A Distributed Denial of Service (DDoS) attack occurs when a target device, such as a network server or website, can no longer service legitimate requests because it is overwhelmed with malicious requests initiated from one or more attacking devices.
As shown in FIG. 1, a possible DDoS attack infrastructure 100 may include an attacker 105 in communication with a plurality of vulnerable servers 110, 115, 120, 125 and a target device 130 in communication with the plurality of vulnerable servers 110, 115, 120, 125. A DDoS attack on the target device 130 may be initiated by the attacker 105 through the vulnerable servers 110, 115, 120, 125 in an attempt to render the target device 130 unavailable to an intended user, such as preventing access by a user to a web site or a network server.
Two broad classes of DDoS attacks are known: volumetric DDoS attacks and application layer DDoS attacks. Volumetric DDoS attacks are focused on filling up the network bandwidth of the target device 130. In a volumetric DDoS attack, the attacker 105 spoofs its source address, thereby hiding the identity of the attacker 105, and instead uses the source addresses of multiple vulnerable servers 110, 115, 120, 125 to send data packets to the target device 130. The attacker 105 may initiate a volumetric DDoS attack by sending multiple Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) packets to the vulnerable servers 110, 115, 120, 125. The vulnerable servers 110, 115, 120, 125 respond by replying to the target device 130, thereby quickly overwhelming the target device 130. In an application layer DDoS attack, the attacker 105 may send a rapid succession of connection requests from spoofed source addresses of the vulnerable servers 110, 115, 120, 125 requesting to open a connection with the target device 130. The target device 130 then sends a request acknowledgement to each of the vulnerable servers 110, 115, 120, 125; however, because the vulnerable servers 110, 115, 120, 125 did not initiate the connection request, they never reply with an acknowledgement. As the pending acknowledgements from the vulnerable servers 110, 115, 120, 125 accumulate, the target device 130 eventually is no longer able to accept any new connections from legitimate sources.
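The two symptoms described above, replies arriving at the target that it never requested and handshakes that stall after the target's acknowledgement, can both be recognised from traffic seen at the target's border. The following is an added illustration, not part of the original disclosure; the packet summaries, the addresses and the threshold are constructed for the example.

```python
from collections import defaultdict

# Constructed packet summaries as seen at the target's border, in arrival order:
# (src, dst, proto, kind). "kind" is SYN / SYNACK / ACK for the TCP handshake
# steps and REQ / RESP for UDP request-reply traffic. Addresses are documentation
# ranges chosen for the example.
TARGET = "198.51.100.10"
SAMPLE = [
    # a legitimate client completes the three-way handshake
    ("203.0.113.5", TARGET, "tcp", "SYN"),
    (TARGET, "203.0.113.5", "tcp", "SYNACK"),
    ("203.0.113.5", TARGET, "tcp", "ACK"),
    # spoofed SYNs: the target answers, but the final ACK never arrives
    ("192.0.2.11", TARGET, "tcp", "SYN"), (TARGET, "192.0.2.11", "tcp", "SYNACK"),
    ("192.0.2.12", TARGET, "tcp", "SYN"), (TARGET, "192.0.2.12", "tcp", "SYNACK"),
    ("192.0.2.13", TARGET, "tcp", "SYN"), (TARGET, "192.0.2.13", "tcp", "SYNACK"),
    # legitimate UDP exchange: the target asked and the server replied
    (TARGET, "192.0.2.53", "udp", "REQ"), ("192.0.2.53", TARGET, "udp", "RESP"),
    # reflected replies that the target never requested
    ("192.0.2.21", TARGET, "udp", "RESP"),
    ("192.0.2.22", TARGET, "udp", "RESP"),
    ("192.0.2.22", TARGET, "udp", "RESP"),
]


def half_open_connections(packets, target):
    """Peers whose SYN was answered with SYN-ACK but never completed with an ACK."""
    state = {}
    for src, dst, proto, kind in packets:
        if proto != "tcp":
            continue
        if dst == target and kind == "SYN":
            state[src] = "syn"
        elif src == target and kind == "SYNACK" and state.get(dst) == "syn":
            state[dst] = "half-open"
        elif dst == target and kind == "ACK" and state.get(src) == "half-open":
            state[src] = "established"
    return sorted(peer for peer, s in state.items() if s == "half-open")


def unsolicited_responses(packets, target):
    """Count UDP replies per source for which the target sent no matching request."""
    asked = set()
    counts = defaultdict(int)
    for src, dst, proto, kind in packets:
        if proto != "udp":
            continue
        if src == target and kind == "REQ":
            asked.add(dst)
        elif dst == target and kind == "RESP" and src not in asked:
            counts[src] += 1
    return dict(counts)


def syn_flood_suspected(packets, target, threshold=3):
    """Flag the target when its half-open handshakes reach a constructed threshold."""
    return len(half_open_connections(packets, target)) >= threshold
```

On the sample, the three spoofed peers stay half-open while the legitimate client does not, and the two reflectors are reported with no matching outbound request.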
Systems and methods are known for mitigating DDoS attacks by identifying attackers based upon the spoofed source address in the data packets received at the target device 130 and either blocking or rate limiting the data packets based upon the source address. However, the data packets may include such a wide variety of source addresses spoofed by the attacker 105 that it is generally impossible to block just the malicious data traffic, which is indistinguishable from the legitimate data traffic.
Accordingly, what is needed in the art is an improved system and method for mitigating Distributed Denial of Service (DDoS) attacks.