The present invention relates in general to networked computing environment protection, and, in particular, to a system and method for preventing a spoofed denial of service attack in a networked computing environment.
Computer networks form a central component of corporate information technology infrastructures. There are two types of networks. A local area network or "intranetwork" is a network operating within a single identifiable location, such as on one floor of a building. Individual computers and shared resources are interconnected over a single media segment. A wide area network or "internetwork" is a network consisting of interconnected intranetworks and geographically dispersed computational resources which, when taken as a whole, comprise a unified set of loosely associated computers. The Internet, for example, is a public internetwork interconnecting clients worldwide.
Structurally, most internetworks and intranetworks are based on a layered network model employing a stack of standardized protocol layers. The Transmission Control Protocol/Internet Protocol (TCP/IP) suite, such as described in W. R. Stevens, "TCP/IP Illustrated," Vol. 1, Ch. 1 et seq., Addison-Wesley (1994), the disclosure of which is incorporated herein by reference, is a widely adopted network model. Computers and network resources using the TCP/IP suite implement hierarchical protocol stacks that include link, network and transport layers. In addition, client and server end devices implement an application layer for providing or receiving services, such as electronic mail, content provision or resource sharing, to individual clients. The Transmission Control Protocol (TCP) provides a connection-oriented, reliable, byte stream service. Services offered in a TCP environment are session-based, and TCP sessions must be initiated through a negotiated three-way handshaking sequence.
TCP-based networks are particularly susceptible to a type of attack known as a denial of service ("DoS") attack. Ordinarily, a TCP server will reserve state, such as memory buffers, upon receiving a service request from a client in the expectation of having to process transient data packets during a session. However, a state consumption attack attempts to force a victim server to allocate state for unproductive uses during the three-way handshaking sequence. In a DoS attack, an attacker will cause a high volume of bogus service requests to be sent to a victim server which will continue to allocate state until all available state is expended. Thus, no state will be left for valid requesters and service will be denied. In addition, DoS attacks are difficult to detect because the bogus service requests are indistinguishable from normal network traffic.
One form of DoS attack employs "spoofed" packet source addresses. A spoofed packet is a data packet sent by a third party containing a source address other than the source address of that third party. The fraudulent source address could be the address of another system or might be a random source address that is valid yet not presently in use. Unfortunately, TCP does not provide means for ensuring that packet source addresses are not fraudulent. Attackers take advantage of this security hole by sending service request packets with fraudulent source addresses to disguise their identity. Consequently, tracing the source of spoofed DoS attacks is often meaningless and the attackers are virtually untraceable.
In the prior art, firewalls have traditionally provided a first line of defense against all types of attacks. Firewalls are placed at the boundary separating an intranetwork from a public internetwork and prevent network compromise by unauthorized users through packet filtering and proxies. However, firewalls fail to provide an adequate defense to DoS attacks for several reasons.
For instance, most firewalls filter packets by comparing the source addresses of incoming packets to lists of individual addresses and address ranges. However, these addresses and address ranges must be periodically loaded into the firewall. Loading this information once a DoS attack is underway is too late to be of practical use. Similarly, address range checking can be too restrictive and can filter out valid yet not presently connected addresses.
More importantly, though, most, if not all, of the packets used to produce a DoS attack will appear valid, as there is no a priori method to sort spoofed packets from non-spoofed packets. As well, application layer firewalls, such as might be incorporated directly into a server, risk running out of state at the TCP and IP protocol layers in the same manner as the underlying servers which they are attempting to protect. Finally, firewalls are typically installed within the infrastructure of an organization in front of the internal machine population, thereby providing no further protection beyond the protected machine boundary.
Therefore, there is a need for a solution providing protection against DoS attacks in a TCP-based computing environment. Preferably, such an approach would operate in a stateless fashion to protect the firewall from allocating state and thus ensure that the firewall would not run out of resources during a DoS attack. Moreover, such an approach would operate at a network layer in a protocol-independent manner.
There is a further need for a dynamic approach to packet validity checking which can detect spoofed, fictitious, and inactive addresses. Preferably, such an approach would validate all source addresses in an unintrusive manner.
The present invention provides a system and method for protecting against state consumption-type DoS attacks. Typically, DoS attacks can occur in TCP-based networked computing environments. A system, such as could be incorporated into a firewall, intercepts session request packets. A checksum, preferably cryptographic, is generated from information contained in the headers of each request packet. A request acknowledgement packet is sent to the source address indicated in the request packet headers with the checksum included as a pseudo sequence number. If an acknowledgement packet is received back, a second checksum is generated from information contained in the headers of the acknowledgement packet. The second checksum is compared to the acknowledgement number contained in the acknowledgement packet headers. If the checksum and acknowledgement number match, the session request is valid and a handshaking sequence is performed with the server. The sequence numbers of subsequent session packets are translated to account for the pseudo acknowledgement number.
An embodiment of the present invention is a system and a method for preventing a spoofed denial of service attack in a networked computing environment. A hierarchical protocol stack is defined. The hierarchical protocol stack includes a plurality of communicatively interfaced protocol layers with at least one session-oriented protocol layer. A packet requesting a session with the session-oriented protocol layer is received from the networked computing environment. The request packet includes headers containing a source address of uncertain trustworthiness. The request packet is acknowledged by performing the following operations. First, a checksum is calculated from information included in the request packet headers. A request acknowledgement packet is generated. The request acknowledgement packet includes headers containing the checksum as a pseudo sequence number and the source address in the request packet headers as a destination address. Finally, the request acknowledgement packet is sent into the networked computing environment. An acknowledgement packet is received from the networked computing environment. The acknowledgement packet includes headers containing an acknowledgement number. The acknowledgement packet is validated by performing the following operations. First, a validation checksum is calculated from information included in the acknowledgement packet headers. Then, the validation checksum is compared to the acknowledgement number. No state is maintained by the authenticating system until the comparison has succeeded.
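The stateless acknowledgement, validation and sequence-number translation described in the two preceding paragraphs, as an added Python example that is not part of the patent: packets are plain dicts, the checksum is a truncated HMAC-SHA256 under a secret held only by the intercepting system (the text says only "preferably cryptographic"), and the +1 offset follows TCP's convention of acknowledging ISN+1 (an assumption about how the comparison is carried out).

```python
import hmac
import hashlib
import secrets

MASK = 0xFFFFFFFF
# Secret held by the intercepting system; never sent on the wire (assumed, not from the text).
_SECRET = secrets.token_bytes(32)

# Constructed sample session request (SYN) as seen by the intercepting system.
SAMPLE_SYN = {"src": "203.0.113.5", "sport": 40001, "dst": "192.0.2.10", "dport": 80, "seq": 0x1A2B3C4D}


def pseudo_seq(src, sport, dst, dport, client_isn, secret=_SECRET):
    """32-bit cryptographic checksum over the request headers; no per-request state is kept."""
    msg = f"{src}|{sport}|{dst}|{dport}|{client_isn}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")


def build_syn_ack(syn, secret=_SECRET):
    """Request acknowledgement: the checksum is sent back as the pseudo sequence number."""
    cookie = pseudo_seq(syn["src"], syn["sport"], syn["dst"], syn["dport"], syn["seq"], secret)
    return {"src": syn["dst"], "sport": syn["dport"], "dst": syn["src"], "dport": syn["sport"],
            "seq": cookie, "ack": (syn["seq"] + 1) & MASK}


def validate_ack(ack, secret=_SECRET):
    """Recompute the checksum from the ACK's own headers and compare it to the ack number.
    Returns the verified pseudo ISN, or None for a forged or spoofed-source ACK.
    State for the session may be allocated only after this returns a value."""
    client_isn = (ack["seq"] - 1) & MASK  # the client's first ACK carries ISN+1
    expected = pseudo_seq(ack["src"], ack["sport"], ack["dst"], ack["dport"], client_isn, secret)
    # TCP acknowledges ISN+1, so a genuine ACK carries checksum+1 (mod 2^32)
    want = ((expected + 1) & MASK).to_bytes(4, "big")
    if hmac.compare_digest((ack["ack"] & MASK).to_bytes(4, "big"), want):
        return expected
    return None


def seq_delta(pseudo_isn, real_server_isn):
    """Offset between the pseudo ISN given to the client and the real server's ISN."""
    return (real_server_isn - pseudo_isn) & MASK


def translate_server_to_client(pkt, delta):
    """Server-to-client packets: rewrite seq so the client keeps seeing the pseudo ISN space."""
    return {**pkt, "seq": (pkt["seq"] - delta) & MASK}


def translate_client_to_server(pkt, delta):
    """Client-to-server packets: rewrite ack so the server sees its own ISN space."""
    return {**pkt, "ack": (pkt["ack"] + delta) & MASK}
```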
Still other embodiments of the present invention will become readily apparent to those skilled in the art from the following detailed description, wherein embodiments of the invention are described by way of illustrating the best mode contemplated for carrying out the invention. As will be realized, the invention is capable of other and different embodiments and its several details are capable of modifications in various obvious respects, all without departing from the spirit and the scope of the present invention. Accordingly, the drawings and detailed description are to be regarded as illustrative in nature and not as restrictive.