The present application relates to a router chip and a method of selectively blocking network traffic in a router chip.
In today's internet communication networks, data are transmitted in data packets according to a specific networking protocol, such as the internet protocol (IP) known as IPv4 (Internet Protocol version 4) and IPv6 (Internet Protocol version 6) and the transmission control protocol (TCP). Both IPv4 and IPv6 correspond to a multi-layer networking protocol, which according to the OSI model comprises four layers. Transmission of the data packets occurs via so-called “router” apparatuses, which have a plurality of network connections and forward a data packet received on one of the network connections to another network connection or to a plurality of network connections. This is accomplished on the basis of address information contained in the data packet and on the basis of routing information stored in a routing table of the router apparatus. For implementing these functions, a router apparatus is typically provided with a plurality of network interface circuits for receiving and transmitting data packets and a central processing unit (CPU) for performing the necessary processing of the data packets. The routing table and other processing data are stored in a memory of the router apparatus.
For implementing a router apparatus of the above-mentioned type, it is known to use router chips of the SOC type, in which at least the network interface circuits and the central processing unit are implemented on a single semiconductor chip. In these router chips, the embedded central processing unit has a computation power which is adapted to the necessary processing for routing the data packets.
In the above-mentioned internet communication networks, so-called Denial of Service attacks (DoS attacks) may occur, i.e. attacks using a large number of manipulated data packets (e.g. sent by a hacker) that cost the receiving host computation power to handle. A DoS attack can destroy the programming and the files in a computer system. Although a DoS attack is a type of security breach in a computer system that usually does not result in the theft of information or other security losses, DoS attacks can cost the target person or company time and money.
In the following, some common types of DoS attacks will be described.
A type of DoS attack in which a large number of TCP SYN packets (a TCP SYN packet is the first packet in a TCP/IP connection) are sent to a target, is referred to as a “SYN flood”. Usually, a source IP address of the data packets is spoofed. According to the three-way handshake of the TCP/IP networking protocol, the target system replies with the corresponding ACK packets and waits for the final packet of the TCP/IP three-way handshake. If the source IP address of the initial TCP SYN packet was spoofed, the target will never receive the final packet, leaving it to hold TCP/IP sessions open until they time out. A SYN flood causes so many open TCP/IP sessions that the target system cannot handle any more network traffic.
A type of DoS attack in which an attacker sends large quantities of so-called ICMP echo (ping) requests to an IP broadcast destination address with a spoofed source address is referred to as a “Smurf attack”. Most network hosts will respond with an echo reply causing a massive traffic jam.
An attack which involves sending very large ping packets to a victim system is referred to as a “Ping-of-Death” attack. When receiving a Ping-of-Death, the victim system will crash or hang because there is not enough memory to process the packet.
If an attacker puts a confusing offset value in the second or a later fragment of an IP data packet, this is referred to as a “Teardrop attack”. Due to the offset, the receiving system may crash.
If an attacker utilizes a spoofed data packet in which the SYN bit is set and the source/destination addresses match those of the target system, this is referred to as a “Land attack”.
If a range of IP addresses is scanned so as to show which IP addresses are in use and which ones are not, this is referred to as a “Ping Sweep”.
If an attacker sends messages to a target system with an IP address indicating that the message is coming from a trusted host, this is referred to as “IP spoofing”.
A further type of DoS attack involves sending IP data packets with zero length and may be referred to as a “Zero-Length attack”. That is to say, the length of the header in the data packet equals the total length of the data packet. If, in such a data packet, the bit of the first fragment indicating whether the data packet comprises more fragments is manipulated and decoy packets are appended, the target system can be caused to assemble malicious packets.
A DoS attack which causes vulnerable systems to continuously bounce data packets and thereby tie up the CPU and network resources is referred to as a “Snork attack”.
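The attack patterns described above can largely be recognised from IP and TCP/ICMP header fields alone, which is what makes them candidates for filtering in a router before the packets reach the embedded CPU. The following classifier is an added example written for this page, not code from the application or from any router chip vendor; the `Packet` summary, the `DosClassifier` class, the directed-broadcast address set and the SYN-flood threshold are all assumptions made for illustration, and the sample packets are constructed, not captured traffic. It flags Land (SYN with matching source and destination), Smurf (ICMP echo request to a broadcast address), Ping-of-Death (fragments that would reassemble beyond the IPv4 maximum), Teardrop (overlapping fragment offsets), Zero-Length (an empty first fragment that claims more fragments follow) and SYN floods (too many connection-opening SYNs to one destination inside a time window).

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Set, Tuple

MAX_IP_DATAGRAM = 65535  # largest reassembled IPv4 datagram (16-bit total-length field)


@dataclass
class Packet:
    """Constructed summary of one IPv4 packet: only the header fields the checks read."""
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    total_len: int                   # IPv4 total length (header + payload), bytes
    ihl_bytes: int = 20              # IPv4 header length, bytes
    ip_id: int = 0                   # identification field, shared by fragments of one datagram
    frag_offset: int = 0             # fragment offset in bytes (field value * 8)
    more_frags: bool = False         # MF flag
    tcp_flags: Set[str] = field(default_factory=set)
    icmp_type: Optional[int] = None  # 8 = echo request
    ts: float = 0.0                  # arrival time, seconds


class DosClassifier:
    """Header-based checks for the attack patterns described above (assumed design).

    broadcast_addrs: directed-broadcast addresses of the router's own subnets (assumed config).
    syn_threshold / syn_window: SYNs per destination inside the window that count as a flood.
    """

    def __init__(self, broadcast_addrs: Set[str], syn_threshold: int = 100, syn_window: float = 1.0):
        self.broadcast_addrs = broadcast_addrs
        self.syn_threshold = syn_threshold
        self.syn_window = syn_window
        self._syn_times: Dict[str, Deque[float]] = defaultdict(deque)       # per destination
        self._frags: Dict[Tuple[str, str, int], List[Tuple[int, int]]] = defaultdict(list)

    def classify(self, p: Packet) -> Optional[str]:
        """Return the name of the matched attack pattern, or None for unremarkable traffic."""
        payload_len = p.total_len - p.ihl_bytes

        # Land: a SYN whose source and destination address name the same host.
        if p.proto == "tcp" and "SYN" in p.tcp_flags and p.src == p.dst:
            return "land"

        # Smurf: ICMP echo request addressed to a broadcast address.
        if p.proto == "icmp" and p.icmp_type == 8 and p.dst in self.broadcast_addrs:
            return "smurf"

        # Zero-Length: first fragment with no payload (header length == total length) but MF set.
        if payload_len == 0 and p.frag_offset == 0 and p.more_frags:
            return "zero-length"

        # Ping-of-Death: a ping fragment that would reassemble beyond the IPv4 maximum size.
        if p.proto == "icmp" and p.frag_offset + payload_len > MAX_IP_DATAGRAM:
            return "ping-of-death"

        # Teardrop: a fragment whose byte range overlaps one already seen for the same datagram.
        if p.frag_offset > 0 or p.more_frags:
            key = (p.src, p.dst, p.ip_id)
            start, end = p.frag_offset, p.frag_offset + payload_len
            for s, e in self._frags[key]:
                if start < e and s < end:  # the two ranges intersect
                    return "teardrop"
            self._frags[key].append((start, end))

        # SYN flood: sliding-window count of connection-opening SYNs (SYN without ACK) per destination.
        if p.proto == "tcp" and "SYN" in p.tcp_flags and "ACK" not in p.tcp_flags:
            q = self._syn_times[p.dst]
            q.append(p.ts)
            while q and q[0] < p.ts - self.syn_window:
                q.popleft()
            if len(q) > self.syn_threshold:
                return "syn-flood"

        return None


def sample_traffic() -> List[Packet]:
    """Constructed packets (not captured traffic) that exercise each check once."""
    pkts = [
        Packet("10.0.0.5", "10.0.0.8", "tcp", 60, tcp_flags={"SYN"}),                     # ordinary SYN
        Packet("10.0.0.9", "10.0.0.9", "tcp", 60, tcp_flags={"SYN"}),                     # Land
        Packet("10.0.0.7", "10.0.0.255", "icmp", 84, icmp_type=8),                        # Smurf
        Packet("10.0.0.7", "10.0.0.9", "icmp", 1500, ip_id=7, frag_offset=65000),         # Ping-of-Death
        Packet("10.0.0.7", "10.0.0.9", "udp", 1500, ip_id=8, frag_offset=0, more_frags=True),   # 1st fragment
        Packet("10.0.0.7", "10.0.0.9", "udp", 1500, ip_id=8, frag_offset=1000),           # Teardrop overlap
        Packet("10.0.0.7", "10.0.0.9", "udp", 20, ip_id=9, frag_offset=0, more_frags=True),     # Zero-Length
    ]
    # 101 SYNs to one destination within half a second: exceeds the threshold of 100
    pkts += [Packet(f"10.0.1.{i % 250 + 1}", "10.0.0.9", "tcp", 60, tcp_flags={"SYN"}, ts=i * 0.005)
             for i in range(101)]
    return pkts


def run(packets: List[Packet], clf: Optional[DosClassifier] = None) -> List[Optional[str]]:
    """Classify every packet in order; the classifier keeps fragment and SYN state across packets."""
    clf = clf or DosClassifier(broadcast_addrs={"10.0.0.255"})
    return [clf.classify(p) for p in packets]


if __name__ == "__main__":
    pkts = sample_traffic()
    for p, verdict in zip(pkts, run(pkts)):
        if verdict:
            print(f"{verdict:14s} {p.src} -> {p.dst} proto={p.proto}")
```

Each verdict is a candidate for dropping the packet at the interface rather than forwarding it to the CPU; the only state kept is a per-datagram fragment map and a per-destination SYN timestamp queue, both bounded by the window and fragment timeouts a real implementation would add.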
Generally, all the above-mentioned types and other types of DoS attacks attempt to make a target system unavailable to its intended users. If multiple compromised systems flood the bandwidth or resources of a target system, this is referred to as a Distributed Denial of Service attack (DDoS attack).
In a router chip of the SOC type, the embedded CPU typically does not have the computation power to handle DoS or DDoS attacks. Therefore, a router apparatus using the router chip can easily become overwhelmed in a DoS or DDoS attack.