The development of the EDVAC computer system of 1948 is often cited as the beginning of the computer era. Since that time, computer systems have evolved into extremely sophisticated devices, and computer systems may be found in many different settings. Computer systems typically include a combination of hardware components (such as semiconductors, integrated circuits, programmable logic devices, programmable gate arrays, power supplies, electronic card assemblies, sheet metal, cables, and connectors) and software, also known as computer programs.
Years ago, computers were isolated devices that did not communicate with each other. Today, computers are commonly connected in networks such as the Internet, and a user at one computer, often called a client, may wish to access information on other computers, often called servers, over the network. Although this connectivity is of great benefit to authorized users, it also gives unauthorized persons (often called intruders, attackers, or hackers) an opportunity to access, break into, or misuse computers that may be thousands of miles away. Such misuse takes a wide variety of forms; the form of concern herein is the denial-of-service (DoS) attack.
In a denial-of-service attack, an intruder attempts to prevent legitimate users or organizations from accessing information, resources, or services that they would normally expect to have. Typically the loss of service is the unavailability of a particular network service, such as e-mail, or the temporary loss of all network connectivity and services. In the worst cases, a Web site accessed by millions of people can be forced to cease operation for a time. Some denial-of-service attacks also corrupt programs and files on the target system, cause slowdowns or crashes, or disrupt access to important online accounts, e.g., a bank account. Although usually intentional and malicious, a denial of service can also happen accidentally, for example through a misconfiguration or a surge of legitimate traffic, with the same disruptive effect. Denial-of-service attacks do not necessarily result in the theft of information or other security loss; nevertheless, they may cost the target user or organization a great deal of time and money.
Although denial-of-service attacks take many forms, one of the most common and obvious occurs when an attacker "floods" or overloads a network or server with traffic. (This is sometimes loosely called a "broadcast storm," although strictly that term refers to a flood of broadcast frames on a local network segment; the effect on the target is similar.) To understand this type of attack, consider what happens when a user types a URL (Uniform Resource Locator) for a particular web site into a browser. The browser sends a request to that site's server to view the identified page. The server can only process a certain number of requests at once, bounded by its connection table, processor and memory, so if an attacker overloads the server with requests, the server cannot process requests from legitimate users.
Another type of denial-of-service attack occurs when an attacker uses spam email messages to launch an attack on a target user's email account. Whether users have an email account supplied by their employers or one available through a free service such as Yahoo or Hotmail, each user is assigned a specific quota, which limits the amount of data the user is allowed to have in the account at any given time. By sending many, or large, email messages to the account, an attacker can consume the user's quota, preventing the receipt of legitimate messages.
Another type of denial-of-service attack is often referred to as a “buffer overflow attack,” in which an attacker sends more data in a message or field than the fixed-size buffer the receiving program set aside for it can hold, so that the excess overwrites adjacent memory and the program crashes or misbehaves. The attacker may know that the target system has a specific weakness that can be exploited, or may simply try a variety of attacks until one is found that works. A few of the better-known attacks based on the buffer characteristics of a program or system include: sending e-mail messages that have attachments with long file names, sending oversized Internet Control Message Protocol (ICMP) packets whose reassembled size exceeds the 65,535-byte maximum of an IP datagram (also known as the Packet Internet or Inter-Network Groper (ping) of death), or sending email with a long “From” address.
Another type of denial-of-service attack is often referred to as a “SYN attack” or SYN flood. When a session is initiated between a Transmission Control Protocol (TCP) client and server, the server keeps only a small table (the listen backlog) to track the usually rapid three-way “handshake” that sets up the session. The client's first packet carries the SYN flag and an initial sequence number; the server replies with a SYN-ACK and holds a half-open entry for the connection until the client's final ACK arrives. An attacker can send a large number of connection requests very rapidly, often from spoofed source addresses, and then never respond to the replies. Each unanswered request occupies a backlog entry, reducing the space the server can use to accommodate other, legitimate connection requests. Although the server drops a half-open entry after a certain period of time without a reply, the effect of many of these false connection requests is to slow or block the establishment of legitimate sessions.
Another type of denial-of-service attack is often referred to as a “teardrop attack,” which exploits the way that the Internet Protocol (IP) requires a packet to be divided into fragments when the packet is too large for the next link to carry. Each fragment carries an offset from the beginning of the original datagram that enables the receiving system to reassemble the whole. In the teardrop attack, the attacker crafts a second or later fragment whose offset lies inside the data already covered by an earlier fragment. If the receiving operating system's reassembly code does not handle overlapping fragments, it can compute an invalid or negative copy length and crash the system.
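The half-open table behaviour described above, as an added example (not code from the original text): a small model of a TCP listen backlog in which every SYN reserves a slot until the client's ACK arrives or a timeout expires. The backlog size, timeout and the addresses in the constructed traffic are assumed values for illustration.

```python
"""Model of a TCP listen backlog under a SYN flood (illustrative, not a real stack)."""
from dataclasses import dataclass, field


@dataclass
class ListenSocket:
    backlog: int = 8            # assumed: maximum number of half-open entries
    syn_timeout: float = 3.0    # assumed: seconds before an unanswered SYN-ACK is discarded
    half_open: dict = field(default_factory=dict)   # (src_ip, src_port) -> expiry time
    established: int = 0
    rejected: int = 0

    def expire(self, now):
        """Drop half-open entries whose SYN-ACK has gone unanswered past the timeout."""
        for key in [k for k, exp in self.half_open.items() if exp <= now]:
            del self.half_open[key]

    def on_syn(self, src, now):
        """First handshake packet: reserve a backlog slot, or drop the SYN if full."""
        self.expire(now)
        if len(self.half_open) >= self.backlog:
            self.rejected += 1
            return False        # silently dropped: the client never sees a SYN-ACK
        self.half_open[src] = now + self.syn_timeout
        return True

    def on_ack(self, src, now):
        """Third handshake packet: promote the half-open entry to established."""
        self.expire(now)
        if src in self.half_open:
            del self.half_open[src]
            self.established += 1
            return True
        return False


def simulate():
    """Constructed scenario: 8 spoofed SYNs fill the backlog, a real client is refused,
    then succeeds once the attacker's entries time out."""
    sock = ListenSocket()
    for port in range(8):                                   # attacker, never ACKs
        sock.on_syn(("203.0.113.7", 40000 + port), now=0.0)
    accepted_during = sock.on_syn(("198.51.100.5", 5000), now=1.0)   # backlog full
    accepted_after = sock.on_syn(("198.51.100.5", 5000), now=4.0)    # entries expired
    sock.on_ack(("198.51.100.5", 5000), now=4.1)
    return {
        "accepted_during_flood": accepted_during,
        "accepted_after_timeout": accepted_after,
        "established": sock.established,
        "rejected": sock.rejected,
    }
```

The arithmetic the model makes visible is that the attacker only needs to sustain a SYN rate of roughly backlog divided by timeout (here 8 entries per 3 seconds) to keep the table permanently full, which is why the defence has to shorten the per-entry cost (SYN cookies, larger backlogs, early dropping of spoofed sources) rather than merely wait for timeouts.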
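Both the ping of death mentioned in the buffer-overflow paragraph and the teardrop attack above are caught by the same kind of check on fragment arithmetic. The following added example (not code from the original text) validates one datagram's fragments for an oversized reassembled length, a non-final fragment whose length is not a multiple of 8, and an offset that overlaps an earlier fragment. The fragment records and sample sets are constructed here for illustration.

```python
"""Fragment sanity checks for the ping-of-death and teardrop cases (added example)."""
from collections import namedtuple

# offset_units is the IP fragment offset field as carried on the wire (8-byte units)
Fragment = namedtuple("Fragment", "ident offset_units length mf")

IP_MAX_DATAGRAM = 65535     # maximum IP total length (16-bit field)


def check_fragments(frags):
    """Return a list of (ident, reason) problems found among the given fragments.

    Fragments sharing an identification value are sorted by offset, then each
    is checked for: reassembled size above 65535 bytes (ping of death), a
    non-final fragment length that is not a multiple of 8 (malformed), and a
    start offset inside the previous fragment (teardrop-style overlap).
    """
    problems = []
    by_ident = {}
    for f in frags:
        by_ident.setdefault(f.ident, []).append(f)
    for ident, group in by_ident.items():
        group.sort(key=lambda f: f.offset_units)
        prev_end = 0
        for f in group:
            start = f.offset_units * 8
            end = start + f.length
            if end > IP_MAX_DATAGRAM:
                problems.append((ident, "oversized: reassembles to %d bytes" % end))
            if f.mf and f.length % 8 != 0:
                problems.append((ident, "non-final fragment length %d not a multiple of 8" % f.length))
            if start < prev_end:
                problems.append((ident, "overlap: offset %d inside previous fragment ending at %d"
                                 % (start, prev_end)))
            prev_end = max(prev_end, end)
    return problems


# Constructed sample fragment sets (not captured traffic).
SAMPLE_NORMAL = [              # three well-formed fragments of one 3060-byte datagram
    Fragment(1, 0, 1480, True),
    Fragment(1, 185, 1480, True),
    Fragment(1, 370, 100, False),
]
SAMPLE_PING_OF_DEATH = [       # final fragment placed so the total exceeds 65535 bytes
    Fragment(2, 8189, 100, False),
]
SAMPLE_TEARDROP = [            # second fragment lies entirely inside the first
    Fragment(3, 0, 32, True),
    Fragment(3, 3, 4, False),
]
```

A real reassembler would apply these checks as fragments arrive rather than on a complete set; the point is that the offset and length fields are attacker-controlled and must be bounds-checked before any copy is sized from them.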
In another type of denial-of-service attack, the attacker sends TCP (Transmission Control Protocol) packets with invalid flags in the header. The target server's TCP software will detect the error and discard the packet, but the act of interrogating the packet and determining that it is invalid still consumes valuable resources and processing bandwidth, especially when the server is inundated with many invalid packets.
Another type of denial-of-service attack is often referred to as a “smurf attack.” The attacker sends an IP ping (ICMP echo, or “echo my message back to me”) request to the directed-broadcast address of an intermediary network, so that every host on that network receives it. The packet's source address is forged to be the address of the real target, the site that is to receive the denial of service. (Sending a packet with someone else's return address in it is called spoofing the source address.) The result is that every host on the intermediary network sends a ping reply to the innocent, spoofed host, amplifying the attacker's traffic by the number of responding hosts. If the flood is great enough, the spoofed host can no longer receive or distinguish real traffic.
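The invalid-flag and smurf paragraphs above both describe conditions that a filter can decide from a single packet's header, without connection state. The following added example (not code from the original text) implements both checks. Which TCP flag combinations to reject and which subnet counts as local are assumptions made here for illustration, not a standard; the addresses are constructed.

```python
"""Stateless header checks: invalid TCP flag combinations and smurf-style
ICMP echo requests to a directed-broadcast address (added example)."""
import ipaddress

# TCP flag bits in the order they appear in the header's flags byte
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ICMP_ECHO_REQUEST = 8


def tcp_flags_problem(flags):
    """Return a reason string if the flags byte is invalid, else None.

    Assumed policy: only an initial SYN or a bare RST may omit ACK; SYN may not
    be combined with FIN or RST; a segment with no flags is never valid.
    """
    if (flags & 0x3F) == 0:
        return "null segment (no flags set)"
    if (flags & SYN) and (flags & FIN):
        return "SYN and FIN set together"
    if (flags & SYN) and (flags & RST):
        return "SYN and RST set together"
    if (flags & (FIN | PSH | URG)) == (FIN | PSH | URG) and not (flags & ACK):
        return "FIN/PSH/URG without ACK (xmas)"
    if not (flags & ACK) and flags not in (SYN, RST):
        return "segment without ACK that is not a SYN or RST"
    return None


def smurf_problem(icmp_type, src, dst, local_net):
    """Flag an ICMP echo request addressed to the local subnet's broadcast address
    from a source outside that subnet, the amplifier-side view of a smurf attack."""
    net = ipaddress.ip_network(local_net)
    if icmp_type != ICMP_ECHO_REQUEST:
        return None
    if ipaddress.ip_address(dst) != net.broadcast_address:
        return None
    if ipaddress.ip_address(src) in net:
        return None
    return "echo request to directed broadcast %s from outside source %s" % (dst, src)
```

The smurf check is written from the amplifier network's point of view (the network whose hosts would generate the replies); the spoofed source in such a packet is the victim, so dropping it at the border protects a third party, not the local site.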
Computer viruses, Trojan horses, worms, or other potentially destructive code, which replicate across a network in various ways, can also be viewed as denial-of-service attacks where the victim is not usually specifically targeted but simply a host unlucky enough to get the virus. Depending on the particular virus, the denial-of-service can range from hardly noticeable all the way through completely disastrous.
Denial-of-service attacks may also be distributed, in which an attacker may use the computer of an unsuspecting user to attack another computer. By taking advantage of security vulnerabilities or weaknesses, an attacker could take control of the computers belonging to multiple unsuspecting users. The attacker then forces these computers to send large amounts of data to a web site or to send spam to particular email addresses. The attack is “distributed” because the attacker is using multiple computers to launch the denial-of-service attack.
One way that computers defend against these denial-of-service attacks is through a device commonly called a firewall. The firewall takes its name from the physical building structure that stops the spread of fire from one location to another. Analogously, a firewall in computer terms is hardware and/or software that stops an attack from entering the computer. The firewall typically examines incoming packets of data from a network and filters the malicious packets.
Current firewalls use a reactive approach where the same process handles detecting of malicious packets, filtering of the malicious packets, and routing of innocent packets. Further, the reaction of filtering and routing occurs immediately following the detection. The problem with simple reactive firewalls is that the time they take to recognize an attack by analyzing the incoming stream is taken directly from the time needed to execute existing firewall rules. Thus, the more complex the detection process, the longer the firewall takes to perform the normal operations of routing innocent network packets to their destination within the target server.
Some current firewalls have the additional problem that they raise false attack alarms because their detection mechanism is incomplete or inaccurate, and the cause of many false alarms is insufficient packet analysis. Further, in existing firewalls the detection process is often too tightly coupled with network stack processing and packet filtering. For example, if the detection process runs at the same execution priority as the filtering process, the resources (e.g., CPU, memory) that detection may consume are limited by the need to keep filtering responsive, which in turn limits how thorough the detection can be. One technique for addressing the cost of attack detection and analysis is to implement it in dedicated hardware. Unfortunately, hardware-based solutions are usually costly to manufacture.
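The coupling criticised in the two paragraphs above can be made concrete. The following added example (not the page's own design) separates the two roles: the fast path only consults an already installed rule table and copies a small summary of each packet into a bounded sample buffer, while the detector works on that buffer on its own schedule and installs rules, so its cost never sits on the forwarding path. The threshold, window, buffer size and the constructed traffic are assumed values for illustration.

```python
"""Detection decoupled from filtering (added example, illustrative only)."""
import collections
import time


class Pipeline:
    def __init__(self, threshold=50, window=1.0, sample_size=4096):
        self.blocked = set()                                  # rule table: sources to drop
        self.samples = collections.deque(maxlen=sample_size)  # (src, timestamp) summaries
        self.threshold = threshold   # assumed: packets per window per source before blocking
        self.window = window         # assumed: seconds of samples the detector considers
        self.forwarded = 0
        self.dropped = 0

    def handle(self, src, now=None):
        """Fast path: apply existing rules, record a sample, return the verdict.
        Cost is a set lookup and a deque append regardless of detector complexity."""
        now = time.monotonic() if now is None else now
        if src in self.blocked:
            self.dropped += 1
            return "drop"
        self.samples.append((src, now))
        self.forwarded += 1
        return "forward"

    def analyze(self, now=None):
        """Slow path, run separately (e.g. a lower-priority thread): count per-source
        rate over the window and install rules for sources above the threshold."""
        now = time.monotonic() if now is None else now
        counts = collections.Counter()
        while self.samples:
            src, ts = self.samples.popleft()
            if now - ts <= self.window:
                counts[src] += 1
        new_rules = {src for src, n in counts.items() if n > self.threshold}
        self.blocked |= new_rules
        return new_rules


def demo():
    """Constructed traffic: a flooding source interleaved with a legitimate one."""
    p = Pipeline(threshold=50, window=1.0)
    for i in range(200):
        p.handle("203.0.113.7", now=0.001 * i)          # flood: 200 packets in 0.2 s
        if i % 20 == 0:
            p.handle("198.51.100.5", now=0.001 * i)     # legitimate: 10 packets
    before = (p.forwarded, p.dropped)
    rules = p.analyze(now=0.3)                           # detector runs later, off the fast path
    for i in range(10):
        p.handle("203.0.113.7", now=0.4 + 0.001 * i)    # now dropped by the installed rule
    p.handle("198.51.100.5", now=0.5)                    # still forwarded
    return {"rules": rules, "before": before, "after": (p.forwarded, p.dropped)}
```

The trade-off the model exposes is that packets arriving before the detector has run are forwarded (the first 200 flood packets above); decoupling buys bounded forwarding latency and room for expensive analysis at the price of a detection lag, which is why the sample buffer is bounded and the detector's schedule must be short enough for the attacks of interest. In CPython, `deque.append` and `deque.popleft` are safe to call from two threads, so the same structure works with `analyze` in a background thread.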
Without a better way to detect and respond to denial-of-service attacks, users will continue to suffer from either reduced attack detection effectiveness or degraded throughput and false alarms.