1. Technical Field
The present application relates generally to mitigation of distributed denial-of-service attacks.
2. Description of the Related Art
Denial-of-service (DOS) attacks are a growing concern for website and web service providers. In a DOS attack, one or more attackers attempt to render a network resource effectively unavailable to legitimate users, typically by “flooding” the resource with communications requests. The flood of requests may exploit bugs or insecurities in the targeted computer resource, or else may simply overwhelm the targeted computer resource through the sheer volume of requests. For example, a DOS attack may be designed to consume the target network resource's available network bandwidth, server memory, processor time, hard drive or database space, request queues, database connections, or other resources. A DOS attack may not result in actual failure of the targeted network resource; however, the target may consequently fail to provide access to legitimate clients and requestors because it lacks the resources to service legitimate requests.
Some DOS attacks originate from a single attacking device that repeatedly issues requests to the targeted resource, optionally exploiting bugs or insecure features at the target. Other attacks (termed distributed DOS attacks) originate from a number of attacking devices, which may participate with or without their respective users' consent. Attacks are frequently implemented at the application level of the TCP/IP stack, since the targeted computer resource's services are typically exposed at this level. For example, a DOS attack may use HTTP request messages and/or web service application programming interfaces (APIs) as entry points.
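The two flood patterns just described (a single device issuing many requests, versus many devices each issuing a few) leave different traces in an application-level request log. The following is an added example, not part of the application, showing how a defender can distinguish them with a sliding-window counter: a per-source count catches the single-source case, while an aggregate count that rises without any single source exceeding its limit indicates a distributed flood. The log records, window length and thresholds are constructed for illustration and are assumptions, not values from the application.

```python
from collections import defaultdict, deque


def detect_floods(events, window=10.0, per_source_max=20, aggregate_max=100):
    """Scan application-level request events in time order.

    events: iterable of (timestamp_seconds, client_ip, request_path),
            sorted by timestamp.
    Returns {"single_source": set of IPs that exceeded per_source_max
             requests within `window` seconds,
             "distributed": True if the aggregate request count exceeded
             aggregate_max within `window` seconds while no single source
             exceeded per_source_max}.
    Thresholds are illustrative assumptions, not values from the application.
    """
    per_ip = defaultdict(deque)   # sliding window of timestamps per client
    total = deque()               # sliding window of timestamps, all clients
    flagged = set()
    distributed = False

    for ts, ip, _path in events:
        q = per_ip[ip]
        q.append(ts)
        total.append(ts)
        # Drop timestamps that have fallen out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        while total and ts - total[0] > window:
            total.popleft()

        if len(q) > per_source_max:
            flagged.add(ip)            # one device repeatedly issuing requests

        busiest = max(len(d) for d in per_ip.values())
        if len(total) > aggregate_max and busiest <= per_source_max:
            distributed = True         # volume comes from many low-rate sources

    return {"single_source": flagged, "distributed": distributed}


def single_source_scenario():
    """Constructed log: ten legitimate clients plus one device sending
    50 requests in five seconds."""
    events = []
    for i in range(10):
        events.append((i * 1.0, f"192.0.2.{i + 1}", "/index.html"))
    for k in range(50):
        events.append((2.0 + k * 0.1, "10.0.0.5", "/search?q=x"))
    return sorted(events)


def distributed_scenario():
    """Constructed log: 200 distinct clients, one request each, within
    four seconds; no single client is noisy."""
    return sorted(
        (i * 0.02, f"203.0.113.{i}", "/api/v1/items") for i in range(200)
    )


if __name__ == "__main__":
    print("single-source log:", detect_floods(single_source_scenario()))
    print("distributed log:  ", detect_floods(distributed_scenario()))
```

The per-source check alone would miss the second scenario entirely, which is why a volumetric aggregate check is kept alongside it; in practice the thresholds would be tuned to the resource's normal request rate rather than fixed as here.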