This invention relates in general to computer systems and networks. More specifically, the present invention relates to a network interface controller (NIC) that receives communication packets from a computer network.
The interface between a computer and a network is often a bottleneck for communications passing between the computer and the network. While computer performance (e.g., processor speed) has increased exponentially over the years and computer network transmission speeds have undergone similar increases, inefficiencies in the way network interface circuits handle communications have become more evident. These inefficiencies involve several basic problems in the way communications between a network and a computer are handled.
Today's most popular forms of networks tend to be packet-based. These types of networks, including the Internet and many local area networks, transmit information in the form of packets. Each packet is typically separately created and transmitted by an originating end station and is separately received and processed by a destination end station. In addition, each packet may be received and processed by numerous stations located between the originating and destination end stations.
One problem concerning the interaction between present NICs and host computer systems is that the rate at which packets are transferred from a network interface circuit to a host computer or other communication device may fail to keep pace with the rate of packet arrival at the network interface. One element or another of the host computer (e.g., a memory bus or processor) may be over-burdened or otherwise unable to accept packets with sufficient speed. In this event one or more packets may be dropped or discarded. Dropping packets may cause a network entity to re-transmit some traffic and, if too many packets are dropped, a network connection may require re-initialization. Further, dropping one packet or type of packet instead of another may make a significant difference in overall network traffic. Unless the dropping of packets is performed in a manner that distributes the effect among many network connections or that makes allowance for certain types of packets, network traffic may be degraded more than necessary.
One type of situation that typically leads to a high rate of packet arrival at the network interface is a so-called denial of service (DOS) attack, which includes attacks known as distributed denial of service (DDOS) attacks. DOS attacks are usually malicious in nature, and firewalls are typically used as a defense against such attacks. Firewalls are designed to allow desired traffic in while keeping undesired traffic out. A challenging problem is how to operationally survive a DOS attack when the undesired traffic is saturating the processing capability and bandwidth of the network. Although undesired packets are excluded during such saturation, desired packets often fail to pass through the firewall as well.
A serious problem created by a DOS attack (and especially a DDOS attack) is the degradation of a firewall's ability to process packet streams. When a typical firewall is inundated with traffic, it can quickly become overwhelmed with the burden of classifying and discarding traffic, regardless of available bandwidth, to the point where valid connection traffic cannot be serviced.
One common form of DOS attack bombards a firewall with so much rejected traffic that the firewall is unable to forward allowed traffic. DOS attacks do not always involve heavy loads, however. DOS typically describes any state in which a firewall is offered rejected traffic that prohibits the firewall from forwarding some or all allowed traffic. In some cases, even a small amount of traffic may significantly degrade firewall performance, or effectively shut down firewall processing altogether. Further, safeguards sometimes used in firewalls to guard against such attacks may have a significant negative impact on performance.
In a typical DDOS attack, an attacker “hijacks” a large number of often widely dispersed computers that have previously been infected by a worm that carries DOS tools as the payload. The DDOS agents or “zombies” are directed to attack a specific IP address. This type of focused network attack is designed to effectively shut down the network device's Internet presence. There are operating system (OS) specific attacks, such as Jolt 2 and others, which target end hosts, but attacks to shut down networks are typically based on packet flooding.
SYN flooding was a formerly popular type of attack, but is rare today because of widely implemented techniques that reduce its effectiveness. More prevalent are UDP or ICMP attacks, like DNS flooding, Trinoo, TFN, and similar variants, as well as worm attacks such as Blaster. When these flood attacks hit, legitimate traffic cannot get into a corporate network from outside. Inability to process the high rate of small packet traffic is normally the reason. In many cases, a network device like a firewall runs out of resources, whether processing power or memory, when inundated with a seemingly endless stream of traffic from a DDOS attack.
Firewalls have a specific role in the protection of the network and allow or deny traffic to pass based on a simple or complex set of rules. Most high performance firewalls today count on normal network traffic behavior in matching the resource capacity to the bandwidth. Normal traffic has a mix of packet sizes and an established flow, which eases the processing burden for a firewall. Packet data on an established flow can be more easily matched, processed, and forwarded than the additional processing required in classifying and creating the flow for an initial packet transiting the firewall. Yet, this is the type of focused demand that a DDOS attack creates on the firewall.
Some DDOS attacks have a defined fingerprint (or a trait such as port spoofing) that a firewall can detect in order to filter the traffic before it infiltrates a network. Other DDOS attacks are masked as legitimate traffic, which may be allowed through by the firewall rules. In either case, each incoming packet must be processed by the firewall, and during a packet flood that may be an impossible task if the needed capacity isn't available.
Host processors are typically connected to a network using a NIC and in normal operation regularly receive communication packets from, and send communication packets to, the NIC. When under a DDOS attack, existing host processors often do not have sufficient time to process the packets received from their NICs, because they devote most of their time to handling interrupts, buffering packets, and then discarding those same packets as their input buffers fill up. Most existing NICs provide interrupt coalescing to help alleviate this problem, but this typically only helps during the processing of normal traffic. During a DDOS attack, interrupt coalescing provides only limited relief. Existing NICs also provide priority queues so that, during normal traffic conditions, higher priority traffic can be processed while lower priority traffic may be dropped. Priority queues, too, provide only fairly limited assistance in alleviating the adverse effects of a DDOS attack.
Existing NIC devices typically only discard packets when their internal buffers overflow, which indicates that the host processor processing capability is not able to keep up with the packet arrival rate at the NIC. This usually indicates that the host processor is already fully occupied in attempting to handle the DDOS packets being received from the NIC. In this situation, the host processor is unable to do any significant processing on the actual content of the packets as it is too busy handling interrupts from the NIC, moving packets from one host processor queue to another, and discarding packets as its buffers and queues overflow.
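The two preceding paragraphs describe, in words, why interrupt coalescing and NIC priority queues give only limited relief under a flood: the host burns its cycles on interrupts and queue shuffling, and the NIC discards only when its buffer is already full. The following slot-based simulation is an added illustration and is not part of the patent text; every parameter in it (packets per slot, buffer sizes, the host's per-slot processing budget, the cost of one interrupt, the queue names `HIGH`/`LOW`) is an assumed, constructed value chosen to keep the arithmetic traceable, not a measurement of any real NIC or host. It runs four configurations side by side: no coalescing, coalescing alone, coalescing with priority queues, and coalescing with priority queues when the flood traffic is classified as high priority (the "masked as legitimate traffic" case).

```python
"""Constructed toy model of a NIC feeding a host processor under a packet flood.

All numbers are assumptions for illustration, not measurements of real hardware.
"""
from collections import deque
from typing import NamedTuple

HIGH, LOW = 0, 1  # assumed priority classes assigned by the NIC


class Packet(NamedTuple):
    legit: bool   # True for wanted traffic, False for flood traffic
    prio: int     # HIGH or LOW, as classified by the NIC


def arrivals(legit_rate, flood_rate, flood_prio):
    """One slot's arrivals, with the legit packets spread evenly through the flood."""
    total = legit_rate + flood_rate
    legit_at = {k * total // legit_rate for k in range(legit_rate)}
    return [Packet(True, HIGH) if i in legit_at else Packet(False, flood_prio)
            for i in range(total)]


def simulate(slots=100, legit_rate=2, flood_rate=50, flood_prio=LOW,
             nic_buffer=64, host_queue=128, host_budget=40,
             interrupt_cost=4, coalesce=1, priority_queues=False):
    """Return drop/delivery counters after `slots` time slots of traffic."""
    nq = 2 if priority_queues else 1
    nic = [deque() for _ in range(nq)]    # NIC receive queues, tail-drop on overflow
    host = [deque() for _ in range(nq)]   # host-side queues filled by interrupts
    nic_cap, host_cap = nic_buffer // nq, host_queue // nq
    s = dict(legit_offered=0, legit_delivered=0, legit_dropped_nic=0,
             legit_dropped_host=0, flood_delivered=0, interrupts=0)
    for _ in range(slots):
        # 1. Packets arrive; the NIC only discards when its buffer is already full.
        for pkt in arrivals(legit_rate, flood_rate, flood_prio):
            q = pkt.prio if priority_queues else 0
            s["legit_offered"] += int(pkt.legit)
            if len(nic[q]) < nic_cap:
                nic[q].append(pkt)
            else:
                s["legit_dropped_nic"] += int(pkt.legit)
        # 2. The host must service interrupts before it can look at any packet.
        #    Each interrupt costs `interrupt_cost` units of the host's budget and
        #    moves up to `coalesce` packets, draining the high-priority queue first.
        budget = host_budget
        while budget >= interrupt_cost and any(nic):
            budget -= interrupt_cost
            s["interrupts"] += 1
            moved = 0
            for q in range(nq):
                while moved < coalesce and nic[q]:
                    pkt = nic[q].popleft()
                    moved += 1
                    if len(host[q]) < host_cap:
                        host[q].append(pkt)
                    else:  # host queue overflow: packet discarded unprocessed
                        s["legit_dropped_host"] += int(pkt.legit)
        # 3. Whatever budget remains goes to actual packet processing, one unit each.
        for q in range(nq):
            while budget > 0 and host[q]:
                pkt = host[q].popleft()
                budget -= 1
                s["legit_delivered" if pkt.legit else "flood_delivered"] += 1
    return s


SCENARIOS = {
    "no coalescing, single queue": dict(coalesce=1),
    "coalesce 8, single queue": dict(coalesce=8),
    "coalesce 8, priority queues, flood is LOW": dict(coalesce=8, priority_queues=True),
    "coalesce 8, priority queues, flood masquerades as HIGH":
        dict(coalesce=8, priority_queues=True, flood_prio=HIGH),
}


def compare(slots=100):
    """Run every scenario with identical traffic and return the counters by name."""
    return {name: simulate(slots=slots, **kw) for name, kw in SCENARIOS.items()}


if __name__ == "__main__":
    for name, st in compare().items():
        print(f"{name:55s} legit delivered {st['legit_delivered']:3d}/{st['legit_offered']}"
              f"  interrupts {st['interrupts']}  dropped at NIC {st['legit_dropped_nic']}"
              f"  dropped at host {st['legit_dropped_host']}")
```

With the assumed numbers, the no-coalescing run delivers no wanted traffic at all: ten interrupts per slot consume the whole budget, so the host never reaches step 3, exactly the state described above. Coalescing frees enough budget to process some packets, but with a single FIFO the wanted packets still queue behind flood traffic and many are discarded on host-queue overflow. Priority queues deliver every wanted packet only while the NIC can tell the flood apart from the wanted traffic; once the flood is classified into the same queue, the priority split stops helping.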
In light of the above, it would be desirable to have a system and method that provides improved handling and processing of packets during a DOS or other type of attack; that provides improved processing of desired new or existing network connections while maintaining network protection from an attack by rejecting or dropping proscribed packet data as it is received; and that provides improved dropping of undesired packet traffic without severely decreasing desired packet traffic.
The exemplification set out herein illustrates an embodiment of the invention in one form, and such exemplification is not intended to be construed as limiting in any manner.