Today's Internet infrastructure is extremely vulnerable to motivated and well-equipped attackers. Tools that may be used in network attacks can be easily obtained through publicly released network vulnerability assessment software or through covert exchanges among “hackers.” Well-publicized “hacking” attacks have focused attention on the security weaknesses that exist in many organizations' networks. A series of Denial-of-Service (DoS) attacks was recently orchestrated in a distributed fashion against several high-profile web sites of companies such as Yahoo, eBay and Amazon. These attacks relied on the generation of thousands of IP packets from different sources to effectively deny service to a single victim. An effective DoS attack, however, does not necessarily require the generation of thousands of IP packets. It is well known that a single intruder packet can render a host inoperable for hours. For example, a DoS attack using WinNuke can exploit a bug in the Windows TCP/IP stack that relates to TCP packets with the URGENT or out-of-band (OOB) flag set in the packet header. When a machine receives such a packet, it expects a pointer to the position in the packet where the URGENT data ends. Windows typically crashes when the URGENT pointer points to the end of the frame and no “normal” data follows. WinNuke has thus become the foundation for similar attacks that use a single specially crafted packet to crash remote machines.
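The packet shape described above (URG flag set, urgent pointer landing at or beyond the end of the segment so that no “normal” data follows) is something a monitoring point can recognize directly from the TCP header. The following Python is an added detection example; it is not part of this document and has no relation to the traceback method it goes on to describe. It parses the fixed 20-byte TCP header with the standard library, applies the “dangling urgent pointer” rule, and runs it over a small constructed capture. The `build_segment` helper, the port numbers and the sample payloads are all assumptions made up for the example; the checksum is left zero because the bytes only feed the parser and are never sent.

```python
import struct

# Flag bits in the low 9 bits of the TCP data-offset/flags word (RFC 793 / RFC 3168).
TCP_FLAG_FIN = 0x001
TCP_FLAG_SYN = 0x002
TCP_FLAG_ACK = 0x010
TCP_FLAG_URG = 0x020

TCP_HEADER_LEN = 20


def parse_tcp_segment(segment: bytes) -> dict:
    """Parse the fixed 20-byte TCP header (options are skipped over) and return the
    fields relevant to URG handling together with the payload that follows the header."""
    if len(segment) < TCP_HEADER_LEN:
        raise ValueError("segment shorter than the minimal TCP header")
    (src_port, dst_port, _seq, _ack, off_flags,
     _window, _checksum, urg_ptr) = struct.unpack("!HHIIHHHH", segment[:TCP_HEADER_LEN])
    data_offset = (off_flags >> 12) * 4      # header length in bytes, options included
    flags = off_flags & 0x01FF
    if data_offset < TCP_HEADER_LEN or data_offset > len(segment):
        raise ValueError("data offset points outside the segment")
    return {
        "src_port": src_port,
        "dst_port": dst_port,
        "flags": flags,
        "urgent_pointer": urg_ptr,
        "payload": segment[data_offset:],
    }


def is_dangling_urgent(fields: dict) -> bool:
    """True when URG is set but the urgent pointer leaves no 'normal' data after the
    urgent data, i.e. it lands at or beyond the end of the segment. That is the
    condition the text describes for the WinNuke-style OOB crash."""
    if not fields["flags"] & TCP_FLAG_URG:
        return False
    # Within a single segment, payload[urgent_pointer:] is the 'normal' data that
    # should follow the urgent data. An empty slice means nothing follows.
    return fields["urgent_pointer"] >= len(fields["payload"])


def flag_segments(segments) -> list:
    """Return the indices of the segments in a capture that match the rule."""
    return [i for i, seg in enumerate(segments)
            if is_dangling_urgent(parse_tcp_segment(seg))]


def build_segment(flags: int, urgent_pointer: int, payload: bytes,
                  src_port: int = 40000, dst_port: int = 8080) -> bytes:
    """Assumed helper: construct a TCP segment with a plain 20-byte header as
    offline test input for the parser. Checksum is zero; nothing is transmitted."""
    off_flags = (5 << 12) | (flags & 0x01FF)     # data offset 5 words = 20 bytes
    header = struct.pack("!HHIIHHHH", src_port, dst_port, 1, 1,
                         off_flags, 65535, 0, urgent_pointer)
    return header + payload


# Constructed sample capture (not real traffic).
SAMPLE_SEGMENTS = [
    build_segment(TCP_FLAG_ACK, 0, b"GET / HTTP/1.0\r\n\r\n"),    # ordinary data, no URG
    build_segment(TCP_FLAG_ACK | TCP_FLAG_URG, 2, b"ABCDEF"),     # 2 urgent bytes, 4 normal bytes follow
    build_segment(TCP_FLAG_ACK | TCP_FLAG_URG, 3, b"XYZ"),        # pointer at end, nothing follows
    build_segment(TCP_FLAG_ACK | TCP_FLAG_URG, 50, b"hi"),        # pointer beyond the segment
]

if __name__ == "__main__":
    for i in flag_segments(SAMPLE_SEGMENTS):
        f = parse_tcp_segment(SAMPLE_SEGMENTS[i])
        print(f"segment {i}: URG set, urgent pointer {f['urgent_pointer']} "
              f"with only {len(f['payload'])} payload byte(s) after the header")
```

Run as a script it reports segments 2 and 3. The rule is deliberately narrow: a legitimate segment with URG set and normal data after the urgent data (segment 1) is not flagged, which keeps the false-positive rate low on the rare protocols that still use the urgent mechanism.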
Accurate and reliable identification of attackers has been, up to this point, nearly impossible because the network routing structure is stateless and based largely on destination addresses. Thus, no records are kept in the routers, and the source address is generally not trustworthy, since an attacker can generate IP packets masquerading as originating from almost anywhere. Furthermore, if an attacker is able to infiltrate some other facility first, the attack can be launched from that site, making it harder for the target to identify the original source. In general, attacks can currently be waged from the safety of complete anonymity.
Therefore, there exists a need for systems and methods capable of tracing back packets to their ingress point in a network, regardless of their claimed point of origin.