The expansion of the Internet and other data communications networks has been accompanied by an increase in the risk that such networks may experience data flooding. Data flooding, as the phrase implies, occurs when a host system connected to the network becomes partially or completely inoperable owing to its resources—processing capability, memory, physical links—being overwhelmed by a transmission of too much data too rapidly to the host system. With respect to data communication network security issues, in particular, data flooding underlies a wide range of security threats commonly referred to as denial-of-service (DoS) attacks.
One example of a DoS attack is SYN flooding, in which an attacker floods a network server or other host with transmission control protocol (TCP) SYN packets bearing spoofed source IP addresses. Unable to distinguish legitimate SYN packets from spoofed ones, the server completes the first two steps of TCP's well-known three-way handshake (it records the pending connection and replies with a SYN-ACK), but the third step, the client's ACK, never arrives, because the spoofed address does not belong to the attacker. The server is therefore left holding an ever-growing number of half-open connections that occupy its connection backlog until they time out; as long as the flood continues, these half-open connections can severely and indefinitely tie up the server's resources.
Yet another type of DoS attack is a distributed denial-of-service (DDoS) attack. In a DDoS attack, the attacker first gains access to user accounts on numerous hosts connected to the communication network (e.g., the Internet), for example by "sniffing" passwords or breaking into the accounts. The attacker then installs and runs slave programs on the compromised hosts. On command, these slave programs generate large volumes of data that the attacker directs at the attacked host to cause data flooding.
In recent years the number of such DoS attacks has risen, among them some notorious ones against widely known Web sites such as those of Amazon, eBay, CNN, and Yahoo. Such attacks can cause significant economic losses, yet protecting against them is difficult and costly. Current methods of packet filtering can be problematic because, among other difficulties, it is hard to distinguish legitimate traffic from flooding traffic. Much of the current research into mitigating DoS attacks focuses on techniques to combat source-address spoofing, which, as noted above, underlies SYN flooding and is likewise used to conceal the sources of DDoS traffic. Other research has concentrated on ingress filtering, route-based packet filtering, and various IP traceback protocols.
The effectiveness of many, if not all, of these current safeguards against DoS attacks depends heavily on how widely they are deployed. Specifically, effectiveness can be severely diluted if, for example, only a few of the edge and core nodes of the network are configured to implement one or more of the techniques described above. Moreover, even where current safeguards are widely deployed, they may still raise problems of security, management, or efficiency. For example, under the aggregate-based congestion control (ACC) technique that has been proposed for rate-limiting data flooding from an identified source, a router congested by data flooding sets a local rate limit on the offending traffic aggregate and then, in a succession of steps, propagates that limit upstream to the routers, both edge and core, that feed it the aggregate. The result is a dynamic rate-limit tree that can be costly to maintain. More generally, no device or mechanism has been put forward to date that effectively and efficiently mitigates data flooding exclusively at the edge nodes of a data communication network.
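The rate-limit tree that ACC builds can be seen in a small simulation. The following is an added illustration, not code from the patent or from any ACC implementation: the topology, the per-link traffic rates toward the victim, the capacity of the congested link and the contribution threshold are all constructed, and the limit is split among upstream contributors in simple proportion to their input rates rather than by the more elaborate policy of a real implementation.

```python
"""Toy model of aggregate-based congestion control (ACC) pushback.

Constructed illustration. `upstreams[r]` maps router r to the routers feeding it
and how much traffic (Mb/s) each sends toward the attacked destination. The
congested router sets a local limit, splits it among its upstream contributors,
and sends pushback requests to every contributor above a share threshold, which
repeats the process; the routers reached this way form the rate-limit tree.
"""

# Constructed topology: victim sits behind R0; E* are edge routers, A/B are
# further upstream. Values are Mb/s of flooding traffic toward the victim.
UPSTREAMS = {
    "R0": {"E1": 80.0, "E2": 15.0, "E3": 5.0},
    "E1": {"A": 50.0, "B": 30.0},
}


def pushback(upstreams, congested, limit, share_threshold=0.10):
    """Return (tree, messages): tree maps each router reached by pushback to the
    rate limit it must enforce; messages counts pushback requests sent."""
    tree = {congested: limit}
    messages = 0
    pending = [congested]
    while pending:
        router = pending.pop()
        feeds = upstreams.get(router, {})
        total = sum(feeds.values())
        if total == 0:
            continue  # leaf of the tree: nothing upstream to push back to
        for up, rate in feeds.items():
            share = rate / total
            if share < share_threshold:
                continue  # small contributor: limited locally, no request sent
            tree[up] = tree[router] * rate / total  # proportional split of the limit
            messages += 1
            pending.append(up)
    return tree, messages


def passes_through(upstreams, tree, congested):
    """Traffic the congested router forwards after limits are applied: each upstream
    sends min(its rate, its limit), and the local limit caps the sum."""
    feeds = upstreams[congested]
    delivered = sum(min(rate, tree.get(up, rate)) for up, rate in feeds.items())
    return min(delivered, tree[congested])


if __name__ == "__main__":
    tree, msgs = pushback(UPSTREAMS, "R0", limit=20.0)
    print(tree, msgs, passes_through(UPSTREAMS, tree, "R0"))
```

With these inputs the 20 Mb/s limit at R0 becomes 16 Mb/s for E1 and 3 Mb/s for E2, and E1's share is in turn pushed back to A (10 Mb/s) and B (6 Mb/s); E3, below the threshold, is only limited locally. Every router in the returned tree must keep per-aggregate state and refresh it as traffic shifts, which is the maintenance cost the text refers to.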