During the past 50 years, computer systems have evolved from isolated, stand-alone systems accessed through relatively slow, but relatively easily secured input/output systems (“I/O systems”), including printed-card decks and teletype consoles, to a world replete with ubiquitous personal computers, servers, mainframes, and enormous distributed computing systems that are highly interconnected through high-bandwidth electronic communications systems. A single computer may be potentially interconnected with tens, hundreds, thousands, or more external computer systems at any given time. The massive interconnection of computer systems has produced enormous benefits, not the least of which is interconnection of an enormous number of personal-computer users and organizations through the Internet. The Internet has, in turn, spawned entire new industries and now represents a mayor medium and framework for a wide variety of commercial activities. The extent to which evolution of the Internet has impacted human societies is apparent to anyone who, for example, was familiar with card catalogs and large reference sections in public libraries, now largely supplanted by Internet-based resources accessed through personal computers. Local and regional bookstores and music shops are disappearing as more and more people purchase books, CDs, software, and a variety of other consumer products from large Internet-based retailers.
Along with many advantages, massive interconnection of computer systems by electronic communications media has spawned a host of new problems, including a variety of different types of destructive communications-related activities, computer fraud, and even hijacking of large numbers of computer systems that then act together in a concerted fashion to attack and debilitate server computers and organizations, including launching denial-of-service attacks and SYN-flood attacks, to distribute spam email, and to distribute computer viruses and worms. Unfortunately, there are no easy solutions to many of these new problems. Electronic communications are very much a double-edged sword, providing great benefit and opportunities, but, at the same time, broadly exposing vulnerabilities in personal and computational security to malicious attackers as well as to unintentional lapses and malfunction of otherwise legitimate computational activities. Because of the varieties of communications-based threats and security vulnerabilities within computer systems, securing interconnected computers from intentional attack and inadvertent security lapses generally involve various layered, multi-tiered approaches and methods. Certain vulnerabilities will need to be contained and eliminated by increasing the security of individual computer systems, both at the hardware and at the operating-system levels. Other vulnerabilities may need to be addressed by constructing efficient and adaptive filters, checkpoints, and monitors at appropriate points in communications-related components of a computer system.
One type of security vulnerability to which current computer systems are exposed is a class of malicious or, in certain cases, unintentional patterns of communications requests that drain resources of a receiving computer to the extent that subsequent communications are severely degraded or completely disrupted. Examples of intentional efforts to exhaust communications-related resources within server computers include denial-of-service attacks and SYN-flood attacks, discussed further in subsequent sections of this document. Various strategies have been devised to inhibit denial-of-service and SYN-flood attacks, with various degrees of success. For critical computer systems, including domain-name servers and other foundation components of the Internet, better approaches are needed to thwart denial-of-service, SYN-flood, and other types of attacks that, when directed to Internet infrastructure, have the ability to degrade or completely disrupt Internet-based communications for significant periods of time, and, by doing so, disrupt commerce, critical information-provision services, and even compromise national defense and national security.