Networks are constantly exposed to security exploits that are of significant concern to network providers. For example, Denial of Service (“DoS”) attacks can cause significant damage to networks and networked devices. A DoS attack is defined as an action taken upon a computer network or system by an offensive external device that prevents any part of the network from functioning in accordance with its intended purpose. This attack may cause a loss of service to the users of the network and its network devices. For example, the loss of network services may be achieved by flooding the system so that it can no longer service legitimate requests. The flooding may consume all of the available bandwidth of the targeted network, or it may exhaust the computational resources of the targeted system.
A Distributed Denial of Service (“DDoS”) attack is a more aggressive action that involves multiple offensive devices performing an attack on a single target computer network or system. This attack may be performed in a coordinated manner by these multiple external devices to attack a specific resource of a service provider network. The targeted resource can be any networking device, such as a router, Internet server, electronic mail server, Domain Name System (“DNS”) server, etc. Examples of a DDoS attack include (but are not limited to): large quantities of raw traffic designed to overwhelm a resource or infrastructure; application-specific traffic designed to overwhelm a particular service; traffic formatted to disrupt a host from normal processing; traffic reflected and/or amplified through legitimate hosts; traffic originating from compromised sources or from spoofed IP addresses; and pulsed attacks (which repeatedly start and stop).
Attack mitigation using mitigation parameters can be applied to thwart network security threats, pre-emptively or in reaction to a detected attack. However, when mitigation parameters are overly aggressive, they can cause legitimate network traffic to be blocked. On the other hand, when such mitigation parameters are too lenient, portions of the network traffic that pose a security threat may pass through unmitigated, so that the threat reaches the network. Since network security threats vary with time, mitigation parameters that are appropriate when first applied can eventually become overly aggressive or too lenient.
Once one or more mitigation parameters are selected and applied, network security operators (NSOs) may be able to receive feedback on the actual application of the mitigation parameters. An NSO may not realize that adjustment of the mitigation parameters would be beneficial until the NSO notices that too much, too little, or valid network traffic is actually being dropped, by which time a risk of damage, or actual damage, has already been incurred. Even then, the NSO may rely on guesswork to adjust the mitigations to apply. After some time, e.g., a few minutes, the NSO realizes that either an insufficient amount of traffic is being blocked to restore services or too much traffic is being blocked, after which the NSO may again adjust the mitigation parameters; this cycle may be repeated until the NSO believes a proper balance has been reached.
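The following is an added illustration of the trade-off described in the two preceding paragraphs; it is not code from the disclosure. It assumes that the mitigation parameter is a per-source packet-rate limit, and it scores several candidate limits against a constructed traffic sample (documentation-range addresses, invented packet rates) in which each source carries a constructed ground-truth label, so that the collateral damage of an overly aggressive limit and the attack traffic admitted by a too-lenient one can be compared side by side before any limit is applied. In live operation such labels are not known in advance; a pre-attack baseline of known-good sources would stand in for them.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Flow:
    """One observed traffic source (constructed sample data, not a real capture)."""
    src: str
    pps: int        # packets per second seen from this source
    legit: bool     # constructed ground truth, used only to score the simulation


# Constructed sample: three legitimate clients (one of them busy) and three
# flooding sources. The addresses are documentation ranges, not real hosts.
SAMPLE: List[Flow] = [
    Flow("10.0.0.1", 40, True),
    Flow("10.0.0.2", 120, True),
    Flow("10.0.0.3", 800, True),
    Flow("198.51.100.7", 3000, False),
    Flow("198.51.100.8", 2500, False),
    Flow("198.51.100.9", 500, False),
]


@dataclass(frozen=True)
class Outcome:
    """What one per-source rate limit would do to the sample traffic."""
    threshold: int
    legit_total: int
    attack_total: int
    legit_dropped: int   # legitimate pps the limit would discard (overly aggressive)
    attack_passed: int   # attack pps the limit would admit (too lenient)

    @property
    def legit_drop_rate(self) -> float:
        return self.legit_dropped / self.legit_total if self.legit_total else 0.0

    @property
    def attack_pass_rate(self) -> float:
        return self.attack_passed / self.attack_total if self.attack_total else 0.0


def evaluate(threshold: int, flows: Iterable[Flow]) -> Outcome:
    """Score one candidate limit: packets above `threshold` pps per source are dropped."""
    legit_total = attack_total = legit_dropped = attack_passed = 0
    for f in flows:
        passed = min(f.pps, threshold)
        dropped = f.pps - passed
        if f.legit:
            legit_total += f.pps
            legit_dropped += dropped
        else:
            attack_total += f.pps
            attack_passed += passed
    return Outcome(threshold, legit_total, attack_total, legit_dropped, attack_passed)


def compare(thresholds: Iterable[int], flows: List[Flow]) -> List[Outcome]:
    """Evaluate every candidate limit so the alternatives can be viewed side by side."""
    return [evaluate(t, flows) for t in sorted(set(thresholds))]


def recommend(thresholds: Iterable[int], flows: List[Flow],
              max_legit_drop_rate: float) -> Optional[Outcome]:
    """Among limits whose collateral drop stays within budget, pick the one that
    admits the least attack traffic; None when no candidate meets the budget."""
    feasible = [o for o in compare(thresholds, flows)
                if o.legit_drop_rate <= max_legit_drop_rate]
    if not feasible:
        return None
    return min(feasible, key=lambda o: (o.attack_passed, o.legit_dropped))


if __name__ == "__main__":
    candidates = [100, 500, 1000, 5000]
    for o in compare(candidates, SAMPLE):
        print(f"limit {o.threshold:>5} pps: legit dropped {o.legit_drop_rate:6.1%}"
              f"  attack admitted {o.attack_pass_rate:6.1%}")
    best = recommend(candidates, SAMPLE, max_legit_drop_rate=0.05)
    print("recommended limit:", best.threshold if best else None)
```

The collateral-drop budget passed to `recommend` is the operator's choice; tightening it moves the recommendation toward more lenient limits, which is exactly the balance the paragraphs above describe an NSO reaching today by repeated adjustment.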
Such conventional methods and systems have generally been considered satisfactory for their intended purpose. However, there is still a need in the art for providing an NSO with readily available and understandable information, including before an attack is detected or during a detected attack (e.g., in real time), about the performance of alternative mitigation parameters relative to one another, so as to reduce or minimize the risk of damage and the guesswork involved in adjusting mitigation parameters. The present disclosure provides a solution for these problems.