There exist two principal categories of denial-of-service attacks: logic attacks and flooding or rate-based attacks. Logic attacks exploit existing software flaws to crash or degrade performance. Rate-based attacks, on the other hand, overwhelm the victim's CPU, memory, or network resources with a large number of spurious or crafted packets. These packets are either targeted at the victim or sent from the victim.
Routers and switches can perform some filtering functions to provide a certain level of protection. Such protection, however, is very coarse-grained, inflexible, and slow. To date, routers and switches cannot effectively limit traffic on a per-host or per-application basis. On the other hand, firewalls can filter in a sophisticated way, but since they need to perform additional analyses not specific to DOS protection, their performance is also limited.
To protect critical network servers or network segments from such attacks, solutions are available in the market in the form of expensive intrusion prevention systems. Unfortunately, denial-of-service (DOS) and distributed denial-of-service (DDOS) attacks continue to incapacitate sites or network nodes not secured by these expensive intrusion prevention systems. Existing intrusion prevention systems suffer from false positives due to the use of attack signatures. In addition, to adopt a rate-based approach, these systems would need provisioning for various thresholds of DOS attacks. This provisioning requires estimating rates for a number of thresholds, which could be a daunting task.
Therefore, there is a need and desire in the art for a viable and effective mechanism that identifies, detects, and prevents rate-based attacks in various layers of network traffic. Such a mechanism must be able to separate legitimate traffic from spoofed traffic, must be able to identify the culprits who are generating such rate-based attacks, and must be able to block those attacks. It is particularly desirable that such a mechanism can prevent a network node from being attacked, or from attacking others in the network in case it is infected. It is also desirable that the mechanism estimates the thresholds in a continuous and adaptive way, i.e., from past traffic observed during normal operation, so that the user does not have to provision them.
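As an added illustration (not the patent's own method), the following Python sketch shows the kind of adaptive threshold the preceding paragraph calls for: each source's baseline packet rate is learned continuously from its own past normal-time intervals, so no threshold has to be provisioned, and the key could equally be a (host, application) pair to get the per-application granularity that routers and switches lack. The smoothing factor, multiplier and warm-up length are assumed illustrative values, and the traffic sample is constructed.

```python
import math
from collections import defaultdict

class AdaptiveRateDetector:
    """Per-source packet-rate detector. The threshold for each source is learned
    from that source's own past traffic during normal intervals (an EWMA of mean
    and variance) rather than provisioned by hand. alpha, k and warmup are
    assumed illustrative values, not parameters taken from the patent text."""

    def __init__(self, alpha=0.2, k=4.0, warmup=5):
        self.alpha, self.k, self.warmup = alpha, k, warmup
        self.mean = {}                 # learned mean packets per interval
        self.var = {}                  # learned variance of that count
        self.n = defaultdict(int)      # normal intervals learned per source

    def threshold(self, src):
        """Current adaptive threshold for src, or None while still learning."""
        if self.n[src] < self.warmup:
            return None
        m, sigma = self.mean[src], math.sqrt(self.var[src])
        return max(m + self.k * sigma, 2.0 * m)   # never below twice the baseline

    def observe(self, src, count):
        """Feed one interval's packet count from src; True means the interval
        exceeded the learned threshold. Flagged intervals are not folded into
        the baseline, so a ramping flood cannot drag its own threshold upward."""
        thr = self.threshold(src)
        if thr is not None and count > thr:
            return True
        if src not in self.mean:
            self.mean[src], self.var[src] = float(count), 0.0
        else:
            diff = count - self.mean[src]
            self.mean[src] += self.alpha * diff
            self.var[src] = (1 - self.alpha) * (self.var[src] + self.alpha * diff * diff)
        self.n[src] += 1
        return False
def detect_floods(intervals, detector=None):
    """Run (src, count) samples through a detector; return flagged (index, src, count)."""
    det = detector or AdaptiveRateDetector()
    return [(i, s, c) for i, (s, c) in enumerate(intervals) if det.observe(s, c)]

# Constructed sample: packets per one-second interval from two sources. The
# second behaves normally, then floods, then returns to its usual rate.
SAMPLE = [("10.0.0.5", c) for c in (48, 52, 50, 47, 55, 51, 49, 53)] + \
         [("10.0.0.9", c) for c in (20, 22, 19, 21, 23, 20, 400, 650, 21)]
if __name__ == "__main__":
    for i, src, count in detect_floods(SAMPLE):
        print(f"interval {i}: {src} sent {count} packets, above learned threshold")
```

A legitimate flash crowd exceeds the learned threshold just as a flood does, so in practice the flag would feed a rate limiter or further inspection rather than an immediate block.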