1. Field of the Invention
The invention generally relates to information processing systems and more specifically to a mechanism for protecting a server computer system or a server in a server farm from denial of service attacks.
2. Description of the Background Art
Applicant's commonly-owned co-pending U.S. patent application Ser. No. 09/650,524 entitled “Method for Protecting Web Servers Against Various Forms of Denial-of-Service Attacks” is incorporated by reference herein in its entirety.
A denial of service attack (DOSA) is an assault on a network site that overwhelms the network with so many requests for service that regular traffic is either slowed or completely interrupted. DOSAs against well-known web sites, such as the FBI's site, have become a problem in recent years. Moreover, as the threat of terrorism becomes more acute, countermeasures against denial of service attacks present a daunting challenge to operators of web sites. These attacks can take several forms such as attacks based on ICMP (Internet Control Message Protocol) packets, UDP (user datagram protocol) packets, and TCP (transmission control protocol) packets. Many types of DOSAs and related terms are described below.
Also described below are some known countermeasures to shield servers and/or server farms against a DOSA. Unfortunately, the methods used today are DOSA-type specific and some of them can actually contribute to slowing down the server by expending too much of the server's time and resources in verifying connections. A method is needed which can handle various forms of DOSAs without tying up memory or processor time.
Definition of Terms
ACK
Acknowledgment of receipt of transmission, used in communications networks.
AES
Advanced Encryption Standard. A state-of-the-art encryption standard that is being developed by NIST. It is expected to replace DES. See “Computer Desktop Encyclopedia,” 9th Edition, McGraw-Hill 2001 by Alan Freedman (hereafter “Freedman”).
CAM
Content Addressable Memory (CAM). Also known as “associative storage,” content addressable memory differs from RAM in the way values in memory are returned. A standard RAM returns the value stored at a particular address. A CAM returns a value based upon the contents of memory. CAMs can provide a performance advantage over RAMs since they can compare a desired value against an entire set of stored values simultaneously and return the address where the value is stored in a single clock cycle.
Denial of Service Attacks
A set of one or more packets that is sent to a web site or other site on the Internet for the purpose of “bogging down” or disabling the site. Denial of service attacks against the FBI web site and Yahoo and eBay have been in the news in recent years.
DES
Data Encryption Standard. A NIST-standard secret key cryptography method that uses a 56-bit key. DES is based on an IBM algorithm which was further developed by the U.S. National Security Agency. It uses the block cipher method which breaks the text into 64-bit blocks before encrypting them. There are several DES encryption modes. The most popular mode exclusive ORs each plaintext block with the previous encrypted block. DES decryption is very fast and widely used. The secret key may be used in more than one session. Or, a key can be randomly generated for each session, in which case the new key is transmitted to the recipient using a public key cryptography method such as RSA. See Freedman.
Firewall
A firewall is an information processing system that sits between the Internet and a server or between the Internet and an enterprise network to protect the server or the enterprise network from various forms of Internet-borne attacks.
Leaky Bucket
A mechanism used in certain networks to limit the influx of bursty traffic (data that arrives in spurts). The input traffic is temporarily stored in a buffer (the “bucket”) and then is output (“leaks”) at a steady rate. If the input rate exceeds the programmed rate for a certain amount of time, the buffer overflows and traffic is discarded.
NIST
National Institute of Standards & Technology, Washington, D.C. The standards-defining agency of the U.S. government, formerly the National Bureau of Standards. See Freedman.
Ping Attacks
This is an attack in which the attacker attempts to “bog down” a site by sending it a stream of “ping” packets. A ping is an ICMP echo request packet. A network node is supposed to respond to an ICMP echo request with an ICMP echo response. A ping is normally used to determine if a host is up and if the path to and back from the host is working. But if an attacker sends large numbers of pings very rapidly, the host can get bogged down responding to pings, making it difficult for the host to provide service to legitimate users.
Random Early Drop
Random Early Drop is a defense against a TCP SYN (or SYN Flood) attack. When a new TCP SYN packet comes along, the TCP implementation in a server determines whether any free TCP control blocks are available. If so, the server allocates one to the new “partially established” connection. If not, it reuses a TCP control block from an existing “partially established” TCP connection. “Real” TCP connections will not normally stay in the “partially established” state for very long, because the third packet in the 3-way handshake normally arrives “shortly” after the second packet is sent. The re-use of a “partially established” connection's control block therefore usually does not impact legitimate traffic, but it does reclaim control blocks so that they can be used for legitimate TCP connections.
Rate Limiting
Rate limiting is a useful defense against some DOSAs. A mechanism in front of the server (or server farm) can protect the server/server farm from attacks that are not TCP-based by limiting the rate at which non-TCP packets are allowed into the server/server farm. Rate limiting can minimize the impact of attacks that are not TCP-based, and since there is no reason that a typical web server should be receiving large volumes of non-TCP traffic, the rate limiting of non-TCP traffic does not affect any “real” traffic. (Note that it may be useful to allow some ICMP packets into a server farm, for example to diagnose network problems; but there is no reason why a web server farm should be subjected to ICMP packets at a rate of 10 gigabits/second, for example.) This rate limiting can be done using what is known in the networking industry as a “leaky bucket.” But rate limiting of TCP packets cannot be used as a defense against TCP-based attacks, because the “real” traffic to a server farm (e.g. web traffic or mail traffic) is TCP-based, and thus such rate limiting would limit the flow of the “real” traffic as well as the “attack” traffic.
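The leaky bucket and the non-TCP rate-limiting rule described above, as an added worked example (not code from the patent): non-TCP packets must fit through a bucket of fixed depth that drains at a fixed rate, while TCP is passed untouched. The trace, bucket size and leak rate are constructed values chosen for illustration.

```python
from dataclasses import dataclass


@dataclass
class LeakyBucket:
    """A bucket of `capacity` bytes that leaks `rate` bytes per millisecond.

    Traffic that fits in the bucket is admitted; traffic that would overflow
    it is discarded, as the Leaky Bucket definition above describes.
    Integer millisecond timestamps keep the arithmetic exact.
    """
    rate: int          # leak rate, bytes per millisecond
    capacity: int      # bucket depth, bytes
    level: int = 0     # bytes currently in the bucket
    last_ms: int = 0   # arrival time of the previous packet

    def admit(self, size, now_ms):
        # Drain what has leaked since the previous packet, then check
        # whether this packet still fits.
        self.level = max(0, self.level - (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.level + size > self.capacity:
            return False               # bucket would overflow: discard
        self.level += size
        return True


def filter_packets(packets, bucket):
    """Apply the rule from the text: TCP is never rate limited, because the
    "real" traffic is TCP; every other protocol has to pass the bucket."""
    admitted, dropped = [], []
    for proto, size, ts_ms in packets:
        if proto == "TCP" or bucket.admit(size, ts_ms):
            admitted.append((proto, size, ts_ms))
        else:
            dropped.append((proto, size, ts_ms))
    return admitted, dropped


# Constructed trace: 100 ICMP echo requests of 1500 bytes arriving 1 ms apart
# (a ping flood), one legitimate TCP segment in the middle of the burst, and
# one UDP packet arriving well after the burst has drained.
SAMPLE_TRACE = sorted(
    [("ICMP", 1500, ms) for ms in range(100)]
    + [("TCP", 500, 50), ("UDP", 200, 5000)],
    key=lambda p: p[2])
```

With a 10,000-byte bucket leaking 100 bytes/ms, the burst fills the bucket after seven packets and only one further ICMP packet is admitted every 15 ms, while the TCP segment and the later UDP packet pass.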
Rijndael Algorithm
Rijndael is a block cipher, designed by Joan Daemen and Vincent Rijmen as a candidate algorithm for the AES. The cipher has a variable block length and key length. Keys with a length of 128, 192, or 256 bits to encrypt blocks with a length of 128, 192 or 256 bits (all nine combinations of key length and block length are possible) can be generated. Both block length and key length can be extended very easily to multiples of 32 bits. Rijndael can be implemented very efficiently on a wide range of processors or in special-purpose hardware. The Rijndael algorithm was selected by NIST as the base for AES.
Smurf Attacks
This is an attack in which the attacker sends “broadcast” ping packets to a large group of machines with a forged source address such that the source address in the packet is that of the “target” node, i.e., the machine that the attacker wants to disable. When the broadcast ping is received by the presumably large number of machines, they each respond to the ping by sending an echo reply to the address that was in the source address field in the broadcast ping packet. Since the source address is that of the target, the target gets swamped with large numbers of echo replies. The target throws these away but the load on the target and the load on the link connecting the target to the network is large and this load can bog down both the node and the link.
Spoofing
Faking the source address of a transmission.
SYN
A synchronization packet used in establishing a TCP connection.
SYN cookies (also known as TCP SYN cookies or TCP cookies)
A TCP SYN cookie is a mechanism for dealing with a SYN flood.
A TCP SYN flood (see SYN flood below) was generally considered to be an insoluble problem. See, for example, “Practical UNIX and Internet Security,” by Garfinkel and Spafford, page 778:
“The recipient will be left with multiple half-open connections that are occupying limited resources. Usually, these connection requests have forged source addresses that specify nonexistent or unreachable hosts that cannot be contacted. Thus, there is also no way to trace the connections back. . . . There is little you can do in these situations . . . any finite limit can be exceeded.”
SYN cookies solve this problem using cryptographic techniques. A SYN cookie is a particular choice of an initial TCP sequence number by a TCP server that can be sent in a SYN-ACK. The particular choice of sequence number allows the server to (1) participate in the 3-way handshake without tying up any memory on the server, and (2) do this in such a way that an attacker cannot fake a legitimate third packet in the 3-way handshake. The sequence number can be a combination of the target server's IP address and port number and the source client's IP address and port number. The Rijndael algorithm can be employed to generate a hard-to-guess value so that an attacker cannot fake a third packet in the 3-way handshake.
SYN Flood (Also Known as a TCP SYN Flood)
A TCP SYN flood attack works as follows. The attacker sends a large number of TCP SYNs to the target. The attacker typically uses fake source addresses in these packets so that these packets cannot be easily traced back to the attacker. The attacker also typically uses a different source address in each packet to make it hard for the target to know that it is the subject of a TCP SYN attack. Each time a SYN is received, the target responds with the second packet in the 3-way handshake. It also allocates some “resources,” such as a TCP control block that will be used to keep track of what's going on in the TCP connection. If enough TCP SYNs come in, lots of resources get tied up. Those resources are not freed for some time because the target is expecting the third packet in the 3-way handshake but the third packet never arrives. The targets may eventually time-out these partial connections and free these resources but if enough resources get tied up, the target runs out of resources and is not able to respond to legitimate traffic.
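The SYN cookie defense against the SYN flood just described, as an added worked example (not code from the patent): the server derives its SYN-ACK sequence number from the connection's addresses and ports with a keyed function, keeps no state, and later validates the third packet by recomputing that value from the packet itself. HMAC-SHA256 is used here as a stand-in for the Rijndael cipher the text names, the 64-second counter and the 8/24-bit split are design choices made for this example, and the secret key is a constructed value.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed secret for this example; a real server draws it at random on start-up.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def _cookie_mac(secret, src_ip, src_port, dst_ip, dst_port, count):
    """Keyed function over the connection 4-tuple plus a coarse time counter.

    HMAC-SHA256 stands in for the Rijndael (AES) block cipher named in the
    text; the property that matters is that an attacker who does not hold
    the key cannot compute the value. Only 24 bits are kept so that the
    8-bit counter fits in the remaining high byte of the sequence number.
    """
    msg = struct.pack("!4sH4sHB",
                      ipaddress.IPv4Address(src_ip).packed, src_port,
                      ipaddress.IPv4Address(dst_ip).packed, dst_port, count)
    return hmac.new(secret, msg, hashlib.sha256).digest()[:3]


def make_syn_cookie(secret, src_ip, src_port, dst_ip, dst_port, now):
    """Server's initial sequence number for the SYN-ACK. No state is stored."""
    count = (int(now) >> 6) & 0xFF                      # 64-second epoch
    mac = int.from_bytes(_cookie_mac(secret, src_ip, src_port,
                                     dst_ip, dst_port, count), "big")
    return (count << 24) | mac


def check_syn_cookie(secret, src_ip, src_port, dst_ip, dst_port, now, ack_number):
    """Validate the third packet of the handshake without any stored state.

    The client's ACK number must equal cookie + 1, and the cookie is recomputed
    from the packet's own 4-tuple, so an ACK forged for a connection the server
    never SYN-ACKed fails. The counter in the high byte must be the current
    epoch or the one before it, which bounds how long a captured cookie stays valid.
    """
    cookie = (ack_number - 1) & 0xFFFFFFFF
    count = cookie >> 24
    current = (int(now) >> 6) & 0xFF
    if count not in (current, (current - 1) & 0xFF):
        return False
    expected = _cookie_mac(secret, src_ip, src_port, dst_ip, dst_port, count)
    return hmac.compare_digest((cookie & 0xFFFFFF).to_bytes(3, "big"), expected)
```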
TCP
TCP is the Transmission Control Protocol. TCP is used to provide a “reliable” connection between 2 nodes in an internet. TCP uses sequence numbers, checksums, acknowledgements (or ACKs) and retransmissions of lost or garbled data to provide reliability. TCP is used by applications in which it is important to deliver bytes correctly, such as mail, web browsing, etc.
TCP ACK Flood
This is an attack in which the attacker sends a flood of TCP packets in which the ACK flag is set. The ACK flag is normally set to acknowledge the reception of ungarbled data but an attacker may set the ACK flag in a flood of packets in an attempt to make his packets appear to be part of an established and legitimate TCP connection so that the attack packets won't get filtered out by a firewall.
TCP Connection/Watching SYNs and FINs
A TCP connection has two “ends” where each is defined by an IP address and a TCP port number. A TCP connection is established in a 3-way handshake via an exchange of SYN and ACK packets and ended via a 3-way exchange of FIN (French for “end”) packets. If one keeps track of the SYN and FIN exchanges one can determine if a TCP packet is part of a legitimate TCP connection or if it is an attack packet from some attacker that ought to be discarded.
UDP
UDP is the User Datagram Protocol. The UDP doesn't provide sequence numbers, acknowledgements (ACKs), retransmissions or reliability. It is used by applications in which the “timeliness” of packet delivery is important and the retransmission of lost or garbled data is not important. IP telephony is an example in which the timeliness of packet delivery is important and the retransmission of lost or garbled packets is not useful.
UDP Flood
An attack in which the attacker sends large numbers of UDP packets. A UDP flood is similar to a ping attack.
Wire-speed
Wire speed is the ability to process packets as fast as they are received from the network.
3-way Handshake
A TCP connection is set up with a 3-way “handshake” that works as follows. The initiator sends a SYN packet that includes some “synchronizing” information. The server responds with a SYN packet that includes some synchronizing information of its own. The server's SYN packet also acknowledges (ACKs) the synchronizing information that was received from the initiator. The initiator ACKs the information in the server's SYN packet.
5-tuple
The 5 items of information that are found in a TCP packet that uniquely identify a particular TCP connection: the destination IP address, the source IP address, the protocol field that indicates that the IP packet includes a TCP segment, the TCP destination port and the TCP source port. Since the protocol field (which indicates TCP) does not necessarily need to be stored in a table of TCP connections, a table of TCP connections might store only the other 4 items (4-tuples).
There are many forms of denial of services attacks and there is a need for a countermeasure against DOSAs that overcomes the shortcomings of the prior art.