Networks are constantly exposed to security exploits that are of significant concern to network providers. For example, Denial of Service (“DoS”) attacks can cause significant damage to networks and networked devices. A DoS attack is defined as an action taken upon a computer network or system by an offensive external device that prevents any part of the network from functioning in accordance with its intended purpose. This attack may cause a loss of service to the users of the network and its network devices. For example, the loss of network services may be achieved by flooding the system so that legitimate requests can no longer be serviced normally. The flooding may consume all of the available bandwidth of the targeted network, or it may exhaust the computational resources of the targeted system.
A Distributed Denial of Service (“DDoS”) attack is a more aggressive action that involves multiple offensive devices performing an attack on a single target computer network or system. This attack may be performed in a coordinated manner by these multiple external devices to attack a specific resource of a service provider network. The targeted resource can be any networking device, such as a router, Internet server, electronic mail server, Domain Name System (“DNS”) server, etc. Examples of a DDoS attack include (but are not limited to): large quantities of raw traffic designed to overwhelm a resource or infrastructure; application-specific traffic designed to overwhelm a particular service; traffic formatted to disrupt a computer device from normal processing; traffic reflected and/or amplified through legitimate computer devices; traffic originating from compromised sources or from spoofed IP addresses; and pulsed attacks (which repeatedly start and stop).
Other network security threats include Trojan horse attacks that may be embedded in harmless software, viruses that can reproduce themselves and attach to executable files, worms that can spread via stored collections of e-mail addresses, and logic bombs that can remain dormant until triggered by an event (e.g., a date, user action, random trigger, etc.).
Threat management systems (TMSs) usually use deep packet inspection to mitigate network attacks (e.g., DDoS attacks); however, such close inspection of every packet consumes a large amount of TMS resources, such as central processing unit (CPU) and memory resources. One method of reducing consumption of TMS resources uses a blacklist made up of a list of entries. Each entry includes a characteristic of network traffic that has been identified as being associated with an attack, such as the address of a source of the network traffic. Network traffic can be compared to the blacklist entries, and traffic having a characteristic that matches any of the entries can be blocked without further inspection.
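The following added example (not code from the disclosure) shows the mechanism described above in working form: a blacklist of source addresses and prefixes is consulted before deep packet inspection (DPI), so packets that match an entry are dropped on a cheap path and only the remainder pays the DPI cost. The `toy_dpi` function, the RFC 5737 test addresses, and the choice to promote a DPI-flagged source into the blacklist as a host entry are all assumptions made for the illustration; the counters returned by `filter_packets` show how much of the DPI workload the blacklist absorbs.

```python
"""Blacklist fast path in front of deep packet inspection (DPI).

Added illustration; not code from the disclosure. A blacklist entry records
one traffic characteristic already tied to an attack (here a source address
or prefix, with a reason). Packets whose source matches an entry are dropped
without DPI; only the remainder pays the DPI cost. Sources that DPI flags
are promoted into the blacklist (an assumption about how entries get
populated), so repeat traffic from them takes the cheap path.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_port: int
    payload: bytes


class Blacklist:
    """Entries bucketed by (IP version, prefix length): a lookup costs one
    dictionary probe per distinct prefix length instead of a scan of all entries."""

    def __init__(self) -> None:
        self._buckets: Dict[Tuple[int, int], Dict[Network, str]] = {}

    def add(self, cidr: str, reason: str) -> None:
        # A bare address (no "/len") becomes a /32 or /128 host entry.
        net = ipaddress.ip_network(cidr, strict=False)
        self._buckets.setdefault((net.version, net.prefixlen), {})[net] = reason

    def lookup(self, src_ip: str) -> Optional[str]:
        """Return the reason recorded for the first matching entry, or None."""
        addr = ipaddress.ip_address(src_ip)
        for (version, plen), table in self._buckets.items():
            if version != addr.version:
                continue
            # Mask the address down to this bucket's prefix length and probe.
            candidate = ipaddress.ip_network((int(addr), plen), strict=False)
            reason = table.get(candidate)
            if reason is not None:
                return reason
        return None

    def __len__(self) -> int:
        return sum(len(t) for t in self._buckets.values())


def toy_dpi(pkt: Packet) -> Optional[str]:
    """Constructed stand-in for the expensive inspection step: flags an
    oversized, zero-filled payload as a flood pattern. Real DPI evaluates
    protocol state and signatures; this exists only to drive the demo."""
    if len(pkt.payload) >= 512 and not any(pkt.payload):
        return "zero-filled flood payload"
    return None


def filter_packets(packets: Iterable[Packet], blacklist: Blacklist,
                   dpi: Callable[[Packet], Optional[str]]) -> Dict[str, int]:
    """Apply the blacklist first, DPI second; return per-path counters."""
    stats = {"fast_path_blocked": 0, "dpi_inspected": 0, "dpi_blocked": 0, "passed": 0}
    for pkt in packets:
        if blacklist.lookup(pkt.src_ip) is not None:
            stats["fast_path_blocked"] += 1      # dropped without DPI
            continue
        stats["dpi_inspected"] += 1
        verdict = dpi(pkt)
        if verdict is None:
            stats["passed"] += 1
        else:
            stats["dpi_blocked"] += 1
            blacklist.add(pkt.src_ip, verdict)   # learn the source as a host entry
    return stats


def run_demo() -> Dict[str, int]:
    """Constructed traffic using RFC 5737 documentation addresses."""
    bl = Blacklist()
    bl.add("198.51.100.0/24", "reflection sources")   # prefix entry
    bl.add("203.0.113.7", "known flood host")          # host entry
    traffic = [
        Packet("198.51.100.23", 53, b"\x00" * 600),    # matches the /24 entry
        Packet("203.0.113.7", 80, b"GET / HTTP/1.1"),  # matches the host entry
        Packet("192.0.2.10", 80, b"GET / HTTP/1.1"),   # clean, goes to DPI
        Packet("192.0.2.99", 53, b"\x00" * 600),       # flagged by DPI, learned
        Packet("192.0.2.99", 53, b"\x00" * 600),       # now dropped on the fast path
        Packet("192.0.2.10", 443, b"\x16\x03\x01"),    # clean, goes to DPI
    ]
    stats = filter_packets(traffic, bl, toy_dpi)
    stats["entries"] = len(bl)
    return stats


if __name__ == "__main__":
    print(run_demo())
```

Of the six constructed packets, only three reach DPI: two are dropped by the pre-populated entries, and the second packet from the learned source is dropped without inspection. The prefix-length bucketing keeps lookup cost proportional to the number of distinct prefix lengths rather than the number of entries, which matters once a blacklist holds many addresses.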
Different types of blacklists can be used, including software or hardware implementations at different locations relative to the TMS: software internal to the TMS, a device at the edge of the TMS (e.g., an in-chassis switch), or a device physically remote from the TMS. Each blacklist implementation has associated advantages and disadvantages, and these disadvantages can interfere with efficient mitigation of network attacks.
Such conventional methods and systems have generally been considered satisfactory for their intended purpose. However, there is still a need in the art for efficient use of different types of blacklists that take into account the advantages and disadvantages of each type of blacklist. The present disclosure provides a solution for these problems.