One threat faced by the Internet and other networks is a distributed denial of service (DDOS) attack. In such a scheme, a network device (commonly a server, i.e., a specialized computer used in an Internet-Protocol (IP)-based network) is bombarded with IP packets from many sources, in various forms including email, file transfers and so-called ping/UDP/ICMP floods, so that the network device (ND) is overloaded and rendered useless for normal operations. Typically, the participating sources are themselves victims, because the offending instructions and code were planted ahead of time (e.g., via computer viruses) to be activated simultaneously at some later date to overwhelm the ND. Traditional preventative methods, such as so-called “firewalls,” are not effective against such attacks, because such methods can only be programmed against known threats, and because the filtering they provide cannot prevent IP packets that are individually harmless from causing problems within the network.
Generally, networks attempt to detect the onset of a DDOS attack and identify the servers and sub-networks under attack. Because it is not known ahead of time which ND will be attacked, all traffic going to all NDs needs to be monitored, generally by devices known as network processors (NPs). Consequently, the scalability of such a monitoring process is of paramount concern, because of the potentially large number of servers, hosts, and sub-networks that need to be protected and the high volume of traffic that NPs must examine in real time.
A monitoring process that attempts to monitor and catalog every detail of every IP packet is quickly overwhelmed. Thus, to effectively prevent DDOS attacks, NPs must operate using a minimum number of states or traffic statistics in order to keep storage and computational requirements within a practical range. Accordingly, there is a need for highly efficient techniques for detecting, identifying and preventing DDOS attacks.
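To illustrate the bounded-state monitoring the background above calls for, the following added example (not part of the original text and not the disclosed invention) counts packets per destination with a count-min sketch, whose memory is fixed regardless of how many destinations appear, and records only those destinations whose estimated count crosses a threshold. The packet trace, addresses and threshold are constructed for the example.

```python
import hashlib

# Constructed sample trace: (src, dst) pairs seen in one monitoring window.
# 200 distinct sources hit 10.0.0.9 (the flooded ND); 20 other NDs get one packet each.
SAMPLE_PACKETS = (
    [("192.0.2.%d" % i, "10.0.0.9") for i in range(1, 201)]
    + [("198.51.100.7", "10.0.0.%d" % i) for i in range(1, 21)]
)


class CountMinSketch:
    """Fixed-memory frequency estimator: depth rows of width counters, independent of key count."""

    def __init__(self, width=256, depth=4):
        self.width, self.depth = width, depth
        self.table = [[0] * width for _ in range(depth)]

    def _buckets(self, key):
        # One independently salted hash per row maps the key to a counter column.
        for row in range(self.depth):
            h = hashlib.blake2b(key.encode(), digest_size=8, salt=bytes([row])).digest()
            yield row, int.from_bytes(h, "big") % self.width

    def add(self, key, n=1):
        for row, col in self._buckets(key):
            self.table[row][col] += n

    def estimate(self, key):
        # Collisions can only inflate a counter, so the minimum across rows is the tightest bound.
        return min(self.table[row][col] for row, col in self._buckets(key))


def flag_targets(packets, width=256, depth=4, threshold=100):
    """Return {destination: estimated packet count} for destinations at or above threshold.

    State is bounded: the sketch is fixed-size and the suspects dict only ever holds
    destinations that crossed the threshold, not every destination observed.
    """
    sketch = CountMinSketch(width, depth)
    suspects = {}
    for _, dst in packets:
        sketch.add(dst)
        est = sketch.estimate(dst)
        if est >= threshold:
            suspects[dst] = est  # estimate never undercounts; it may slightly overcount
    return suspects


if __name__ == "__main__":
    print(flag_targets(SAMPLE_PACKETS))
```

Because the sketch never undercounts, a flooded destination is always flagged once it reaches the threshold; the cost is an occasional small overestimate for destinations that share counters with it.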