A large number of organizations and enterprises have geographically dispersed operations, and typically have a local area network (LAN) supporting the information processing needs at each of these locations. Traditionally, interconnection of the dispersed LANs has been accomplished using dedicated communication lines leased from a service provider. In addition, Internet access at each site is typically accomplished using another leased line (such as a T1 or T3 line) that connects the site to a local Internet service provider. With the advent of virtual private network (VPN) technology, organizations can now accomplish inter-site network connectivity over the Internet. By obviating the need for dedicated lines between the sites, this solution yields substantial cost savings.
A VPN operates by transporting traffic between the sites through packet tunnels established over the Internet between those sites. Currently, three tunneling protocols account for the majority of commercially available VPN products, namely IP Security (IPSec), Point-to-Point Tunneling Protocol (PPTP), and Layer 2 Tunneling Protocol (L2TP). Of the three, only IPSec itself provides encryption and integrity protection; PPTP relies on PPP-level encryption, and L2TP is normally run over IPSec to obtain the same properties. The tunnels established and maintained by these protocols may be viewed as implementing virtual leased lines between the geographically distributed LANs of an enterprise.
Although cost considerations clearly favor inter-site VPNs over dedicated lines, one major impediment to the widespread adoption of this technology is its vulnerability to network attacks. One attack that poses a serious threat to enterprises operating over the Internet is the Distributed Denial-of-Service (DDoS) attack. A notable form is the access link flooding attack, in which a malicious party directs spurious packet traffic over the access link connecting an edge network of an enterprise to the public Internet in an attempt to sabotage network operation. The attack traffic may be generated simultaneously from many points in the network, by machines that the attacker has "hijacked" or otherwise subverted. When directed at a victim edge network, this flood can inundate the access link connecting the site to its Internet service provider. The traffic need not be addressed to the VPN gateway itself: any destination behind the link will do, because the damage is done on the link, upstream of any equipment the victim controls. By usurping access link bandwidth from the VPN tunnels operating over that link, the attack can cause partial or total denial of the VPN service and disrupt any mission-critical application that relies on it.
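The bandwidth usurpation described above can be made concrete with a small fluid-model simulation. This is an added example, not code from the paper: it assumes a 1.5 Mbit/s T1 access circuit modelled as a drop-tail FIFO with no per-flow isolation, an IPSec tunnel offering 0.9 Mbit/s, and subverted hosts that each send 256 kbit/s of junk toward the victim site. It also goes slightly beyond the text by computing how many such hosts are needed to push the tunnel below a given application's bandwidth requirement.

```python
"""Fluid-model simulation of an access-link flooding attack on a VPN tunnel.

Added example, not from the original paper.  All figures are assumptions:
a 1.5 Mbit/s T1 access link, an IPSec tunnel offering 0.9 Mbit/s, and a
set of subverted hosts that each send 256 kbit/s of junk toward the victim
site.  The link is modelled as a drop-tail FIFO with no per-flow isolation,
which is how a plain ISP access circuit behaves.
"""
import math


def simulate(link_bps, vpn_bps, bots, bot_bps, attack_start_s=3.0,
             duration_s=8.0, tick_s=0.1, queue_bits=512_000):
    """Return a list of (time_s, vpn_goodput_bps) samples.

    Per tick: both flows offer traffic; whatever fits in the remaining
    queue space is admitted in proportion to the offered amounts (packets
    from the two flows interleave, so drop-tail loss is blind to which
    flow a packet belongs to); the link then drains up to its capacity,
    again in proportion to the queue's composition.
    """
    q_vpn = q_atk = 0.0
    trace = []
    steps = int(round(duration_s / tick_s))
    for i in range(steps):
        t = i * tick_s
        arr_vpn = vpn_bps * tick_s
        arr_atk = bots * bot_bps * tick_s if t >= attack_start_s else 0.0
        free = queue_bits - (q_vpn + q_atk)
        offered = arr_vpn + arr_atk
        admit = 1.0 if offered <= free else free / offered
        q_vpn += arr_vpn * admit
        q_atk += arr_atk * admit
        backlog = q_vpn + q_atk
        drain = min(link_bps * tick_s, backlog)
        sent_vpn = drain * (q_vpn / backlog) if backlog else 0.0
        sent_atk = drain - sent_vpn
        q_vpn -= sent_vpn
        q_atk -= sent_atk
        trace.append((round(t, 3), sent_vpn / tick_s))
    return trace


def steady_goodput(link_bps, vpn_bps, attack_bps):
    """Closed form the simulation converges to: while the link is not
    saturated the tunnel gets everything it offers; once it is, it gets
    only its proportional share of the circuit."""
    if vpn_bps + attack_bps <= link_bps:
        return float(vpn_bps)
    return link_bps * vpn_bps / (vpn_bps + attack_bps)


def bots_needed(link_bps, vpn_bps, required_bps, bot_bps):
    """Smallest number of attack hosts that pushes the tunnel's goodput
    strictly below required_bps (e.g. what a VoIP or replication flow
    needs).  Solves link*vpn/(vpn+A) < required for the attack load A."""
    if required_bps > min(vpn_bps, link_bps):
        return 0                      # already unmet without any attack
    attack_needed = link_bps * vpn_bps / required_bps - vpn_bps
    return math.floor(attack_needed / bot_bps) + 1


if __name__ == "__main__":
    trace = simulate(1_500_000, 900_000, bots=20, bot_bps=256_000)
    for t, g in trace[::10]:
        print(f"t={t:4.1f}s  vpn goodput {g / 1e3:7.1f} kbit/s")
    print("bots needed to push a 900 kbit/s tunnel below 100 kbit/s:",
          bots_needed(1_500_000, 900_000, 100_000, 256_000))
```

Twenty hosts at 256 kbit/s cut the tunnel from 900 kbit/s to roughly 224 kbit/s, and about fifty of them reduce it below 100 kbit/s, i.e. a few dozen consumer-grade connections suffice to deny service over a T1. Nothing the victim does on its side of the link changes these numbers, since the sharing happens in the provider's queue ahead of the circuit.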
A number of techniques have recently been proposed to detect and counter access link flooding attacks. These techniques typically rely on mechanisms that must be partially or wholly implemented within the service provider's network infrastructure to identify the source(s) of the attack traffic. Once the sources are identified, manual action is generally required to neutralize the traffic, for instance by installing filters that discard it at the ingress to the service provider network; filtering at the victim's own edge router does not help, since by then the traffic has already crossed the access link. With this semi-automated approach, the interval between the onset of an attack and its neutralization can be expected to be on the order of minutes at best and hours at worst, and it represents a window of vulnerability for any VPN operating over the attacked link. Furthermore, when sending the packet traffic the perpetrator may spoof a network address trusted by the enterprise, for instance that of a peer VPN gateway; an address-based filter then cannot separate the spurious traffic from the legitimate tunnel traffic, and dropping it blindly would itself deny the VPN service.
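The two difficulties in this paragraph, where a filter must sit and what spoofing does to it, can be shown with flow-record triage. This is an added example, not the paper's or any vendor's code. The flow records are constructed: an IPSec ESP tunnel from an assumed trusted peer gateway 203.0.113.10 to the victim gateway 198.51.100.1, some ordinary DNS traffic, and a UDP flood from subverted hosts that forge the peer's address. The `spoofed` flag is ground truth used only for scoring; the filters see header fields alone.

```python
"""Flow-record triage for an access-link flood, and why filtering is hard.

Added example, not from the original paper.  The flow records below are
constructed: one real IPSec (ESP, IP protocol 50) tunnel from the trusted
peer gateway 203.0.113.10 to the victim gateway 198.51.100.1, a little
ordinary DNS traffic, and a UDP flood from subverted hosts that forge the
trusted peer's address as their source.  The 'spoofed' flag is ground
truth for scoring only; a real filter sees just the header fields.
"""
from collections import defaultdict
from dataclasses import dataclass

LINK_BPS = 1_500_000      # assumed T1 access circuit
WINDOW_S = 10             # flow export interval the records cover
PEER = "203.0.113.10"     # trusted remote VPN gateway (assumed)
VICTIM = "198.51.100.1"   # local VPN gateway behind the attacked link
ESP = 50
UDP = 17


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    dport: int
    nbytes: int
    spoofed: bool = False  # ground truth, never consulted by a filter


SAMPLE_FLOWS = [
    Flow(PEER, VICTIM, ESP, 0, 1_100_000),          # the tunnel, ~880 kbit/s
    Flow("192.0.2.7", VICTIM, UDP, 53, 12_000),     # ordinary DNS replies
] + [
    # 40 bots x 500 kB in the window = 16 Mbit/s, all claiming to be PEER
    Flow(PEER, VICTIM, UDP, 1024 + i, 500_000, spoofed=True) for i in range(40)
]


def top_sources(flows, n=3):
    """What a volume-based detector reports: bytes per source address."""
    per_src = defaultdict(int)
    for f in flows:
        per_src[f.src] += f.nbytes
    return sorted(per_src.items(), key=lambda kv: kv[1], reverse=True)[:n]


def deny_peer(f):
    """Naive ACL: drop everything from the top talker."""
    return f.src == PEER


def deny_peer_non_esp(f):
    """Narrower ACL: drop the top talker's traffic unless it is the tunnel
    protocol itself.  Works only while the flood does not imitate ESP."""
    return f.src == PEER and f.proto != ESP


def evaluate_filter(flows, deny, filter_at):
    """Apply the ACL at 'provider' (upstream of the access link) or at
    'customer' (the victim's own edge router) and report what the link
    carried and what was discarded, split by ground truth."""
    if filter_at not in ("provider", "customer"):
        raise ValueError(filter_at)
    on_link = 0
    legit_dropped = attack_dropped = 0
    for f in flows:
        dropped = deny(f)
        # A customer-side filter only acts after the packets have already
        # crossed the access link, so they still count against its bandwidth.
        if not dropped or filter_at == "customer":
            on_link += f.nbytes
        if dropped:
            if f.spoofed:
                attack_dropped += f.nbytes
            else:
                legit_dropped += f.nbytes
    load = on_link * 8 / WINDOW_S
    return {
        "link_load_bps": load,
        "saturated": load > LINK_BPS,
        "legit_dropped_bytes": legit_dropped,
        "attack_dropped_bytes": attack_dropped,
    }


if __name__ == "__main__":
    print("top talkers:", top_sources(SAMPLE_FLOWS))
    for name, acl, where in [("deny peer", deny_peer, "provider"),
                             ("deny peer except ESP", deny_peer_non_esp, "provider"),
                             ("deny peer except ESP", deny_peer_non_esp, "customer")]:
        print(f"{name:22s} @ {where:8s} ->", evaluate_filter(SAMPLE_FLOWS, acl, where))
```

The top-talker report names the trusted peer, because that is the address the flood forged. Denying it outright at the provider clears the link but also drops the entire tunnel; the narrower ACL spares ESP, yet it rests on the attacker not forging ESP as well, and once they do, only the gateway's cryptographic integrity check can tell the packets apart, which happens after the link has already been consumed. The last scenario shows the same ACL at the customer edge leaving the link just as saturated.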