The Internet, also commonly referred to as the “web,” is a global system of interconnected networks that operate according to the Internet Protocol suite, allowing access to an extensive range of information that can be retrieved and accessed using the hypertext transfer protocol (HTTP). The Internet operates in a client-server format that distributes computing tasks and responsibilities between the service or resource providers, commonly referred to as “web servers,” and service requesters, called clients. Typically, web servers are configured to accept requests from all clients, and the HTTP request generally provides little information about the requesting client that would enable the web servers to determine the nature of the client's intentions in making the request. While this open communication model serves to facilitate the transfer of knowledge and information, it may also leave web servers vulnerable to “cyber attacks,” such as denial-of-service (DoS) attacks and distributed denial-of-service (DDoS) attacks.
In a DoS attack, a single client may attempt to overwhelm a server by sending a large number of requests to the server in rapid succession. As a result, an attacked web server may be slow or unable to respond to legitimate requests due to the burdens imposed on the server when servicing a flood of requests from a single malicious client.
The DDoS attack is a variation of the DoS attack. In a DDoS attack, rather than having a single client make all of the nuisance requests to the server, the attacker utilizes a network of different clients to simultaneously issue requests to the server. Such a network of requesting clients may be at the attacker's disposal, for example, by virtue of an in-place “botnet” in which hundreds or thousands of normal users' computers are infected by malware. This malware may be programmed to respond to commands issued by a central machine or authority, colloquially known as a “bot master.” Bot masters make use of such a collection of infected machines in order to implement a DDoS attack on a server or enterprise.
In a DDoS attack, because the flood of requests may be spread over a large number of disparate clients, each with a different IP address, it may be difficult to detect which requests originate from legitimate clients and which requests originate from malicious clients, such as compromised machines in a botnet. Thus, a server may not be able to determine which requests it should ignore and which requests it should service, because all requests may appear substantially identical over the larger pool of IP addresses. While DDoS attacks may be mitigated, conventional mitigation techniques suffer from a number of drawbacks.
There is therefore a need for methods and systems for overcoming these and other problems presented by the prior art.