In a network like the Internet, resources (e.g., pages of a website) may be requested by legitimate and malicious systems and persons alike. A distributed denial of service (DDOS) attack is an attempt to make resources of a network unavailable to legitimate users. A DDOS attack often involves multiple computers acting together to prevent a targeted website or service from functioning properly by having the group of computers repeatedly request network resources of the website or service. This group of multiple computers is often referred to as a bot or botnet. A result of these repeated requests can be that the website or service exhausts the resources it needs to serve content and has difficulty responding to legitimate requests; thus, the website or service is effectively unavailable to legitimate users.
Determining if a DDOS attack is underway can be an involved process. One approach involves analyzing network traffic using signature- or heuristic-based detection to determine if the perceived behavior coming from various addresses is malicious. Network traffic samples from various sources are analyzed to determine if there is a DDOS attack against a destination IP address. This process typically involves many sources of data and a high degree of human intervention and analysis.
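The traffic-analysis approach sketched above, as an added example that is not part of the patent text: a small heuristic detector in Python that takes sampled flow records from several observation points, groups them by destination IP address and time window, and flags a window when request volume is high, spread across many distinct sources, and far above that destination's recent baseline. The record layout, the thresholds and the sample traffic are all assumptions constructed for this illustration, not values from the document.

```python
"""Heuristic DDoS detection over sampled traffic records (added example).

Assumptions (not from the patent text): each sample is one observed
source->destination flow with a request count, and the thresholds below
are illustrative starting points, not tuned values.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class FlowSample:
    ts: float       # observation time in seconds
    src_ip: str
    dst_ip: str
    requests: int   # requests seen from src_ip to dst_ip in this sample


@dataclass(frozen=True)
class WindowVerdict:
    dst_ip: str
    window_start: float
    requests: int
    distinct_sources: int
    baseline: float     # median request volume of earlier benign windows
    suspected: bool


def aggregate_windows(samples, window=10.0):
    """Group samples by (destination, window start): total requests and distinct sources."""
    buckets = defaultdict(lambda: [0, set()])
    for s in samples:
        start = (s.ts // window) * window
        bucket = buckets[(s.dst_ip, start)]
        bucket[0] += s.requests
        bucket[1].add(s.src_ip)
    return buckets


def detect_ddos(samples, window=10.0, min_requests=300, min_sources=50, spike_factor=5.0):
    """Flag a destination's window when volume is absolutely high, comes from
    many distinct sources, and (once history exists) is a multiple of the
    destination's median volume in earlier windows. Suspected windows are
    excluded from the baseline so a sustained flood does not become 'normal'."""
    buckets = aggregate_windows(samples, window)
    history = defaultdict(list)   # dst_ip -> request totals of earlier benign windows
    verdicts = []
    for dst, start in sorted(buckets, key=lambda k: (k[1], k[0])):
        reqs, srcs = buckets[(dst, start)]
        prior = history[dst]
        baseline = median(prior) if prior else 0.0
        spiked = (not prior) or reqs >= spike_factor * baseline
        suspected = reqs >= min_requests and len(srcs) >= min_sources and spiked
        verdicts.append(WindowVerdict(dst, start, reqs, len(srcs), baseline, suspected))
        if not suspected:
            history[dst].append(reqs)
    return verdicts


def suspected_destinations(verdicts):
    """Destinations with at least one flagged window."""
    return sorted({v.dst_ip for v in verdicts if v.suspected})


def constructed_samples():
    """Constructed traffic using documentation address ranges: three quiet
    10 s windows against one host, then a window where 200 new sources
    each send 10 requests. A second host receives only light traffic."""
    target, quiet_host = "203.0.113.10", "203.0.113.20"
    samples = []
    for w in range(3):                       # 20 clients x 5 requests = 100 per window
        for i in range(20):
            samples.append(FlowSample(w * 10 + i * 0.4, f"198.51.100.{i + 1}", target, 5))
            samples.append(FlowSample(w * 10 + i * 0.4, f"198.51.100.{i + 1}", quiet_host, 1))
    for i in range(200):                     # attack window starting at t=30
        samples.append(FlowSample(30 + i * 0.05, f"192.0.2.{i + 1}", target, 10))
    return samples


if __name__ == "__main__":
    for v in detect_ddos(constructed_samples()):
        flag = "SUSPECTED" if v.suspected else "ok"
        print(f"{v.dst_ip} t={v.window_start:>5.0f} reqs={v.requests:>5} "
              f"sources={v.distinct_sources:>3} baseline={v.baseline:>6.1f} {flag}")
```

The three tests are deliberately combined: a volume threshold alone would flag a single busy legitimate client, a source-count threshold alone would flag a popular site, and the baseline comparison ties both to what is normal for that particular destination. In practice the thresholds would be derived per destination from historical data rather than fixed constants.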
Embodiments of the invention address these and other problems, individually and collectively.