Data networks are used today to transmit vast amounts of data. Such networks comprise elements sometimes called nodes. Nodes may be, e.g., routers, switches, and/or end-hosts. Among those nodes, routers or switches are called network nodes. End-hosts can serve as the source or destination of data transmitted through a network. In many packet networks, data is transmitted between a source and destination device as a flow of packets. Flows of packets can be categorized by a wide range of factors including, e.g., the type of protocol used to form and/or transmit the packet and/or the specific type of application to which the packet corresponds.
As known in the art, it is common to monitor traffic flows and store flow statistics in a database, e.g., for purposes of load balancing and traffic route determination. Gathered traffic information for a node typically includes information such as packet flow rates and, for each flow, protocol type, application type, source IP address, source port number, destination IP address, destination port number, etc. Such detailed statistics along with information about the time periods in which such statistics are gathered can be used to group traffic flows into a wide number of classes depending on the intended purpose of grouping the traffic.
Flooding Network DoS (N-DoS) attacks occur in a network when one or more sources send large amounts of data to a destination node, e.g., web page server, in an attempt to interfere with the normal servicing of traffic at the destination node. Flows of traffic used to implement N-DoS attack can be considered malicious since their purpose is to interfere with the communication and servicing of legitimate network traffic.
Malicious flows associated with an flooding N-DoS attack often create congestion at certain nodes located prior to, i.e., upstream from, the flow's destination node. The nodes at which congestion occurs are sometimes referred to as bottleneck nodes.
As a result of malicious sources flooding a bottleneck node with traffic, legitimate traffic passing through the bottleneck node may be subject to dropping of packets thereby preventing legitimate communications. Thus, N-DoS attacks negatively effect legitimate users, and/or even cause its victim's services (e.g. web sites) to crash due to excessive loading.
One known technique for protecting against N-DoS attacks involves explicit signature capture and analysis. For example, those signatures can be communication port numbers, daemon names or commands, or contained in IP packet payload. Unfortunately these approaches can be ineffective and may result in negative consequences for legitimate users, because the signatures can change over time making a captured signature useless in identifying a malicious source during a subsequent attack.
Another disadvantage of the signature capture system is that the signature collection methods are an aftermath defense approach. Thus, such an approach helps in preventing future attacks with known signatures, but is of limited use during initial attacks.
In view of the above discussion, it is apparent that there is a need for methods of effectively identifying malicious traffic flows, e.g., traffic flows from individuals and/or sources involved in launching an N-DoS attack. There is also a need for methods and apparatus for reducing and/or eliminating the effects of malicious traffic flows associated with N-DoS attacks. It is desirable that at least some congestion control methods be capable of limiting malicious traffic prior to a significant collapse or restriction on legitimate network traffic occurs.