“Worms” are programs that self-replicate across the Internet by exploiting security flaws in widely-used network services. Well-known worms include Code Red (I and II), Nimda, Blaster, and Sasser. For example, Code Red I spread during the summer of 2001 by exploiting a buffer overflow in the Indexing Service ISAPI extension of Microsoft® IIS web servers. Once it infected a server, the worm spread by launching 99 threads, each of which generated random IP addresses and attempted to compromise the servers at those addresses.
The servers and networks infected by a worm often suffer performance degradation. The degradation is caused in part by the packets generated and received by an infected server as it attempts to discover and infect servers at random IP addresses (called “scanning”). For example, an infected server may send a large volume of TCP SYN packets to random IP addresses, each of which may respond with a SYN-ACK packet; since most randomly chosen addresses are unreachable, many of these SYNs receive no reply and are retransmitted. Such traffic may consume a large portion of the bandwidth of the infected network's connection to the Internet. Additionally, each outstanding SYN occupies a half-open connection entry on the sending server until a reply arrives or the attempt times out, tying up server resources.
Worms are sometimes used to launch a Denial-of-Service (DoS) attack, by placing a large number of compromised servers on the Internet under the attacker's control and directing their traffic at a single target (a distributed DoS, or DDoS, attack). In a DoS attack, an attacker bombards a victim network or server with a large volume of message traffic. The traffic overload consumes the victim's available bandwidth, CPU capacity, or other critical system resources, and eventually brings the victim to a state in which it can no longer serve its legitimate clients.
US Patent Application Publication 2005/0021740 to Bar, which is incorporated herein by reference, describes a method for processing communication traffic, including monitoring the communication traffic that is directed to a group of addresses on a network, and determining respective baseline characteristics of the communication traffic that is directed to each of the addresses in the group. Deviations from the respective baseline characteristics of the communication traffic directed to at least one of the addresses in the group are detected, as an indication that at least some of the communication traffic may be of malicious origin.
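The two detection ideas in the passages above, scanning recognised by SYN fan-out with few SYN-ACK replies, and per-address baselines with deviation alerts, can be illustrated with a small script. The following is an added example written for this page; it is not code from the present application or from the Bar publication, and the function names, thresholds and flow records are hypothetical. The flow records and per-interval packet counts are constructed inline (addresses are taken from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24), so the script runs offline.

```python
"""Added example: scan detection by SYN fan-out, and per-address baseline
deviation, run over constructed flow records (not captured traffic)."""
from collections import defaultdict
from statistics import mean, pstdev


def build_flows():
    """Constructed flow summaries as (src, dst, tcp_flags).
    "S" is a SYN from src to dst; "SA" is a SYN-ACK reply from src to dst."""
    flows = []
    # A worm-infected host probing 40 random-looking addresses; only 2 answer.
    for i in range(40):
        flows.append(("192.0.2.5", f"203.0.113.{i + 1}", "S"))
    flows.append(("203.0.113.3", "192.0.2.5", "SA"))
    flows.append(("203.0.113.17", "192.0.2.5", "SA"))
    # A normal client opening a few connections that all complete.
    for dst in ("198.51.100.10", "198.51.100.11", "198.51.100.12"):
        flows.append(("192.0.2.7", dst, "S"))
        flows.append((dst, "192.0.2.7", "SA"))
    return flows


def scan_report(flows, min_targets=20, max_reply_ratio=0.25):
    """Return {src: (distinct_syn_targets, reply_ratio)} for sources that
    look like scanners: SYNs fanned out to many distinct destinations, of
    which only a small fraction ever answer with a SYN-ACK (hypothetical
    thresholds; tune to the monitored network)."""
    targets = defaultdict(set)   # src -> destinations it sent a SYN to
    replies = defaultdict(set)   # src -> destinations that sent it a SYN-ACK
    for src, dst, flags in flows:
        if flags == "S":
            targets[src].add(dst)
        elif flags == "SA":
            # a SYN-ACK from src to dst means dst's earlier SYN was answered
            replies[dst].add(src)
    report = {}
    for src, dsts in targets.items():
        answered = len(dsts & replies[src])
        ratio = answered / len(dsts)
        if len(dsts) >= min_targets and ratio <= max_reply_ratio:
            report[src] = (len(dsts), round(ratio, 3))
    return report


def baseline_deviations(history, current, k=3.0, min_abs=20):
    """history: {dst: [packets per interval, ...]} from a quiet period;
    current: {dst: packets in the interval under test}.
    Flag a destination whose current count exceeds mean + k*stdev of its
    history and also exceeds the mean by at least min_abs packets, so a
    flat baseline with near-zero spread does not fire on tiny wobbles.
    Destinations with no history are skipped: there is nothing to compare
    against yet. Returns {dst: (baseline_mean, current_count)}."""
    flagged = {}
    for dst, count in current.items():
        past = history.get(dst)
        if not past:
            continue
        mu, sigma = mean(past), pstdev(past)
        if count > mu + k * sigma and count - mu >= min_abs:
            flagged[dst] = (round(mu, 1), count)
    return flagged


# Constructed per-interval packet counts toward two protected addresses.
HISTORY = {
    "198.51.100.10": [100, 110, 95, 105, 100],
    "198.51.100.20": [50, 52, 48, 51, 49],
}
CURRENT = {"198.51.100.10": 108, "198.51.100.20": 400, "198.51.100.30": 999}

if __name__ == "__main__":
    print("scanning sources:", scan_report(build_flows()))
    print("deviating destinations:", baseline_deviations(HISTORY, CURRENT))
```

The scanning signal is the combination of fan-out and a low reply ratio: a busy but legitimate client also contacts many destinations, but nearly all of them answer. The baseline check deliberately requires an absolute margin as well as a statistical one, because a destination whose history is nearly constant has a standard deviation close to zero and would otherwise alert on any change at all.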
PCT Publication WO 03/050644 to Afek et al., which is incorporated herein by reference, describes a method for screening packet-based communication traffic. At least a first data packet, sent over a network from a source address to a destination address, is received. A determination is made, by analyzing the first data packet, that the first data packet was generated by a worm. In response to the determination, a second data packet sent over the network from the source address is blocked.
US Patent Application Publication 2002/0083175 to Afek et al., which is incorporated herein by reference, describes techniques for protecting against and/or responding to an overload condition at a node in a distributed network by diverting traffic otherwise destined for the victim to one or more other nodes, which can filter the diverted traffic, pass a portion of it to the victim, and/or effect processing of one or more of the diverted packets on behalf of the victim.
US Patent Application Publication 2003/0200464 to Kidron, which is incorporated herein by reference, describes a system for detecting and countering malicious code in an enterprise network. A pattern recognition processor monitors local operations on a plurality of local machines connected through an enterprise network, to detect irregular local behavior patterns. An alert may be generated after an irregularity in behavior pattern on a local machine is detected. Irregular behavior alerts from a plurality of local machines are analyzed. If similar alerts are received from at least a threshold number of local machines over a corresponding period of time, one or more countermeasure operations are selected based on the analysis of the irregular behavior alerts.
US Patent Application Publications 2004/0221190 and 2004/0199791 to Poletto et al., which are incorporated herein by reference, describe a system for detecting network intrusions and other conditions in a network. The system includes a plurality of collector devices that are disposed to collect data and statistical information on packets that are sent between nodes on a network. An aggregator device is disposed to receive data and statistical information from the plurality of collector devices. The aggregator determines network events by aggregating anomalies into network events.
PCT Publication WO 03/055148 to Brendel, which is incorporated herein by reference, describes a network traffic evaluation device that may be used to warn of or prevent traffic abnormalities such as denial of service attacks. The device includes a data interface to receive one or both of network traffic and data indicative of characteristics of network traffic. The network traffic and/or data received by the data interface is processed for predetermined characteristics that indicate that the network traffic contains a subset of attack traffic.
The present invention will be more fully understood from the following detailed description of embodiments thereof, taken together with the drawings in which: