Field
Embodiments of the present invention generally relate to detection and mitigation of Denial of Service (DoS) attacks. More particularly, embodiments of the present invention relate to mitigation of DoS attacks by a DoS mitigation device based on the health/performance status of one or more protected network devices that the DoS mitigation device protects.
Description of the Related Art
As more and more devices of different types and form factors are connected to the Internet, and to infrastructures such as transportation systems, healthcare systems, financial transaction platforms, education systems, and traffic management systems, among others, the devices and their users are becoming dependent on access to the Internet, and it is also becoming desirable that the Internet becomes and remains secure while providing maximum availability. However, the Internet is challenged by cyber attackers who are armed with different types of cyber attacks, e.g., Denial-of-Service (DoS) attacks and, in particular, Distributed Denial-of-Service (DDoS) attacks, phishing techniques, spamming, and so on. Cyber attackers have different intents and attack computer systems/networks to disrupt services to legitimate users or to obtain financial, strategic, and/or political gain.
A DDoS attack is a critical and continuous cyber threat that targets protected devices, e.g., servers or other critical infrastructure or resources of a protected network, so as to make the protected devices, computer systems/machines, or protected network resources unavailable to legitimate users. A typical DDoS attack causes loss of service or network connectivity to legitimate users. Although the means to carry out, the motives for, and the targets of a DoS attack may vary, it generally consists of efforts to temporarily or indefinitely interrupt or suspend the services of a protected device or of a protected network connected to the Internet.
Most common DoS attacks aim to exhaust computational resources, e.g., connection bandwidth, memory space, or CPU time, by, for example, flooding a target network node/resource with valid or invalid requests and/or messages. A typical DDoS attack is initiated by one or more people or zombies/bots so as to burden an intended protected device, for example, a server, with numerous dummy requests. A DDoS attack is basically a DoS attack that, instead of using a single computer as the base of attack, uses multiple compromised computers simultaneously, possibly a large or very large number of them, thus amplifying the effect, so as to exhaust the resources of the protected device or network. Resources of a protected device, e.g., a server, an authentication engine, or a database, among others, are exhausted by such false requests for service to an extent such that the protected device is not able to serve even genuine/legitimate users.
In sum, illegitimate users/bots flood the network with an overwhelming number of packets that exhausts the network or application resources. In particular, the packets may target one particular network node, for instance a router, a switch, a gateway, or an application server, causing that node to crash, reboot, or exhaust its computational resources. The compromised computers, which are also commonly referred to as zombies, are typically infected by malicious software (a worm, virus, or Trojan) in a preliminary stage of the attack, which involves scanning a large number of computers and searching for those that are vulnerable. The attack itself is then launched at a later time, either automatically or by direct action of an attacker.
As described above, these DDoS attacks have become a common tool of hackers for targeting a web service or a network resource. By bombarding a server with traffic, they can make it impossible for legitimate users to secure a connection, effectively taking a site offline.
Prior solutions attempt to detect DDoS attacks and prevent such attacks by monitoring and filtering traffic directed to the protected device. Attempts have also been made to distinguish traffic initiated by legitimate users from traffic initiated by DDoS attackers. Various statistical analysis based solutions have been proposed for detecting and preventing DDoS attacks at the physical layer to application level services.
Most existing DDoS detection and prevention systems, also referred to as DDoS mitigation systems, work as in-line filters between client devices and a protected device/server. These DDoS mitigation systems monitor the traffic between the client devices (some of which might be controlled by one or more attackers, e.g., zombies, and some of which represent legitimate client devices) and the protected device, and block traffic directed to the protected device based on some predefined or dynamically calculated adaptive threshold of allowed traffic volume. These DDoS mitigation systems therefore block traffic directed to the protected device when the threshold of allowed traffic volume is reached. As distinguishing between traffic originating from a legitimate user and traffic originating from an attacker/zombie is not always possible, existing DDoS mitigation systems block the traffic from the legitimate user as well as that from the attacker/zombie when the traffic volume reaches the predefined threshold. This is a coarse approach, which unnecessarily blocks traffic even when the protected device has resources to manage further incoming traffic. In most cases, traffic volume reaching a particular defined threshold does not necessarily mean that the protected device would be unable to handle traffic that slightly exceeds the defined threshold.
Many existing DDoS mitigation systems rely heavily on the number of active connections maintained by the protected device to determine whether a new connection request, service request, or other traffic directed to the protected device should be forwarded to it. In some cases, the threshold for the number of active connections or for traffic volume, based on which these DDoS mitigation systems decide whether to allow further connections or traffic, is configured conservatively. That is, the threshold is set much lower than the actual number of active connections or the actual traffic volume that the protected device can serve. For example, if a protected device can serve 2,000 active connections or can receive 2,000 requests per second, existing DDoS mitigation systems might be configured not to allow more than 1,000 active connections or 1,000 requests per second. Once the threshold of 1,000 active connections or 1,000 requests within a second is met, such a DDoS mitigation system blocks all subsequent connection requests even if the protected device still has enough resources to serve more connections. In such cases, even traffic originating from legitimate users is denied because the DDoS mitigation system does not allow any traffic to be directed to the protected device. Such approaches by existing DDoS mitigation systems therefore prevent optimal utilization of protected devices or protected network resources and result in access to the protected resource being denied to both malicious sources and legitimate users.
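As an added illustration that is not part of the patent text, the following Python simulation contrasts the coarse static threshold described above with an admission decision that also consults a health metric reported by the protected device. The 1,000 and 2,000 figures are the example values from the description; the request stream, the linear CPU-utilization model, and the 90% headroom limit are constructed assumptions.

```python
# Added example, not from the patent: static-threshold admission vs. health-aware
# admission in a DoS mitigation device. All inputs below are constructed.
from dataclasses import dataclass

STATIC_LIMIT = 1000      # conservative threshold configured on the mitigation device
SERVER_CAPACITY = 2000   # connections the protected server can actually serve
CPU_HEADROOM = 0.9       # assumed: stop forwarding once reported CPU reaches 90%


@dataclass
class Request:
    src: str
    legitimate: bool     # ground truth, known only to the simulation


def static_threshold_admit(active_connections: int, cpu_util: float) -> bool:
    """Existing approach: forward only while below the fixed threshold.
    The health metric is ignored entirely."""
    return active_connections < STATIC_LIMIT


def health_aware_admit(active_connections: int, cpu_util: float) -> bool:
    """Forward while the protected device itself reports spare capacity.
    cpu_util is a constructed 0.0-1.0 metric reported by the server."""
    return active_connections < SERVER_CAPACITY and cpu_util < CPU_HEADROOM


def simulate(requests, admit):
    """Apply an admission policy to a stream of new connection requests and
    count how many were forwarded and how many legitimate ones were denied."""
    active = forwarded = denied_legit = 0
    for r in requests:
        cpu_util = active / SERVER_CAPACITY  # constructed: load scales linearly
        if admit(active, cpu_util):
            active += 1
            forwarded += 1
        elif r.legitimate:
            denied_legit += 1
    return {"forwarded": forwarded, "denied_legitimate": denied_legit}


def build_stream(n_bots: int = 1500, n_legit: int = 300):
    """Constructed stream: a bot flood arrives first, then legitimate users."""
    bots = [Request(f"bot-{i}", False) for i in range(n_bots)]
    users = [Request(f"user-{i}", True) for i in range(n_legit)]
    return bots + users


if __name__ == "__main__":
    print("static:      ", simulate(build_stream(), static_threshold_admit))
    print("health-aware:", simulate(build_stream(), health_aware_admit))
```

With the static threshold, the first 1,000 connections (all bots) fill the quota and every legitimate user is refused while the server sits at half its capacity; the health-aware policy keeps forwarding until the server reports it is near its limit.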
Therefore, there exists a need for systems and methods that can be implemented in, for instance, DoS mitigation devices to mitigate DDoS attacks, and at the same time allow optimal utilization of the computing resources of protected network device(s).