Malicious attacks, such as Denial-of-service (DoS) attacks, attempt to make computer resources unavailable to their intended users. For example, a DoS attack against a web server often causes the hosted web pages to be unavailable. DoS attacks can cause significant service disruptions when limited resources need to be allocated to the attackers instead of to legitimate users. The attacking machines typically inflict damage by sending a large number of Internet Protocol (IP) packets across the Internet, directed to the target victim of the attack. For example, a DoS attack can comprise attempts to “flood” a network, thereby preventing legitimate network traffic, or to disrupt a server by sending more requests than the server can handle, thereby preventing access to one or more services.
A number of techniques have been proposed or suggested for defending against such malicious attacks. For example, U.S. patent application Ser. No. 11/197,842, entitled “Method and Apparatus for Defending Against Denial of Service Attacks in IP Networks by Target Victim Self-Identification and Control,” and U.S. patent application Ser. No. 11/197,841, entitled “Method and Apparatus for Defending Against Denial of Service Attacks in IP Networks Based on Specified Source/Destination IP Address Pairs,” disclose techniques for detecting and denouncing DoS attacks.
Systems that defend against such malicious attacks typically employ a detector associated with the customer network and a central filter in the network of the service provider to protect the customer network against malicious attacks. Generally, the detector will detect a malicious attack against the customer network and will send one or more denunciation or notification messages to the central filter. For example, upon determining that a malicious attack is being perpetrated on the customer network, the detector may transmit one or more source/destination IP address pairs to the central filter, which causes the service provider to limit the transmission of IP packets whose source IP address and destination IP address match those of any of the transmitted source/destination IP address pairs, thereby limiting (or eliminating) the malicious attack. The detector is typically located close to the customer network.
The malicious attack, however, typically leads to such heavy packet loss that the control messages from the central filter to the detector are likely to be lost or long delayed. In addition, the detector is likely to be busy and under a heavy load during a malicious attack. Existing systems that defend against such malicious attacks typically employ Transport Layer Security (TLS), Secure Socket Layer (SSL), Secure Shell (SSH) or other Transmission Control Protocol (TCP)-based protocols, which require an acknowledgement, for sending control messages to the central filter. Such channels are typically sufficient, except during a malicious attack. During a malicious attack, the acknowledgement from the central filter may not be received by the detector, or may arrive at the detector at a time when the input buffers of the detector are overloaded. Generally, the detector cannot continue processing until all prior denunciation messages are properly acknowledged by the central filter.
A need therefore exists for methods and apparatus for reliably delivering control messages to the central filter during a malicious attack in one or more packet networks without requiring responses from the central filter to the detector.
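As an added illustration (not code from the application or its cited filings), the following Python sketch shows the central-filter side of the scheme described above: it installs denounced source/destination IP address pairs, applies them to packets, and treats a repeated denunciation as a harmless duplicate, which is the property that lets a detector resend control messages without waiting for an acknowledgement. The message layout, the `seq` field and the sample addresses are assumptions made for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Iterable, List, Set, Tuple

Pair = Tuple[str, str]  # denounced (source IP, destination IP)


def normalise_pair(src: str, dst: str) -> Pair:
    """Canonicalise both addresses so spellings like '2001:0db8::1' and '2001:db8::1' compare equal."""
    return (str(ip_address(src)), str(ip_address(dst)))


@dataclass(frozen=True)
class Denunciation:
    """One control message from a detector. `seq` is a hypothetical per-detector
    message number (not from the patent) used to recognise unacknowledged resends."""
    detector_id: str
    seq: int
    pairs: Tuple[Pair, ...]


@dataclass
class CentralFilter:
    blocked: Set[Pair] = field(default_factory=set)
    seen: Set[Tuple[str, int]] = field(default_factory=set)

    def apply(self, msg: Denunciation) -> int:
        """Install the denounced pairs and return how many are new.
        A duplicate message, or a pair already blocked, changes nothing,
        so the detector may retransmit freely without waiting for an ACK."""
        key = (msg.detector_id, msg.seq)
        if key in self.seen:
            return 0
        self.seen.add(key)
        before = len(self.blocked)
        self.blocked.update(normalise_pair(s, d) for s, d in msg.pairs)
        return len(self.blocked) - before

    def forward(self, packets: Iterable[Pair]) -> List[Pair]:
        """Keep only packets whose (src, dst) pair has not been denounced."""
        return [p for p in packets if normalise_pair(*p) not in self.blocked]


def demo() -> Tuple[int, int, int]:
    """Constructed sample: one denunciation delivered three times (no ACKs)."""
    f = CentralFilter()
    msg = Denunciation("det-A", 7, (("203.0.113.5", "198.51.100.10"),
                                    ("2001:0db8::1", "2001:db8::ffff")))
    added = [f.apply(msg) for _ in range(3)]  # first send installs 2, repeats 0
    traffic = [("203.0.113.5", "198.51.100.10"),  # attack traffic: dropped
               ("192.0.2.9", "198.51.100.10"),    # legitimate: kept
               ("2001:db8::1", "2001:db8::ffff")]  # attack, other spelling: dropped
    return added[0], sum(added[1:]), len(f.forward(traffic))
```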