1. Field of the Invention
The present invention relates to the field of networking. More specifically, the present invention relates to network management techniques associated with fending off undesirable network traffic.
2. Background Information
With advances in integrated circuit, microprocessor, networking and communication technologies, increasing numbers of devices, in particular, digital computing devices, are being networked together. Devices are often first coupled to a local area network, such as an Ethernet based office/home network. In turn, local area networks are interconnected together through wide area networks, such as ATM networks, Frame Relays, and the like. Of particular interest is the TCP/IP based global inter-networks, Internet.
As a result of this trend of increased connectivity, increasing numbers of applications that are network dependent are being deployed. Examples of these network dependent applications include but are not limited to, email, net-based telephony, world wide web and various types of e-commerce. For these applications, success inherently means a high volume of desirable network traffic for their implementing servers. To ensure continuing success, quality of service through orderly and efficient handling of the large volume of desirable network traffic has become of paramount importance. Various subject matters, such as scalability, distributive deployment and caching of contents as well as regulating network traffic destined for a network node, have become of great interest to the artesian.
Unfortunately, success also may mean attracting undesirable network traffic designed to disrupt or completely shut down the services offered by the implementing servers. To ensure continuing success, the ability to fend off undesirable network traffic, also known as fending off denial of service (DoS) attacks, has also become of great importance. Various subject matters, including detection and filtering of packets with spoof source addresses, have too become of great interest to the artesian.
However, to-date, there is no known effective approach to detecting and filtering out packets with spoof source addresses. What is particularly difficult about detecting and filtering out packets with spoof source addresses is the fact that often times spoof instances are intermixed with non-spoof instances. For example, source address 128.128.128.16 may be an authentic source address, but it is also one of the spoof addresses employed by a denial of service attacker. As a result, while” most likely an overwhelming majority of the packets with this source address are spoof instances, there could still be a significant number of packets with this source address that are non-spoof instances.
Prior art spoof address detection and filtering techniques basically fall into two categories, (a) ingress filtering and (b) traceback schemes. Ingress filtering consists of checking the validity of source addresses as they enter a network. But, the approach is effective only at stopping spoofed packets near their sources. Moreover, the technique requires the valid source address range to be succinctly described to the filtering routers. Traceback schemes have recently been proposed in the literature to trace floods of traffic backward across networks. Examples of these proposed techniques include an earlier technique jointly proposed by the inventors of the present application and others to identify the source of attack packets through reconstruction of the routing paths from packets with partial routing path information, and a special message based technique currently under investigation by the Internet Engineering Task Force (IETF).
The former technique calls for the probabilistic marking of packets with partial routing path information by the victim. It is assumed from a moderate size sample of packets with partial routing path information, the source of the attack may be inferred (and accordingly packets with spoofed addresses may be recognized). For further details, see Practical Network Support for IP Traceback by Savage et al., Dept. of Computer Science and Engineering, University of Washington, Seattle, Wash., Technical Report UW-CSE-00-02-01. The later technique calls for the support of a new type of routing path message by routers, which are to broadcast these new special routing path messages randomly. Presumably, from a collection of these randomly broadcast routing path messages, one would also be able to infer the source of attack (thus implicitly recognizing the source addresses of the attack packets as spoof addresses). For further details, see IETF Internet-Drafts—ICMP Traceback Messages by S. M. Bellovin, March 2000.