Network infrastructures as well as customers of network service providers may be subject to any number of malicious attacks by hostile machines (attackers) designed to shutdown or damage network services. One common type of attack is a distributed denial of service (DDOS) or denial of service (DOS) attack. A DOS attack may encompass one of two common attack types. One type of a DOS attack involves an attacker sending a sufficiently large number of messages to a targeted IP address, such as a client of a network service provider. Another type of attack is more general in nature, and targets the core network of the network service provider, which, in turn, affects service to all clients of the service provider.
DOS attacks generally involve an attacker forging (spoofing) messages and sending the spoofed messages to a targeted destination. The targeted destination may be, for example, a router within the core network of the service provider or a customer of the service provider. With a sufficiently large number of spoofed messages, the targeted destination's services (e.g. phone and data services) may become clogged and rendered inoperable.
Many service providers offer to customers, in addition to network service, detection and mitigation service subscriptions to prevent interruptions in the customer's service due to malicious attacks. Detection services determine whether the subscribed customer or network core is experiencing a DOS attack. On the other hand, mitigation services separate good traffic from bad traffic and forwards the good traffic to the subscribed customers.
Detection service may be provided at the customer-end of the network, or in the core network of the service provider, such as at an incoming provider-edge (PE) router. Further, the detection service may be implemented as computer-readable medium or integrated as a part of the network architecture. At the customer-end of the network, detection service may employ an in-line tap and detector coupled to the service provider's network pathway. A tap may be, in one example, a passive splitter that siphons off a portion of the incoming traffic and directs the siphoned portion to a detector having a suitable bandwidth. The detector monitors the bandwidth usage of the service provider's network by the customer and, over time, determines if the bandwidth usage has increased beyond a certain threshold. This increased use may indicate a malicious attack is in progress. If the detector determines an attack is in progress, the traffic incoming to the customer is routed to a cleaning center. The cleaning center separates the bad traffic from the good traffic. The separation may be based upon information in the header portion of the incoming messages. The good traffic is then redirected to the customer, thus mitigating the malicious attack and minimizing downtime experienced by the customer due to the attack.
At the network core, detection service may employ monitoring tools for collecting information related to a trend in the bandwidth usage that extends beyond a certain threshold, which indicates a malicious attack. The monitoring tools may comprise a stand-alone hardware element incorporated into the network architecture or computer-readable medium installed on an existing hardware element. Once the threshold is met, the network service provider shuts down all network elements and pathways in the core network affected by the malicious attack. The shutdown prevents damage and other adverse consequences to components in the core network and related customer-end network elements. Once the monitoring tools determine the malicious attack has subsided, the service provider re-opens all network elements previously shutdown.
One deficiency of the aforementioned detection services on the customer-end is the cost and efficiency of providing detection services for each individual subscribing customer. Further, another deficiency of providing the aforementioned detection services on the front-end provider-edge of the core network is that an outage of network service to all customers occurs during the attack. Although a customer subscribes to detection and mitigation services offered by the network service provider, the service shutdown in response to the malicious attack may last about a few hours to a few days.
This background is provided as just that, background. The invention is defined by the claims below, and the listing of any problems or shortcomings of the prior art should not give rise to an inference that the invention is only to address these shortcomings.