I. This invention relates to computer systems, in particular to network environments.
Organizations use networks such as local area networks or wide area networks to share information and capabilities among nodes and to allow users to communicate and exchange information. Such networks consist of numerous nodes connected by links. Each node may include networking equipment such as ports (also known as interfaces), which translate signals between the formats used by links and those used by nodes. Nodes may connect to multiple links, and each node has one port for each link to which it connects. Each node may perform various functions; for example, a node may at the same time run user applications and act as a network management console. A node may also be termed a host or a device, and may be a PC, workstation or laptop running a user application program, a router, an application gateway, a server, or any other device attached at some point in time to a network.
One method for allowing network nodes to communicate is the TCP/IP transport protocol. Modules on different nodes may use TCP/IP as a protocol to communicate with each other via a network. Every node connected to a network using TCP/IP has an internet protocol ("IP") address, which consists of four numbers, each separated by a period. This IP address may be used to name the node. Some nodes may have more than one IP address.
As network use and the complexity of networks increase, managing networks and diagnosing network problems become more difficult. One area of network management presenting difficulties is diagnosing and responding to network attacks. Modern computer networks are vulnerable to various types of attacks from within and without the network. For example, one category of attacks involves sending a flood of attack traffic to a device on a network; the flood of messages consumes network resources, prevents the network from being used for its intended purpose, and may cause equipment to overload or crash. To halt the attack, the source of the attack traffic is detected and action may be taken; for example, the source of the attack may be disconnected from the network links allowing it to propagate hostile messages. When used herein, attack traffic may refer to any traffic which is sent to interrupt network operations or damage network equipment, processes or data. Attack traffic typically is purposefully sent but may also include traffic which is inadvertently sent and which has similar results, for example traffic from an out-of-control process.
The source of attacks may be difficult to diagnose due to the nature of typical network architecture and due to subterfuge methods an attacking machine may use. While normally a network packet identifies the sender of the packet, a device sending hostile messages may disguise this through IP spoofing, where a false source IP address is inserted in sent packets. In addition, on a network having multiple gateways to other networks, it may not be readily apparent which of the multiple gateways is allowing a flood of hostile messages to enter the network.
Systems exist for collecting information about network traffic. For example, to determine the node which is the source of attack traffic (or the gateway allowing such traffic into a network, which in such a case may be considered a source) and the path or paths taken by such traffic, a human operator may access each link at a node receiving such traffic and analyze the incoming traffic using a sniffer. A sniffer is a device which may record network statistics at a node. The operator may identify which of the physical links attached to the node is receiving a certain type or amount of traffic and then move to the node on the other end of the identified link. The path or paths of traffic from the source of the traffic may be found by traversing the network from node to node, using the sniffer at each node in a path, until the source is reached. Such a diagnosis is slow and inaccurate. A similar analysis may be performed from a central console which may query remote nodes for information about the source of incoming traffic. Such a diagnosis is also slow and inaccurate, as it requires commands to nodes and responses from nodes to be transmitted across the network. The speed at which attacks occur and the speed at which such problems must be fixed makes such detection methods ineffective. A path taken by traffic may be described as the equipment traversed by traffic as the traffic crosses a network or networks (e.g., a series of nodes and links, or a series of sub-networks).
Diagnosing network attacks may thus require the distributed state of the network to be known, e.g., what type of traffic is being received at which devices and through which ports, and the path or paths taken by the traffic. Certain information about the state of a network may only be gathered accurately and quickly at the individual nodes distributed throughout a network, for example the particular port receiving a certain type of attack traffic. Currently, gathering such information requires that an operator physically access individual nodes, e.g., by using a sniffer, or that a central console query remote nodes. Such methods are slow, inefficient and inaccurate. The time taken to perform current diagnosis operations results in inaccuracy, as the state of a network is determined over a period of time rather than at one instant. Delays may also occur if, as may happen during a network attack, data transmission over links is interrupted or halted. The state of a network is not always accurately viewed from one central point which has only indirect access to the state of remote network nodes. Evidence of the source of attack traffic exists with greater certainty nearer the source of the traffic.
Therefore there exists a need for a system and method allowing for the distributed state of a network, such as information about attack traffic, to be quickly and accurately collected. A system and method are needed for quickly and accurately diagnosing network attacks by determining information such as the source of, or a partial path of, attack traffic.
A method and system are disclosed for analyzing traffic on a network by monitoring network traffic and, when a particular network condition (for example, a network attack) is detected, gathering information about the traffic on the network by launching an agent and having the agent iteratively identify which of the links on the node on which the agent operates accepts a type or class of traffic, traverse the identified link to the node across the link, and repeat the process.
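The hop-by-hop traversal described in the summary above, and the manual sniffer-based version of it described earlier, can be simulated on a small constructed topology. The following is an added example, not code from the patent or from any product it describes. It assumes that each node exposes per-port inbound packet counters broken down by traffic class, that the managed network ends at nodes marked as gateways, and that the traceback stops either at a gateway or at a node on which no port is receiving the attack class (that node is then reported as the originator). The topology, port names, counter values and the class name `syn_flood` are all constructed for the example; the traversal is breadth-first so that branching paths (e.g. an internal host and a gateway both feeding the same router) are all reported.

```python
"""Hop-by-hop traceback of a traffic flood using per-port ingress counters.

Added example (not the patent's own code). At each node the agent asks which
port(s) are receiving the attack class above a threshold, crosses the link on
each such port to the neighbouring node, and repeats. Branches are followed
with a breadth-first queue so every path from the victim to an originator or
gateway is recorded.
"""
from collections import deque

# Constructed topology: node -> {port name: node at the far end of that link}
LINKS = {
    "srv":    {"eth0": "r1"},
    "r1":     {"p1": "srv", "p2": "r2", "p3": "r3"},
    "r2":     {"p1": "r1", "p2": "host_a", "p3": "gw1"},
    "r3":     {"p1": "r1", "p2": "host_b"},
    "gw1":    {"p1": "r2"},
    "host_a": {"eth0": "r2"},
    "host_b": {"eth0": "r3"},
}

# Constructed per-port inbound counters: node -> port -> {traffic class: pkts/s}
# Small numbers on p1 ports model normal return traffic flowing back downstream.
INBOUND = {
    "srv":    {"eth0": {"syn_flood": 5000, "http": 40}},
    "r1":     {"p1": {"syn_flood": 20}, "p2": {"syn_flood": 3500}, "p3": {"syn_flood": 1500}},
    "r2":     {"p1": {"syn_flood": 10}, "p2": {"syn_flood": 2000}, "p3": {"syn_flood": 1500}},
    "r3":     {"p1": {"syn_flood": 10}, "p2": {"syn_flood": 1500}},
    "gw1":    {"p1": {"syn_flood": 5}},
    "host_a": {"eth0": {"syn_flood": 5}},
    "host_b": {"eth0": {}},
}

# Gateways mark the edge of the managed network; the agent cannot cross them,
# so a gateway admitting the flood is itself reported as a source.
GATEWAYS = {"gw1"}


def ingress_ports(node, traffic_class, threshold):
    """Ports on `node` currently receiving `traffic_class` at >= threshold pkts/s."""
    return [port for port, counts in INBOUND.get(node, {}).items()
            if counts.get(traffic_class, 0) >= threshold]


def trace_back(victim, traffic_class, threshold=1000, max_hops=32):
    """Follow the attack class upstream from `victim`.

    Returns (sources, paths): the set of nodes identified as originators or
    admitting gateways, and the list of node paths from the victim to each.
    """
    sources = set()
    paths = []
    queue = deque([[victim]])
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node in GATEWAYS or len(path) > max_hops:
            sources.add(node)
            paths.append(path)
            continue
        ports = ingress_ports(node, traffic_class, threshold)
        if not ports:
            # Nothing of this class is arriving here: this node originates it.
            sources.add(node)
            paths.append(path)
            continue
        for port in ports:
            upstream = LINKS[node][port]
            if upstream in path:
                continue  # guard against routing loops
            queue.append(path + [upstream])
    return sources, paths


if __name__ == "__main__":
    found, routes = trace_back("srv", "syn_flood")
    print("sources:", sorted(found))
    for route in routes:
        print(" -> ".join(route))
```

Because the decision at each hop rests on which physical port the traffic arrives on rather than on the packets' source addresses, a spoofed source IP in the flood does not mislead the traversal; the counters only need to distinguish the traffic class. In the constructed data the agent reports two internal hosts and one gateway, which is the situation described above where a network has several gateways and it is not obvious which one admits the flood.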