Networks such as intranets, extranets and the Internet are well known today. Computers and other devices reside on respective networks, and routers forward traffic between those networks. (Some routers are contained within firewalls, which perform a screening function as well as a routing function.) When a computer on one “source” network sends a message addressed to a computer on another, “destination” network, the message is forwarded from one router to the next until it reaches the destination network. There may be an Internet Service Provider (“ISP”) for the destination network, and a “site” router at the destination network that forwards the message to the destination computer. In this way, computers and other electronic devices on different networks can communicate with each other.
Each message is divided into packets for transmission and routing according to the known Internet Protocol (IP) standard. Each packet includes a header and a payload. The header includes the IP address of the destination host, and the routers use this IP address to determine where to forward the packet. The payload includes data such as a request or information. The payload also includes information such as the application port that is to provide the requested service, and the site router uses all of this information to determine which computer within the network is to receive and process the message packet.
Most hosts have a respective, unique IP address. The source host embeds the IP address of the destination host in the header of each message packet. When the source network sends the message packets, routers en route to the destination network forward the message packets from router to router (in “hops”) until they reach the destination host. In a “multi-netting” architecture, there is more than one site network or destination network (typically owned by the same company) broadcasting the same IP address. Each such site has a different physical location, a different site router and a different MAC address (representing the respective site router). There are also one or more ISPs for each destination network within the multi-net, logically interposed between the site router for that destination network and the Internet (with its routers). The source network embeds the IP address of the multi-net in each message packet (probably unaware that the destination is a multi-net). When the source network sends the message packets, the routers en route to the multi-net send the messages to one of the ISP(s) for the multi-net along the path with the fewest hops, as described below.
Often, there are multiple possible paths or routes between a source network and a destination network (or site router). The routers know the various paths based on ongoing exchanges of router and network “topology” information between the routers. Typically, each router will determine a shortest (available) path for a message packet to reach its destination network, and then forward the message packet to the next (downstream) router/hop in that path. There are different standards/protocols that a router can use to identify the shortest path to the destination network, such as Routing Information Protocol (“RIP”), Open Shortest Path First (“OSPF”), and Border Gateway Protocol (“BGP”). In the BGP protocol, each router broadcasts to other routers the path it uses to get to a destination network, via other routers or “nodes”. For example, a router B may broadcast that it uses router C to get to network D, a router G may broadcast that it uses router C to get to network D, a router I may broadcast that it uses routers F, G, and C to get to network D, and a router E may broadcast that it uses routers E, F, G, and C to get to network D. Based on these broadcasts, router F may determine that its shortest path to network D is via routers G and C, and forward message packets addressed to network D to router G. Router G will then forward these message packets to router C, and router C will forward them to network D. In the OSPF protocol, “adjacent” routers exchange topological information. Typically, one router on each LAN exchanges topological information with neighboring routers. The OSPF protocol dictates that each router will send a message to its “adjacent” routers providing its state and network routing “costs.” The adjacent router then broadcasts the complete routing topology to all neighboring routers. The neighboring routers use this information to determine which path is best for sending network traffic.
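The fewest-hops selection described in the two preceding paragraphs, as an added illustration that is not code from the patent: each router keeps the paths its neighbours advertised for a destination network, discards any path that runs back through the router itself (a loop check in the style of BGP's AS-path check; an assumption of this example), and installs the survivor with the fewest hops. The router names B, C, D, E, F, G and I follow the text; the neighbour relationships, the router X and the two-site multi-net M with site routers S1 and S2 are constructed.

```python
"""Shortest-path (fewest hops) route selection from path advertisements.

Added illustration, not code from the patent. Each router receives from each
neighbour the ordered list of routers that neighbour traverses to reach a
destination network, drops any advertisement whose path runs back through the
receiving router (loop check, assumed here), and installs the surviving path
with the fewest hops. Router names beyond the text's example, the neighbour
relations and the two-site multi-net "M" are constructed.
"""
from typing import Dict, List, Optional, Set, Tuple

# received[neighbour] = ordered list of routers that neighbour says it goes through
Received = Dict[str, List[str]]

# Per destination network, the advertisements each router has received.
TABLES: Dict[str, Dict[str, Received]] = {
    "D": {                                    # single-site network from the text
        "B": {"C": []},                       # B: "I use C to get to D"
        "G": {"C": []},                       # G: "I use C to get to D"
        "F": {"G": ["C"],                     # heard from G
              "I": ["F", "G", "C"],           # heard from I: goes back through F
              "E": ["E", "F", "G", "C"]},     # heard from E: also goes through F
    },
    "M": {                                    # constructed multi-net, two sites
        "X": {"ISP1": ["S1"],                 # source-side router X hears two paths to M
              "R1": ["ISP2", "S2"]},
        "ISP1": {"S1": []},
        "R1": {"ISP2": ["S2"]},
        "ISP2": {"S2": []},
    },
}

# Routers directly attached to each destination network (they deliver locally).
ATTACHED: Dict[str, Set[str]] = {"D": {"C"}, "M": {"S1", "S2"}}


def select_route(router: str, received: Received) -> Optional[Tuple[str, List[str]]]:
    """Return (next_hop, path) for the loop-free advertisement with the fewest hops.

    `path` starts at the next hop and ends at the router attached to the
    destination. Ties are broken by neighbour name so the choice is
    deterministic. Returns None when every advertisement loops back here.
    """
    best: Optional[Tuple[str, List[str]]] = None
    for neighbour, their_path in received.items():
        path = [neighbour] + their_path
        if router in path:          # we would be forwarding through ourselves: discard
            continue
        if best is None or (len(path), neighbour) < (len(best[1]), best[0]):
            best = (neighbour, path)
    return best


def trace_hops(start: str, dest: str,
               tables: Dict[str, Dict[str, Received]] = TABLES,
               attached: Dict[str, Set[str]] = ATTACHED,
               max_hops: int = 16) -> List[str]:
    """Forward a packet hop by hop, each router applying select_route to its own
    table, until a router attached to `dest` is reached. Returns the routers
    visited; for a multi-net the last element is the site that got the packet."""
    hops = [start]
    router = start
    while router not in attached.get(dest, set()):
        if len(hops) > max_hops:
            raise RuntimeError(f"{dest} not reached within {max_hops} hops: {hops}")
        choice = select_route(router, tables.get(dest, {}).get(router, {}))
        if choice is None:
            raise RuntimeError(f"{router} has no loop-free route to {dest}")
        router = choice[0]
        hops.append(router)
    return hops


if __name__ == "__main__":
    print("F's route to D:", select_route("F", TABLES["D"]["F"]))   # ('G', ['G', 'C'])
    print("packet F -> D visits:", trace_hops("F", "D"))              # ['F', 'G', 'C']
    print("packet X -> M visits:", trace_hops("X", "M"))              # ['X', 'ISP1', 'S1']
```

Router F ends up with next hop G and path G, C, exactly as in the text, because the advertisements from I and E both pass back through F and are discarded. For the multi-net, X's two-hop path through ISP1 beats the three-hop path through R1, so a packet from X lands at site S1; a source nearer to ISP2 would land at S2, which is what lets the site that received a flood say something about where it came from.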
Unfortunately, many computers operated by “hackers” send “malicious” messages to other computers, typically via the Internet. One type of malicious message can form a “denial of service” attack. In a denial of service attack, the individual messages may request ordinary services from the destination computer, but the messages are so numerous that they overwhelm the resources of the destination computer or the transiting networks. This degrades the performance/response time of the destination computer or networks for legitimate users/customers and, in extreme cases, may shut down the destination computer altogether.
When a denial of service attack occurred, it was known to trace the messages suspected of being malicious back to their source network. The trace back was performed by looking up the source IP address in the header of each received message. After tracing the messages back to the source network, it was known to apply a filter in a firewall or site router to block subsequent messages from that source IP address. However, it is not easy to identify which messages are malicious. Also, to hide their identity, some hackers embed a phony source IP address in the message packets that they send. This is commonly referred to as source IP address “spoofing.” Consequently, when the destination network receives such message packets, the destination network (and its administrator) cannot identify the real source of the malicious messages, even when the malicious messages are identified and their headers examined.
Another known solution is to sequentially apply filters at the firewall or site router of the network subject to the denial of service attack. Each filter blocks a different individual source IP address or group of source IP addresses, after which the administrator checks whether the malicious traffic has stopped. Unfortunately, this is a time consuming process, because there are typically many source IP addresses to block. Also, during the course of these tests, some bona fide messages may be blocked and lost, or unacceptably delayed.
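The header-based trace back and the filter-list approach of the two preceding paragraphs, as an added example that is not part of the patent text: the packet records are constructed, a flood aimed at one destination host generated once from a single true source and once with a forged random source address in every header, mixed with a trickle of legitimate requests from three known clients. The defender's functions read only the header fields; the ground-truth flag carried in each record is used solely to score the resulting filter, and the addresses, counts and thresholds are all constructed.

```python
"""Header-based trace back of a flood, and why source spoofing defeats it.

Added example, not part of the patent text. All traffic below is constructed.
The defender sees only (source_ip, destination_ip, destination_port); the
is_attack flag is ground truth kept only to score a filter afterwards.
"""
import random
from collections import Counter
from typing import Iterable, List, Tuple

# (source_ip, destination_ip, destination_port, is_attack)
Packet = Tuple[str, str, int, bool]

VICTIM = "192.0.2.10"                                   # constructed destination host
ATTACKER = "203.0.113.99"                               # constructed true attack source
LEGIT_CLIENTS = ["198.51.100.7", "198.51.100.9", "198.51.100.11"]


def constructed_traffic(flood_size: int, spoofed: bool, seed: int = 1) -> List[Packet]:
    """Build flood_size attack packets plus 30 legitimate ones, in random order."""
    rng = random.Random(seed)
    pkts: List[Packet] = []
    for _ in range(flood_size):
        if spoofed:   # a different phony source address in every header
            src = ".".join(str(rng.randrange(1, 255)) for _ in range(4))
        else:
            src = ATTACKER
        pkts.append((src, VICTIM, 80, True))
    for i in range(30):
        pkts.append((LEGIT_CLIENTS[i % len(LEGIT_CLIENTS)], VICTIM, 80, False))
    rng.shuffle(pkts)
    return pkts


def source_counts(packets: Iterable[Packet]) -> Counter:
    """Trace-back step: read the source address from each header and tally it."""
    return Counter(src for src, _dst, _port, _truth in packets)


def filter_candidates(counts: Counter, threshold: int) -> List[str]:
    """Source addresses that sent at least `threshold` packets: the list an
    administrator would load into the site router or firewall filter."""
    return sorted(src for src, n in counts.items() if n >= threshold)


def score_filter(packets: Iterable[Packet], blocked: List[str]) -> Tuple[int, int]:
    """(attack packets stopped, legitimate packets wrongly stopped) for a filter
    on the given source addresses. Uses ground truth, so for evaluation only."""
    blocked_set = set(blocked)
    stopped_attack = stopped_legit = 0
    for src, _dst, _port, is_attack in packets:
        if src in blocked_set:
            if is_attack:
                stopped_attack += 1
            else:
                stopped_legit += 1
    return stopped_attack, stopped_legit


if __name__ == "__main__":
    for spoofed in (False, True):
        traffic = constructed_traffic(1000, spoofed)
        counts = source_counts(traffic)
        print("spoofed" if spoofed else "true source",
              "| distinct sources:", len(counts),
              "| busiest:", counts.most_common(1)[0])
        for threshold in (100, 5):
            blocked = filter_candidates(counts, threshold)
            print(f"  threshold {threshold:>3}: block {len(blocked)} addresses ->"
                  f" (attack stopped, legit stopped) = {score_filter(traffic, blocked)}")
```

With a true source address the tally points at one address, a single filter entry stops the whole flood and no legitimate packet is touched. With a forged address in every header the flood is spread over roughly a thousand addresses that each appear once, no address reaches a sensible threshold, and lowering the threshold until something is caught flags only the three legitimate clients, which is the lost or delayed bona fide traffic the text warns about.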
An object of the present invention is to facilitate the identification of a source of malicious messages sent to a multi-net.
Another object of the present invention is to facilitate the identification of a source of malicious messages sent to a multi-net environment, when the source IP address of the malicious message listed in the message packets is “spoofed.”
Still another object of the present invention is to facilitate the identification of a source of malicious messages sent to a multi-net, where the malicious messages constitute a denial of service attack.