The field of the invention relates to computer systems and computer networks, and more particularly, to systems and methods for detecting and preventing flooding attacks in a network environment.
A flooding attack is a type of computer/network intrusion in which the attacker causes a high volume of sessions/connections to be created against a receiver, thereby “flooding” the computer/network of the receiver. Examples of flooding attacks include TCP flooding attacks (such as SYN flooding attacks), UDP flooding attacks, and ICMP flooding attacks. A SYN flooding attack is a connection-based attack that uses TCP packets to attack a network (or a part of a network, such as a firewall), thereby overflowing session tables and/or exhausting available bandwidth. UDP flooding attacks and ICMP flooding attacks are non-connection-based attacks, which are carried out by overflowing virtual session tables and/or exhausting available bandwidth.
For TCP connections, the traditional SYN proxy prevention technique involves tracking each received SYN packet, regardless of whether it belongs to flooding traffic or legitimate traffic, thereby requiring a tremendous amount of system resources, such as memory, CPU cycles, storage space, and processing time. Some conventional flooding prevention devices are configured to transmit a SYN-ACK packet in response to each received SYN packet, acknowledging to the sender of the SYN packet that it has been received. This is done for every SYN packet, regardless of whether the sender is a legitimate user or an attacker. These flooding prevention devices require a large amount of memory and system resources in order to keep track of the received SYN packets and the SYN-ACK packets. If a flooding attack is relatively heavy, the system resources of the prevention device can be exhausted by the flooding attack. In some cases, the additional SYN-ACK packet from the prevention device may double the flooding traffic, thereby causing legitimate traffic to be dropped even at the link layer.
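The resource problem described above can be illustrated with a small model of a conventional SYN proxy that allocates a half-open table entry and answers SYN-ACK for every SYN it receives. This is an added illustration, not code from the patent; the table capacity, timeout and the constructed flood/legitimate traffic are assumptions chosen to show the failure mode (table exhaustion and one extra SYN-ACK per flood SYN).

```python
from collections import OrderedDict


class ConventionalSynProxy:
    """Model of a SYN proxy that tracks every SYN: one table entry and one SYN-ACK per SYN."""

    def __init__(self, capacity, timeout_ms):
        self.capacity = capacity          # max half-open entries the device can hold (assumed)
        self.timeout_ms = timeout_ms      # how long a half-open entry is kept (assumed)
        self.half_open = OrderedDict()    # (src, sport) -> time the SYN arrived, oldest first
        self.completed = 0                # handshakes finished by a client ACK
        self.dropped_syn = 0              # SYNs refused because the table was full
        self.sent_syn_ack = 0             # SYN-ACKs emitted by the proxy (extra traffic)

    def _expire(self, now_ms):
        while self.half_open:
            _, t = next(iter(self.half_open.items()))
            if now_ms - t < self.timeout_ms:
                break
            self.half_open.popitem(last=False)

    def on_packet(self, now_ms, src, sport, flag):
        self._expire(now_ms)
        key = (src, sport)
        if flag == "SYN":
            if key not in self.half_open:
                if len(self.half_open) >= self.capacity:
                    self.dropped_syn += 1      # table exhausted: SYN dropped, legitimate or not
                    return None
                self.half_open[key] = now_ms   # every SYN costs state, attacker or not
            self.sent_syn_ack += 1             # and every SYN costs an answer packet
            return "SYN-ACK"
        if flag == "ACK" and key in self.half_open:
            del self.half_open[key]
            self.completed += 1
            return "ESTABLISHED"
        return None


def simulate(flood_syns, legit_clients, capacity=1000, timeout_ms=60000):
    """Constructed traffic: flood SYNs from distinct sources that never ACK, then legitimate clients."""
    proxy, t = ConventionalSynProxy(capacity, timeout_ms), 0
    for i in range(flood_syns):                # flood half-opens stay in the table until timeout
        proxy.on_packet(t, f"10.0.{i // 256}.{i % 256}", 40000 + i, "SYN")
        t += 1
    for i in range(legit_clients):             # legitimate clients complete the handshake
        if proxy.on_packet(t, "192.0.2.1", 50000 + i, "SYN") == "SYN-ACK":
            proxy.on_packet(t + 10, "192.0.2.1", 50000 + i, "ACK")
        t += 1
    return {"half_open": len(proxy.half_open), "completed": proxy.completed,
            "dropped_syn": proxy.dropped_syn, "syn_acks": proxy.sent_syn_ack}
```

With a flood larger than the table (`simulate(5000, 100)`), every legitimate SYN is dropped while the proxy still emitted one SYN-ACK per tracked flood SYN; with a light flood (`simulate(500, 100)`) all clients connect, but the proxy has doubled the flood's packet count.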