In a Denial-of-Service (DoS) attack, an attacker bombards a victim network or server with a large volume of message traffic. Handling this traffic consumes the victim's available bandwidth, CPU capacity, or other critical system resources, until the victim can no longer serve its legitimate clients. Distributed DoS (DDoS) attacks can be even more damaging, because they generate artificial network traffic from many sources simultaneously. In a “conventional” massive-bandwidth attack, the source of the attack may be traced with the help of statistical analysis of the source Internet Protocol (IP) addresses of incoming packets. The victim can subsequently filter out any traffic originating from the suspect IP addresses, and can use the evidence to take legal action against the attacker.
U.S. Patent Application Publication 2005/0166049, whose disclosure is incorporated herein by reference, describes a method for resisting a “zombie attack.” A zombie attack is a type of DDoS attack in which an attacker attempts to control a large number of servers on the Internet by using “worms,” which are malicious programs that self-replicate across the Internet by exploiting security flaws in widely-used services. After taking control of a computer, a worm often uses the computer to participate in a DDoS attack, without any knowing collaboration on the part of the computer user. Infected computers that participate in this sort of mass malicious activity are referred to as “zombies.” To deal with zombie attacks, a network guard system challenges sources of incoming message traffic to determine whether the sources comply fully with higher-level communication protocols, such as Hypertext Transfer Protocol (HTTP) (including features of HyperText Markup Language [HTML]) or Domain Name System (DNS), which operate above the transport layer (typically Transmission Control Protocol [TCP] or User Datagram Protocol [UDP]). Failure of a computer at a given source IP address to comply with the higher-level protocol indicates that the source may be a zombie, and incoming messages from this source are therefore blocked.
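As an added illustration of the challenge step described above (example code written for this page, not taken from the cited patent application), the following guard answers each new source's first HTTP request with a 302 redirect that carries a token bound to the source address; a client that honours the redirect, as HTTP requires, is forwarded, while one that keeps replaying the bare request is blocked after a fixed number of unanswered challenges. The key, the `gchal` parameter name, the failure budget and the simulated clients are assumptions.

```python
import hmac

# Constructed guard key for the example; a deployment would generate and rotate its own.
GUARD_KEY = b"example-guard-key-not-for-production"


class HttpRedirectGuard:
    """Challenge each new source IP with an HTTP 302 that carries a per-source token.
    A client that honours the redirect, as HTTP requires, returns with the token and is
    forwarded; one that keeps replaying the bare request, as a flooding zombie typically
    does, is blocked once it exceeds max_failures challenges."""

    def __init__(self, max_failures: int = 3):
        self.max_failures = max_failures
        # per-source state: failures (unanswered challenges), passed, blocked
        self.sources: dict[str, dict] = {}

    def _token(self, ip: str) -> str:
        # Bind the token to the source address so one zombie cannot reuse another's answer.
        return hmac.new(GUARD_KEY, ip.encode(), "sha256").hexdigest()[:16]

    def handle(self, ip: str, path: str, query: dict) -> tuple:
        """Return ("forward" | "redirect" | "block", redirect location or None)."""
        src = self.sources.setdefault(ip, {"failures": 0, "passed": False, "blocked": False})
        if src["blocked"]:
            return "block", None
        if src["passed"]:
            return "forward", None
        expected = self._token(ip)
        if hmac.compare_digest(str(query.get("gchal", "")), expected):
            src["passed"] = True      # source completed the higher-level protocol exchange
            return "forward", None
        src["failures"] += 1
        if src["failures"] > self.max_failures:
            src["blocked"] = True     # behaves like a zombie: never follows the redirect
            return "block", None
        return "redirect", f"{path}?gchal={expected}"


def simulate(guard: HttpRedirectGuard, ip: str, follows_redirects: bool, attempts: int = 4) -> str:
    """Replay a constructed client against the guard and return the guard's final decision."""
    decision = "redirect"
    for _ in range(attempts):
        decision, location = guard.handle(ip, "/index.html", {})
        if decision == "redirect" and follows_redirects:
            path, _, qs = location.partition("?")          # a compliant client follows the 302
            key, _, value = qs.partition("=")
            decision, _ = guard.handle(ip, path, {key: value})
        if decision in ("forward", "block"):
            break
    return decision
```

In practice the guard would also expire per-source state and log blocked addresses, so that a source which later starts to comply is not penalised indefinitely.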