unified set of loosely associated computers. The Internet, for example, is a public internetwork interconnecting clients worldwide.
Structurally, most internetworks and intranetworks are based on a layered network model employing a stack of standardized protocol layers. The Transmission Control Protocol/Internet Protocol (TCP/IP) suite, such as described in W. R. Stevens, "TCP/IP Illustrated," Vol. 1, Ch. 1 et seq., Addison-Wesley (1994), the disclosure of which is incorporated herein by reference, is a widely adopted network model. Computers and network resources using the TCP/IP suite implement hierarchical protocol stacks that include link, network and transport layers. Protocols operate within each layer to provide point-to-point or end-to-end services.
In addition, client and server end devices implement application protocol layers for providing client services, such as electronic mail, content provision and resource sharing. Application protocols operate in an end-to-end fashion between a requesting client and a responding server. Client services are generally implemented using remote procedure call (RPC) semantics whereby a client sends a request to a server which then returns a response back to the requesting client.
Networked computing environments can be attacked. Networks employing protocols like TCP/IP are susceptible to a class of attacks known as denial of service ("DoS") attacks. The basic objective of DoS attacks is to prevent servers from providing services to legitimate clients by attacking either the servers directly or the network infrastructure supporting the servers. One specific DoS attack attempts to overwhelm a victim server with a flood of network traffic. In a direct flood attack, the victim server is inundated with packets more rapidly than responses can be generated. In an indirect flood attack, the infrastructure supporting the victim server is saturated with packets, effectively blocking legitimate traffic from reaching the victim server.
RPC semantics can be misused to effect flood attacks through source address spoofing. In a spoofed flood attack, an attacking system issues a request to one or more servers using the network address of an intended victim server as the source address of the request. Upon receiving the spoofed request, the receiving servers send their replies back to the victim server under the assumption that the request originated from the spoofed source address. The wave of replies sent to the victim server increases the load on both the network path to the victim server and on the victim server itself.
The impact of a spoofed DoS attack can be enhanced through amplification, which can occur when more than one server is willing to respond to the same request. Amplification can also be achieved when a "stooge" server is willing to respond to a single request packet with more than one packet. Amplification can be used to attack a victim server by causing multiple "stooge" computers to generate a flood of unsolicited response packets.
In the prior art, firewalls have traditionally provided a first line of defense against attacks. Firewalls are placed at the boundary separating an intranetwork from a public internetwork and prevent network compromise by unauthorized users through packet filtering, stateful inspection and rate limiting. Packet filtering requires a firewall to maintain a list of unauthorized source addresses. The source addresses of incoming packets are checked against the list. Only packets originating from authorized source addresses are allowed entry into the intranetwork. However, packet filtering is time consuming and resource intensive and can act as a bottleneck to incoming traffic. More importantly, spoofed request packets are indistinguishable from legitimate traffic and effectively evade packet filtering.
Stateful inspection requires a firewall to keep track of outgoing service requests. Incoming responses are matched to the tracked requests to prevent unsolicited responses from entering the intranetwork. However, stateful inspection is also resource intensive and can fail when the state allocated for request tracking is exceeded.
Routers and similar border devices are also used to protect against attacks. Some routers limit the rate of response packets flowing through to the intranetwork. Response packets are dropped when traffic levels reach some pre-defined threshold. However, rate limiting is primarily used to provide an acceptable quality of service to the underlying network infrastructure and indiscriminately drops both legitimate and malicious network traffic.
Therefore, there is a need for a solution for providing protection against spoofed RPC flood DoS attacks in networked computing environments, particularly TCP/IP-based environments. Preferably, such a solution would recognize unsolicited service responses in a discriminating, protocol-independent manner. Moreover, such an approach would operate efficiently without performing resource-intensive list checking or requiring state to be maintained.
The present invention provides a stateless system and method for protecting a networked computing environment against spoofed remote procedure call (RPC) denial of service (DoS) attacks. An authentication system intercepts service requests from requesting clients. If the type of service request is recognized, a token is generated from data contained in the service request. The service request is then forwarded along with the token. The token is either embedded within the service request or added onto the end of the packet. The authentication system also intercepts service responses from responding servers. If the service response is of a recognized type, it is analyzed. The individual fields within the token are validated and, if valid, the response packet is forwarded to the requesting client. Invalid responses are discarded.
An embodiment of the present invention is a system and method for preventing a spoofed remote procedure call denial of service attack in a networked computing environment. A hierarchical protocol stack defines a plurality of communicatively interfaced protocol layers. At least one protocol layer provides a client service via a remote procedure call interface. A request packet sent from a requesting client is intercepted. The request packet contains a service request being sent to a remote server via a remote procedure call. A token uniquely identifying the request packet is generated using data contained therein. The token is included with the request packet. The request packet and the included token are forwarded to the remote server indicated in the remote procedure call. A response packet containing a response sent from a remote server via the remote procedure call interface for the provided client service is received. The response packet is analyzed to determine whether the response packet includes a token uniquely identifying the response packet as having originated from the requesting client for the provided client service.
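The token flow described above, simulated as an added example that is not the patent's own code: a stateless gateway derives a keyed token from the request's own fields plus a time bucket, the server echoes it, and the inbound path validates each token field without a lookup table. The key, the set of recognized protocols, the 30-second window and the packet layout are assumptions for the demonstration.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass

# Constructed demo values; a real gateway would use a random per-device key.
GATEWAY_KEY = b"demo-gateway-key-not-for-production"
RECOGNIZED = {"dns", "sunrpc"}   # request types the gateway knows how to tokenize (assumed)
WINDOW = 30                      # seconds a token stays valid; covers one request/response round trip

@dataclass
class Packet:
    src: str            # source address:port
    dst: str            # destination address:port
    proto: str          # application protocol carried by the packet
    rpc_id: int         # transaction id the responder echoes (e.g. DNS id, ONC RPC xid)
    token: bytes = b""  # gateway token appended to the packet and echoed by the server

def _mac(client, server, proto, rpc_id, bucket):
    # Binds the token to the request tuple and a time bucket; nothing is stored per request.
    msg = f"{client}|{server}|{proto}|{rpc_id}|{bucket}".encode()
    return hmac.new(GATEWAY_KEY, msg, hashlib.sha256).digest()[:8]

def tokenize_request(req, now):
    """Outbound path: attach a token to recognized requests, pass others unchanged."""
    if req.proto not in RECOGNIZED:
        return req
    bucket = int(now) // WINDOW
    req.token = struct.pack("!I", bucket) + _mac(req.src, req.dst, req.proto, req.rpc_id, bucket)
    return req

def accept_response(resp, now):
    """Inbound path: True to forward, False to drop. Each token field is checked in turn."""
    if resp.proto not in RECOGNIZED:
        return True                         # outside the filter's scope
    if len(resp.token) != 12:
        return False                        # missing or malformed token: unsolicited response
    bucket, mac = struct.unpack("!I", resp.token[:4])[0], resp.token[4:]
    if bucket not in (int(now) // WINDOW, int(now) // WINDOW - 1):
        return False                        # time field outside the window: stale or replayed
    # The response travels in reverse: the client is resp.dst and the server is resp.src.
    expected = _mac(resp.dst, resp.src, resp.proto, resp.rpc_id, bucket)
    return hmac.compare_digest(mac, expected)

def simulate():
    """Constructed round trip: a reply echoing the token vs. an unsolicited reply with none."""
    t = 1_000_000
    req = tokenize_request(Packet("10.0.0.5:5353", "203.0.113.9:53", "dns", 0x1A2B), t)
    good = Packet("203.0.113.9:53", "10.0.0.5:5353", "dns", 0x1A2B, req.token)  # server echoes token
    unsolicited = Packet("198.51.100.7:53", "10.0.0.5:5353", "dns", 0x1A2B)     # client never asked
    return accept_response(good, t + 1), accept_response(unsolicited, t + 1)
```

`simulate()` returns `(True, False)`: the echoed token passes every field check and the unsolicited reply is dropped, with the gateway holding no per-request state in between.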
Still other embodiments of the present invention will become readily apparent to those skilled in the art from the following detailed description, wherein embodiments of the invention are described by way of illustrating the best mode contemplated for carrying out the invention. As will be realized, the invention is capable of other and different embodiments and its several details are capable of modifications in various obvious respects, all without departing from the spirit and the scope of the present invention. Accordingly, the drawings and detailed description are to be regarded as illustrative in nature and not as restrictive.