A Distributed Denial of Service (DDoS) attack can compromise and debilitate the bandwidth and resources not only of the targeted system, but of entire networks. Legacy routers and traditional surveillance and monitoring techniques have major limitations in defending against DDoS attacks on their own—both in terms of the attack detection accuracy and in scaling performance (i.e., to be able to perform detection and potentially mitigate attack traffic while still allowing legitimate users access to the server, at high speeds of the order of tens of gigabits per second).
From the point of view of detecting traffic anomalies, all types of attacks can be broadly grouped into two categories: “high-rate” and “low-rate.” A low-rate attack is typically geared towards TCP applications, wherein bursts of attack traffic are sent over a short period of time to exploit TCP's inherent exponential back-off mechanism. Low-rate attacks often involve short bursts of attack traffic followed by a lull of no traffic, with this pattern repeating over and over. In contrast, high-rate attacks are characterized by a constant flood of activity from multiple connections that involves a sudden surge in the packet, byte, or flow count towards the victim server. A variety of protocols are prone to high-rate attacks (e.g., ICMP ping flood, UDP flood, TCP SYN attack), so a system for detecting and mitigating a high-rate DDoS attack must address a wide range of flood attacks.
Anti-DDoS systems and security appliances (Intrusion Detection/Intrusion Prevention systems) target the detection of specific DDoS attacks and hence require CPU-intensive operations. The tremendous amount of state information needed to detect every type of attack greatly limits system performance and precludes having a scalable solution (i.e., a solution that can scale to the order of tens of gigabits per second). Several reported instances of devices crashing during a DDoS attack in the recent past demonstrate the ease with which security appliances/anti-DDoS systems can be overwhelmed, thereby defeating the purpose of having such a device in the network. The rapid response necessary to detect and mitigate DDoS attacks can degrade data path and CPU performance in the current model of security devices.
Legacy routers and Layer 3 devices that support DDoS attack detection use a range of traffic anomaly algorithms that are primarily based on sampling packets from the data path. Such an approach can be fairly inaccurate (as it is plagued with a high false positive or false negative rate), and it can result in degraded data path or CPU performance, depending on the sampling frequency used. During a high-rate attack, a majority of the flows (e.g., identified using the five-tuple) may have very few (as low as just a couple) packets in them (see related patents under “Cross-references” for more details on “flows”). Typical packet sampling techniques will fail to detect such attacks due to missed samples from the flow, especially if the sampling frequency is too low. Attack detection can be improved by sampling at a higher frequency, but only at the cost of degraded data path (or CPU) performance.
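The following is an added illustration, not code from the patent, of the sampling weakness described above: a flood made of many one-packet flows is compared against a per-flow state table and against a 1-in-N packet sampler. The trace (200 legitimate 50-packet flows plus 20,000 single-packet flows toward a victim), the victim address, the flow threshold and the sampling rate are all constructed values chosen for the example.

```python
"""Added example: why packet sampling misjudges a flood made of tiny flows.

Everything here is constructed for illustration; the addresses, threshold and
sampling rate are not values from the page.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "src dst sport dport proto")

VICTIM = "10.0.0.10"      # constructed victim address
FLOW_THRESHOLD = 1000     # assumed rule: flag dst when distinct flows in the window exceed this
SAMPLE_RATE = 64          # systematic 1-in-N packet sampling


def five_tuple(p):
    """Flow key as used by the page: the five-tuple."""
    return (p.src, p.dst, p.sport, p.dport, p.proto)


def legit_trace(n_flows=200, pkts_per_flow=50):
    """200 normal clients, each holding one long-lived TCP flow of 50 packets,
    emitted round-robin so packets of different flows interleave."""
    flows = [Packet(f"192.0.2.{i % 254 + 1}", VICTIM, 40000 + i, 443, "tcp")
             for i in range(n_flows)]
    return [flows[i % n_flows] for i in range(n_flows * pkts_per_flow)]


def flood_trace(n_flows=20000):
    """Flood traffic as the page describes it: each flow carries a single packet
    (distinct source port per flow, so every five-tuple is unique)."""
    return [Packet(f"198.51.100.{i % 254 + 1}", VICTIM, 1024 + i, 443, "tcp")
            for i in range(n_flows)]


def exact_flow_count(trace, dst=VICTIM):
    """Per-flow state table: every packet updates its flow entry."""
    table = {}
    for p in trace:
        if p.dst == dst:
            key = five_tuple(p)
            table[key] = table.get(key, 0) + 1
    return len(table)


def sampled_flow_count(trace, dst=VICTIM, rate=SAMPLE_RATE):
    """Sampling-based approach: only every rate-th packet is inspected, so a
    one-packet flow is seen with probability 1/rate."""
    seen = set()
    for i, p in enumerate(trace):
        if i % rate == 0 and p.dst == dst:
            seen.add(five_tuple(p))
    return len(seen)


def verdict(flow_count, threshold=FLOW_THRESHOLD):
    return "attack" if flow_count > threshold else "normal"


def compare(trace):
    """Run the three estimators over one window and return (count, verdict) each.
    'sampled_scaled' multiplies the sampled flow count by the sampling rate,
    which silently assumes that every flow contributed exactly one sampled packet."""
    exact = exact_flow_count(trace)
    raw = sampled_flow_count(trace)
    scaled = raw * SAMPLE_RATE
    return {
        "exact": (exact, verdict(exact)),
        "sampled_raw": (raw, verdict(raw)),
        "sampled_scaled": (scaled, verdict(scaled)),
    }


if __name__ == "__main__":
    benign = legit_trace()
    flood = benign + flood_trace()
    print("benign only:", compare(benign))
    print("under flood:", compare(flood))
```

On the benign trace the exact table reports 200 flows (normal), while the sampler sees 25 distinct flows; scaling that by 64 yields 1600 and a false positive. Under the flood the exact table reports 20,200 flows and flags the attack, but the unscaled sampled count is 337, a false negative. Raising the sampling rate narrows both errors, which is exactly the data path cost the text describes.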
Once an attack is successfully detected, standard mitigation tactics are also inadequate in resolving a DDoS attack. Typical mitigation policies involve discarding all packets destined to the victim server without analyzing whether the packets originated from a legitimate user or an attacker. Also, standard approaches do not offer the ability to export real-time data to other apparatuses, nor do they allow an operator to configure a flexible, customized policy.
As such, a new, scalable, and robust DDoS Detection and Mitigation approach with inherent intelligence, which addresses all the shortcomings discussed above, is needed. Such an approach maintains accurate state information to check for anomalous traffic patterns (to detect a variety of high-rate DDoS attacks), can distinguish between an attacker and a legitimate user when an attack is detected, allows an operator to configure a flexible mitigation policy (that may include exporting real-time flow data to other apparatuses for further analysis), and can operate without degrading the overall system performance (forwarding data path or control plane CPU).
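As an added example of the properties just listed (exact flow state, attacker versus legitimate-user distinction, operator-configurable policy with real-time export), here is a small flow-state table written for this page; it is not the patent's implementation. The handshake-based classification rule, the thresholds, the policy table, the export format and the trace are all assumptions made for the example.

```python
"""Added example (not from the page): per-flow state table with a per-source
mitigation policy, instead of dropping everything destined to the victim.

Assumed here, not taken from the page: the flow key is the TCP four-tuple toward
the victim service; a source is treated as legitimate once any of its flows has
completed the TCP handshake, as an attacker once it holds HALF_OPEN_LIMIT flows
that never did, and as unknown otherwise; the policy table and the JSON export
records are illustrative. One window equals the whole trace.
"""
import json
from collections import defaultdict
from dataclasses import dataclass

VICTIM = ("10.0.0.10", 443)   # constructed victim service (ip, port)
NEW_FLOW_THRESHOLD = 100      # assumed: flows per window that signal a flood
HALF_OPEN_LIMIT = 5           # assumed: half-open flows before a source is called an attacker

DEFAULT_POLICY = {            # assumed operator-configurable policy
    "legitimate": "allow",
    "unknown": "rate_limit",
    "attacker": "drop",
    "export": True,           # export attacker flow data to other apparatuses
}


@dataclass
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str                # TCP flags, e.g. "S", "SA", "A", "PA"


@dataclass
class FlowState:
    syn: bool = False
    synack: bool = False
    established: bool = False
    packets: int = 0


class FlowTable:
    """Exact per-flow and per-source state for traffic to the victim."""

    def __init__(self):
        self.flows = {}
        self.flows_by_src = defaultdict(set)

    def observe(self, p):
        if (p.dst, p.dport) == VICTIM:              # client -> server
            key = (p.src, p.sport, p.dst, p.dport)
            st = self.flows.setdefault(key, FlowState())
            st.packets += 1
            if "S" in p.flags and "A" not in p.flags:
                st.syn = True
            elif "A" in p.flags and st.synack:     # third step of the handshake
                st.established = True
            self.flows_by_src[p.src].add(key)
        elif (p.src, p.sport) == VICTIM:            # server -> client
            key = (p.dst, p.dport, p.src, p.sport)
            st = self.flows.get(key)
            if st is not None and p.flags == "SA":
                st.synack = True

    def flood_detected(self):
        return len(self.flows) > NEW_FLOW_THRESHOLD

    def half_open(self, src):
        return sum(1 for k in self.flows_by_src[src]
                   if self.flows[k].syn and not self.flows[k].established)

    def classify(self, src):
        if any(self.flows[k].established for k in self.flows_by_src[src]):
            return "legitimate"
        if self.half_open(src) >= HALF_OPEN_LIMIT:
            return "attacker"
        return "unknown"


def mitigation_plan(table, policy=DEFAULT_POLICY):
    """Per-source actions plus export records; acts only once a flood is detected."""
    if not table.flood_detected():
        return {"flood": False, "actions": {}, "export": []}
    actions, export = {}, []
    for src in table.flows_by_src:
        cls = table.classify(src)
        actions[src] = policy[cls]
        if policy.get("export") and cls == "attacker":
            export.append(json.dumps({"src": src, "half_open_flows": table.half_open(src),
                                      "action": policy[cls]}))
    return {"flood": True, "actions": actions, "export": export}


def constructed_trace():
    """Constructed traffic: 3 clients that complete the handshake, 1 client still
    mid-handshake, and 40 sources that each open 8 flows that never complete."""
    pkts = []
    for i in range(3):
        c, cp = f"192.0.2.{i + 1}", 50000 + i
        pkts += [Pkt(c, cp, *VICTIM, "S"), Pkt(*VICTIM, c, cp, "SA"),
                 Pkt(c, cp, *VICTIM, "A"), Pkt(c, cp, *VICTIM, "PA")]
    pkts.append(Pkt("203.0.113.7", 51000, *VICTIM, "S"))
    for i in range(40):
        a = f"198.51.100.{i + 1}"
        for j in range(8):
            pkts += [Pkt(a, 1024 + j, *VICTIM, "S"), Pkt(*VICTIM, a, 1024 + j, "SA")]
    return pkts


def run(trace):
    table = FlowTable()
    for p in trace:
        table.observe(p)
    return table, mitigation_plan(table)


if __name__ == "__main__":
    table, plan = run(constructed_trace())
    print("flood:", plan["flood"], "flows:", len(table.flows))
    print("sample actions:", {s: plan["actions"][s] for s in list(plan["actions"])[:5]})
    print("first export record:", plan["export"][0])
```

The three handshaking clients are allowed through, the mid-handshake client is only rate-limited, and the forty sources holding half-open flows are dropped and exported; the policy dictionary is what an operator would tune, and the export list is what would be handed to a separate analysis device in real time.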