A computer network is a collection of interconnected computing devices that exchange data and share resources. In a packet-based network, such as the Internet, the computing devices communicate data by dividing the data into small blocks called packets. The packets are individually routed across the network from a source device to a destination device. The destination device extracts the data from the packets and assembles the data into its original form. Dividing the data into packets enables the source device to resend only those individual packets that may be lost during transmission.
Certain devices, referred to as routers, maintain routing information that describes routes through the network. A “route” can generally be defined as a path between two locations on the network. Conventional routers often maintain the routing information in the form of one or more routing tables or other data structures. The form and content of the routing tables often depend on the particular routing algorithm implemented by the router.
Upon receiving incoming packets, the routers examine information within the packets, and forward the packets to other devices within the network in accordance with the routing information. In order to maintain an accurate representation of the network, routers exchange routing information in accordance with routing protocols, such as the Border Gateway Protocol (BGP), the Intermediate System to Intermediate System (ISIS) protocol, the Open Shortest Path First (OSPF) protocol, and the Routing Information Protocol (RIP).
When two routers initially connect, they typically exchange routing information. From then on, the routers send control messages to incrementally update the routing information when the network topology changes. For example, the routers may send update messages to advertise newly available routes, and to withdraw routes that are no longer available. The control messages communicated between network devices, such as routers, is often referred to “control plane” network traffic. In contrast, the network traffic received and forwarded by a router is often referred to as “data plane” network traffic.
A network device, such as a router, server, workstation, or other device, can be susceptible to a network attack. A denial of service (DoS) attack, for example, occurs when a malicious party directs a high volume of packets to the network device in an attempt to sabotage network operation. The high volume of traffic can overwhelm the network device, leaving it unable to process other packets. For example, in one type of DoS attack, a perpetrator sends a large number of “ping” requests to network broadcast addresses, which are special addresses used to broadcast messages to other devices on the network. When sending the requests, the perpetrator spoofs the source address of a network device targeted by the attack. In response to the requests, the other network devices reply to the targeted routing device, thereby inundating the targeted routing device with packets.
One technique for preventing or otherwise reducing the effects of attacks on devices within a network is to introduce a “firewall.” The firewall is often a dedicated device that provides stateful analysis (i.e., inter-packet analysis) of the network traffic, and is typically placed between the network and a router coupled to an external network, i.e., “behind” the router. Placing the firewall behind the router protects devices within the network, but leaves the router exposed to external network attacks.
Another technique is to place the firewall between the router and the external network, such as a service provide network. This technique, however, may adversely impact the bandwidth available to receive traffic from the external network as the firewall is typically unable to match the level of bandwidth supported by the router.