1. Field of the Invention
This invention relates generally to network denial of service attacks and, more particularly, to protecting against network denial of service flooding attacks.
2. Description of the Related Art
Society has become increasingly dependent on the Internet for daily activities as a result of the exponential growth of both government and business processes that make use of Internet technologies. The Internet's explosive growth is at least partially due to the scalability and fault-tolerance of its design principle, which pushes most of the complexity and state out toward the edges of the network, thereby making the network nodes relatively simple and easy to manage.
This simplicity, and a lack of built-in authentication, makes the Internet scalable and easy to manage but also very anonymous, as the configuration of the Internet makes it somewhat difficult to trace the source of transmitted packets. This has enabled the rise of network-based denial of service (DoS) attacks, in which packets are sent remotely and anonymously through the Internet with the goal of shutting down or greatly inhibiting a targeted end-system from providing services over the Internet. The packets have adverse effects on the communication resources of targeted end-systems, thereby denying access to legitimate users that try to access the end-systems.
Network-based DoS attacks can be generally classified in three categories: (1) implementation exploits; (2) protocol exploits; and (3) flooding exploits. Implementation exploits are DoS attacks that adversely take advantage of known deficiencies of certain implementations from specific end-system vendors in order to disable an end-system. Such implementation exploits are generally the least severe since they can be easily defeated by patching the vendor's implementation to overcome or resist the attack.
Protocol exploits are DoS attacks that misuse specific communication protocols and take advantage of the fact that many protocols are not designed to protect against hostile use of the protocols. TCP SYN attacks and routing attacks are examples of protocol exploits; a TCP SYN attack, for instance, involves sending an excess number of TCP SYN packets to a targeted end-system. These attacks are not very easy to devise but are very severe, as they require changes or amendments to standards and therefore may be very expensive to fix.
Flooding exploits simply send large amounts of bogus traffic to a victim's end-system in an attempt to entirely consume the traffic capacity of the end-system and thereby shut down the victim's ability to service legitimate traffic. These exploits expose the lack of resource management in Internet Protocol (IP) networks and are very popular because of their relative simplicity and destructive outcomes. DoS flooding is facilitated by the general lack of Internet quality of service (QOS) control that permits uncontrolled, malicious acquisition and use of Internet bandwidth. Furthermore, the lack of security allows such destructive usage to be carried out anonymously.
Currently, DoS flooding attacks often are implemented through the wide availability and usage of several distributed DoS (DDoS) tools that allow attackers to anonymously and remotely control a number of attack hosts (“zombies”) that send floods of packets toward the victim(s) on a network or at an end-system. The DDoS tools send attack packets in an uncontrolled fashion to consume all or a large portion of the bandwidth at the victim's network. Furthermore, attacker anonymity is achieved by inserting random packet header fields into the attack packets to thereby misidentify the source of the packets. As a result, the offending traffic cannot be distinguished from the legitimate traffic and cannot be traced on the basis of the contents of the protocol headers.
The end result of these types of attacks is to anonymously prevent legitimate users from reaching the victim's network services. The attacks also subject the victim's network to crippling load conditions, as the network's replies to randomly generated source addresses flush route caches in routers and overload the route lookup mechanisms, which further aggravates the situation.
There are a variety of available DDoS tools for implementing DoS attacks. Such tools basically use three types of flooding packets: (1) TCP packets (such as SYN, ACK, RST, NULL); (2) ICMP packets; and (3) UDP packets. A new breed of attacks based on reflection is also being used. These types of attacks use a plurality of compromised zombie hosts to send TCP, UDP or ICMP packets with the source addresses in the packets set to the victim's network address. The zombies iteratively send the packets to a very large number of legitimate network endpoints. The network endpoints then reply to the packets, resulting in a flood of packets being sent to the victim's network address. The replies typically include SYN ACKs, ICMP echo replies, or any other application responses (such as a Gnutella connection request). Such techniques allow attacks to be much more distributed and also render any forensic techniques more difficult, as the zombies are only involved indirectly.
There are currently several existing techniques that attempt to mitigate the Internet DDoS flooding problem. With the exception of rate limiting, all these techniques decrease the anonymity of flooding packets in order to aid in identification and capture of the attackers responsible for the attack. However, the techniques do not prevent or alleviate the effectiveness of the actual flooding attack.
Rate limiting is one technique that reduces the effectiveness of DDoS attacks. According to this technique, rate-limiting filters are administratively applied at network locations to effectively reduce the amount of bandwidth consumed by certain types of packets at the network location in response to the detected rate at which packets are received. This limits the exposure to bandwidth attacks that use these types of packets. Unfortunately, most conventional DDoS attack methods spoof protocol headers in a way that is indistinguishable from legitimate production traffic (so that DDoS packets appear to be legitimate HTTP traffic). Consequently, rate limiting of bandwidth for DDoS flood protection also limits the legitimate traffic.
Most firewalls today offer a rate-limiting functionality. However, a rate limiting functionality is only marginally useful as it does not provide any benefits against randomly spoofed bandwidth attacks. Furthermore, it does not prevent an attacker from consuming the bandwidth on the network side of the firewall. Consequently, rate limiting is only useful if it can be applied close to the source of the attack, where most of the traffic is malicious. However, rate limiting close to the victim's network through the use of firewalls or traffic shapers has two very undesirable consequences. One such consequence is that, during normal operations, rate limiting effectively reduces the capacity of the victim's network. Another consequence is that, in the presence of an attack, rate limiting lowers the bandwidth threshold necessary for an adversary to force the rate limited system to start dropping legitimate packets.
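The two consequences just described can be made concrete with a small simulation. The following is an added example, not part of the patent text: it models a token-bucket rate limiter at the victim's link and runs it over a constructed trace in which five legitimate clients share the link with a flood whose packets each carry a fresh random source address. The names (Packet, make_trace, TokenBucket, simulate) and the traffic rates are assumptions chosen for the illustration.

```python
"""Token-bucket rate limiting against a randomly spoofed flood (constructed traffic)."""
import random
from dataclasses import dataclass


@dataclass
class Packet:
    t: float      # arrival time in seconds
    src: str      # source address as carried in the header (spoofed for flood packets)
    legit: bool   # ground truth, known only to the simulation, not to the limiter


def make_trace(seed=7, legit_pps=100, attack_pps=900, duration=1.0):
    """Constructed sample trace: five legitimate clients sending at a steady
    combined rate, plus a flood whose every packet has a random source address."""
    rng = random.Random(seed)
    pkts = [Packet(i / legit_pps, f"10.0.0.{1 + i % 5}", True)
            for i in range(int(legit_pps * duration))]
    for _ in range(int(attack_pps * duration)):
        spoofed = ".".join(str(rng.randint(1, 254)) for _ in range(4))
        pkts.append(Packet(rng.random() * duration, spoofed, False))
    pkts.sort(key=lambda p: p.t)
    return pkts


class TokenBucket:
    """Classic token bucket: `rate` tokens per second, at most `burst` stored."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def admit(self, t):
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(pkts, rate, burst, per_source):
    """Run the trace through either one bucket for the whole link (aggregate
    limiting) or one bucket per header source address (per-source limiting).
    Returns how many legitimate and flood packets were dropped, and how many
    packets of either kind were admitted."""
    shared = TokenBucket(rate, burst)
    buckets = {}
    result = {"legit_dropped": 0, "attack_dropped": 0, "admitted": 0}
    for p in pkts:
        bucket = buckets.setdefault(p.src, TokenBucket(rate, burst)) if per_source else shared
        if bucket.admit(p.t):
            result["admitted"] += 1
        else:
            result["legit_dropped" if p.legit else "attack_dropped"] += 1
    return result


if __name__ == "__main__":
    trace = make_trace()
    # Link limited to 200 pps while 1000 pps are offered: the limiter cannot tell
    # the 100 legitimate packets apart, so most of them are dropped too.
    print("aggregate :", simulate(trace, rate=200, burst=10, per_source=False))
    # Per-source limiting never triggers: every spoofed packet is a new "source".
    print("per-source:", simulate(trace, rate=200, burst=10, per_source=True))
```

The aggregate run shows the first consequence in the text: the limiter holds the link to its configured 200 packets per second, but because flood and legitimate packets are indistinguishable at the header level, legitimate packets are dropped in proportion to their share of the offered load. The per-source run shows why keying the limit on the source address does not help: each spoofed address is seen once and never exceeds its own bucket, so not a single flood packet is dropped.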
Ingress filtering is another technique for countering DoS attacks. Ingress filtering does not directly eliminate DDoS flooding attacks, but rather prevents spoofing of source addresses through the use of preventive administrative filtering at a network ingress point. Spoofing source addresses is one of the techniques used to hide the origin of flooding packets or to control packets that can cause flooding to occur, thus making DDoS attacks safer to carry out from the attacker's perspective. Ingress filtering uses a router that checks to ensure that each packet sent into the Internet by an Internet Service Provider (ISP) has a source IP address that belongs to the administrative domain of the router performing the check.
If ingress filtering were universally applied, source addresses of flooding packets could be used to track down the sending ISP and eventually the attackers. However, in practice, ingress filtering is very difficult to promote and adopt universally, as it requires ISPs to dedicate router computing resources to check all outgoing routed packets, thereby reducing the effective throughput of the ISP. Consequently, ingress filtering is not a viable solution to DDoS flooding because it may only reduce the number of available launch platforms (excluding the ones that apply ingress filtering), thus providing only a partial solution. Furthermore, ingress filtering may reduce the occurrence of only certain attacks and may not deter DDoS attacks that are carried out with the collusion of the ISP, such as in international electronic warfare or electronic terrorism.
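The check an ingress router performs is simple to state: the source address of every packet arriving on a customer-facing interface must fall within a prefix delegated to that customer. The following is an added example, not taken from the patent, that implements that check with Python's standard `ipaddress` module over a constructed set of packets. The interface names, the prefixes and the function names (source_permitted, ingress_filter) are assumptions for the illustration.

```python
"""Ingress (anti-spoofing) filter at an ISP edge router, over constructed packets."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    ingress_if: str   # interface the packet arrived on
    src: str          # source address from the IP header
    dst: str          # destination address from the IP header


# Constructed allow lists: the prefixes delegated to the customer behind each
# ingress interface. In practice this comes from the router's configuration.
ALLOWED = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/25"),
               ipaddress.ip_network("2001:db8:1::/48")],
}


def source_permitted(ingress_if, src, allowed=ALLOWED):
    """True if `src` belongs to one of the prefixes delegated to the customer on
    `ingress_if`. Interfaces without an allow list and unparseable addresses fail
    closed: the packet is not forwarded into the Internet."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in allowed.get(ingress_if, []))


def ingress_filter(packets, allowed=ALLOWED):
    """Split packets into those forwarded and those dropped by the ingress check."""
    forwarded, dropped = [], []
    for p in packets:
        (forwarded if source_permitted(p.ingress_if, p.src, allowed) else dropped).append(p)
    return forwarded, dropped


# Constructed sample packets (documentation address ranges).
SAMPLE_PACKETS = [
    Packet("cust-a", "192.0.2.10", "203.0.113.5"),           # own prefix: forwarded
    Packet("cust-a", "203.0.113.5", "192.0.2.10"),           # spoofed, not cust-a's: dropped
    Packet("cust-a", "198.51.100.9", "203.0.113.5"),         # cust-b's prefix on cust-a's port: dropped
    Packet("cust-b", "198.51.100.9", "203.0.113.5"),         # own prefix: forwarded
    Packet("cust-b", "2001:db8:1::42", "2001:db8:ffff::1"),  # own IPv6 prefix: forwarded
    Packet("cust-b", "198.51.100.200", "203.0.113.5"),       # outside the /25: dropped
    Packet("unknown-if", "192.0.2.10", "203.0.113.5"),       # no allow list configured: dropped
]

if __name__ == "__main__":
    fwd, drp = ingress_filter(SAMPLE_PACKETS)
    for p in fwd:
        print("forward", p.ingress_if, p.src, "->", p.dst)
    for p in drp:
        print("drop   ", p.ingress_if, p.src, "->", p.dst)
```

The per-packet prefix lookup in `source_permitted` is exactly the router computation the text identifies as the adoption obstacle: it runs for every outgoing packet of every customer, and it only pays off for the rest of the Internet, not for the ISP doing the work. Production routers implement the same rule as interface access lists or as unicast reverse-path forwarding, where the existing routing table stands in for the allow lists above.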
Packet marking is another technique for countering DoS attacks. Packet marking requires the modification of some packets as they are being forwarded by routers. Packet marking helps in reconstructing the origin of a flood and thus could be used to trace attackers. This technique has the same general limitations as ingress filtering, but may be more useful in the short term, as packet marking could be applied in a more controlled way to a given protection domain without requiring cooperation of the Internet community as a whole. Several marking schemes have been proposed to probabilistically overload certain fields in the IP headers to provide enough information to the victim to reconstruct the forwarding paths. This can be accomplished in various ways, such as using the offset bits in a packet to encode the ID number of a router used to route the packet and thereby permit reconstruction of the sequence of routers through which the packet traveled.
One drawback of packet marking is that it requires some additional amount of computation in the routers, thereby consuming computation resources and limiting throughput. Furthermore, the victim's network (end-system) must perform a significant amount of computation to extract from the marked packets enough information to be able to identify the forwarding path. Another drawback is that large amounts of bogus markings can be injected into the packet stream to either confuse the detection algorithm or create a disabling DoS condition on the hosts performing the path computation.
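To show what "probabilistically overload certain fields" means in practice, here is an added example, not part of the patent, of the simplest marking scheme of this kind: each router on the path overwrites a single mark field with its own ID with probability p, and the victim orders routers by how often each ID shows up. The router IDs, the path, the probability and the function names (mark_packets, reconstruct_path, expected_mark_fraction) are assumptions; a real scheme would have to squeeze the mark into an existing header field such as the offset bits the text mentions.

```python
"""Node-sampling packet marking and path reconstruction (constructed path)."""
import random
from collections import Counter


def expected_mark_fraction(p, d):
    """Fraction of packets whose final mark is the router d hops from the victim:
    that router must mark (p) and none of the d-1 routers after it may overwrite
    the mark ((1-p)**(d-1))."""
    return p * (1 - p) ** (d - 1)


def mark_packets(path, n_packets, p, rng):
    """Simulate the forwarding of n_packets along `path` (listed from the flood
    source toward the victim). Each router overwrites the mark field with its own
    ID with probability p. Returns the marks as seen by the victim; None means no
    router on the path marked that packet."""
    marks = []
    for _ in range(n_packets):
        mark = None
        for router_id in path:
            if rng.random() < p:
                mark = router_id
        marks.append(mark)
    return marks


def reconstruct_path(marks):
    """Victim-side reconstruction: rank router IDs by mark frequency. The router
    nearest the victim overwrites last and therefore appears most often, so the
    returned list runs from the victim's neighbour outward toward the source."""
    counts = Counter(m for m in marks if m is not None)
    return [router_id for router_id, _ in counts.most_common()]


if __name__ == "__main__":
    # Constructed path: R5 is the router nearest the flood source, R1 is the
    # victim's upstream neighbour.
    path = ["R5", "R4", "R3", "R2", "R1"]
    rng = random.Random(2024)
    marks = mark_packets(path, n_packets=20000, p=0.3, rng=rng)
    counts = Counter(m for m in marks if m is not None)
    for d, router_id in enumerate(reversed(path), start=1):
        print(router_id, "observed", counts[router_id] / len(marks),
              "expected", round(expected_mark_fraction(0.3, d), 4))
    print("reconstructed (victim outward):", reconstruct_path(marks))
```

Two points the text makes are visible here. The victim needs many packets before the counts separate: with p = 0.3 the fifth router marks only about 7 percent of packets, and the separation between neighbouring routers shrinks geometrically with distance, which is the extraction cost the text attributes to the victim. And because `reconstruct_path` trusts whatever value the mark field carries, marks that did not come from the marking routers skew the counts directly, which is the bogus-marking weakness the text describes.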
Thus, there are currently a variety of ways of dealing with DoS flooding attacks, but each has its own drawbacks. Rate limiting does not effectively work against packets with randomly-spoofed source addresses and can also limit the performance of legitimate traffic. Ingress filtering requires the cooperation of one or more ISPs, which is not practical. Packet marking is computationally expensive from the standpoint of the protected network. In view of the foregoing, there is a need for an improved method and apparatus for effectively detecting and protecting against DoS flooding attacks on a computer network.