1. Technical Field
This invention generally relates to protection of internet servers, and more specifically relates to an apparatus and method for detection of a denial of service attack on an internet server.
2. Background Art
Denial of Service (DoS) attacks are a common type of computer crime that disrupt a network server and cause both networking problems and financial damage to the owners of an internet server. The attack is orchestrated by individuals, sometimes called hackers, who want to disrupt the internet servers of a company or organization. The oldest and most common form of DoS attack is the SYN flood. A SYN flood is a network transport layer attack that takes advantage of the protocol used to establish connections over the Transmission Control Protocol (TCP). Communication between a client and a server (or two hosts) is typically done using TCP to make a connection between the client and the server. When a TCP connection is started, the two machines that are involved exchange a series of brief messages called a “handshake”. This handshake consists of the client sending a synchronization (SYN) message, the server sending a combined SYN and acknowledge (SYN-ACK) message, and the client finishing with a final ACK message. On reception of the final ACK message, both sides of the connection are ready to communicate.
In a SYN flood, a client (or many clients in a distributed attack) will send large numbers of SYN messages with spoofed source addresses and ports. Since the source addresses and ports are spoofed, there will never be a final ACK to the server. Responding to the large number of SYN messages uses up networking bandwidth, CPU, and memory on the server making it harder for legitimate users to access the server. Before countermeasures were developed, this could also crash the server by using up all of the system's memory.
A number of algorithms for dealing with a SYN flood have been developed. These include random dropping of incomplete connections when a predefined backlog is full, SYN caching using a global hash table, firewall-based solutions that proxy the server and preserve its resources under an attack, and leaf node router solutions that intercept the attacks at the source. All of these countermeasures help mitigate the problem, but none of them is able to distinguish between a demand spike and a true DoS attack.
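The handshake bookkeeping and the random-drop backlog countermeasure described above, as an added example that is not part of the patent text: a simplified tracker records each SYN as a half-open entry, evicts a random entry when the backlog is full, and counts completed handshakes. Two constructed traces are replayed through it, a burst of legitimate clients that send the final ACK and a stream of spoofed SYNs that never do. The class and function names, the backlog size, the burst sizes and the sample addresses (drawn from documentation ranges) are all assumptions made for this illustration.

```python
"""Simplified TCP handshake tracker with a random-drop SYN backlog (constructed example)."""
from dataclasses import dataclass, field
import random


@dataclass
class HandshakeTracker:
    """Server-side view of the three-way handshake.

    half_open holds clients that received a SYN-ACK but have not yet sent
    the final ACK; its size is capped at backlog_size, as in the
    random-dropping countermeasure.
    """
    backlog_size: int
    half_open: dict = field(default_factory=dict)
    established: int = 0
    dropped: int = 0
    syn_seen: int = 0
    rng: random.Random = field(default_factory=lambda: random.Random(0))

    def on_syn(self, src: str) -> None:
        self.syn_seen += 1
        if src in self.half_open:
            return  # retransmitted SYN from a client already in the backlog
        if len(self.half_open) >= self.backlog_size:
            # Backlog full: drop a random incomplete connection to make room.
            victim = self.rng.choice(list(self.half_open))
            del self.half_open[victim]
            self.dropped += 1
        self.half_open[src] = True  # server has replied with SYN-ACK

    def on_ack(self, src: str) -> None:
        # Only an ACK that matches an outstanding SYN-ACK completes a connection.
        if self.half_open.pop(src, None) is not None:
            self.established += 1

    def completion_ratio(self) -> float:
        """Fraction of SYNs that reached the established state."""
        return self.established / self.syn_seen if self.syn_seen else 0.0


def replay(events, backlog_size: int = 16) -> HandshakeTracker:
    tracker = HandshakeTracker(backlog_size)
    for kind, src in events:
        if kind == "SYN":
            tracker.on_syn(src)
        elif kind == "ACK":
            tracker.on_ack(src)
    return tracker


def demand_spike_trace(n: int = 200, burst: int = 8):
    """Constructed trace: legitimate clients whose SYNs arrive in bursts and
    whose final ACKs arrive one round trip later (after the burst)."""
    events = []
    for start in range(0, n, burst):
        clients = [f"198.51.100.{i % 254}:{40000 + i}" for i in range(start, min(start + burst, n))]
        events += [("SYN", c) for c in clients]
        events += [("ACK", c) for c in clients]
    return events


def syn_flood_trace(n: int = 200):
    """Constructed trace: SYNs from spoofed sources, so no final ACK ever arrives."""
    return [("SYN", f"203.0.113.{i % 254}:{50000 + i}") for i in range(n)]


if __name__ == "__main__":
    for label, trace in (("demand spike", demand_spike_trace()),
                         ("SYN flood", syn_flood_trace())):
        t = replay(trace)
        print(f"{label:12s} syn={t.syn_seen} established={t.established} "
              f"dropped={t.dropped} half_open={len(t.half_open)} "
              f"completion={t.completion_ratio():.2f}")
```

Replaying the flood trace leaves the backlog permanently full and the established count at zero, while the legitimate burst trace completes every handshake as long as each burst fits in the backlog. Raising the burst size above the backlog (for example `demand_spike_trace(burst=50)`) shows the limitation the text describes: the random-drop countermeasure then evicts legitimate half-open entries too, so the server itself sees a full backlog and drops in both cases. The completion ratio is only an illustrative measure for this example, not the method claimed by the patent.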
A demand spike is a sudden increase in legitimate server traffic. Normally servers can expect to have somewhat predictable demand curves. Sometimes, however, connection requests far exceed the planned server capacity and look functionally identical to DoS attacks. A typical reason for a demand spike is a link from a popular news site or blog. In order to take the appropriate action, it is useful for the internet administrators to know whether a sudden increase in server traffic is a DoS attack or just a demand spike.
Without a way to more effectively distinguish a DoS attack from a demand spike, internet administrators will continue to be unable to respond properly to DoS attacks and demand spikes.