In computer security, attempts to make a computer resource, for example a server, unavailable to its intended users are widely known. Such malicious communications, or attacks, are commonly named “denial-of-service attacks” (DoS attacks), or “distributed DoS” (DDoS) attacks, and they force servers to shut down or at least degrade their performance.
This can be achieved by flooding the victim of the attack with a large amount of fake traffic in order to consume the server resources. The attacker carries out the DoS attack in order to prevent the system from working normally, thereby blocking legitimate network traffic. Usually, an application server, such as a Web or SIP (Session Initiation Protocol) server, faces the public, insecure Internet; it is therefore a potential victim of DoS.
Generally, even in an intranet scenario, a server can be the target of a large volume of traffic, generated, for example, by viruses or misconfigured clients. In particular, a SIP server presents a large number of potential opportunities for DoS attacks, which telecommunication operators must recognize and address in order to ensure the continuity of their services.
Among the different types of DoS attacks, application-level attacks are generally very difficult to recognize.
In Next Generation Networks (NGNs), protocols such as SIP, HTTP and Web Services are used heavily. NGN applications, and most of the value-added services provided by telecommunication operators, are therefore exposed to application-level DoS.
These attacks may have severe consequences for the users, who are unable to obtain the services of interest, often leading to financial and productivity losses.
In recent years, several methods have been developed in order to protect individual servers or private sub-networks from DoS/DDoS attacks.
US 2001/0039623 discloses a detection system, method and apparatus that identifies and eradicates fraudulent requests on a network. Embodiments of the detection system comprise at least one router, a server and an activity monitoring system, which in turn comprises a router arbiter and a traffic analyzer, wherein the router arbiter monitors the activity on the router. The router arbiter continuously monitors the router and firewall device to determine whether abnormal activity or abnormal traffic patterns are emerging. If it determines that abnormal activity or abnormal traffic patterns exist, the activity monitoring system responds by blocking the activity or redirecting the traffic.
The traffic, legitimate or not, is thus all directed to a “black hole”, i.e., a computer that accepts network traffic but does not respond.
US patent application n. 2006/0050719 in the name of Riverhead Networks, Inc. describes a method for communicating which includes coupling a first port of a Layer-3 packet router to receive communication traffic from a network, the traffic including packets destined for a target address that is accessible via a second port of the router. At the router, the packets destined for the target address are diverted to a traffic processor via a third port of the router. The diverted packets are processed in the traffic processor, and the processed packets are returned to the router via the third port. At the router, the processed packets are conveyed from the third port to the second port for delivery to the target address.
This method requires the presence of several network elements and the processing of all traffic packets.
International patent application WO 2006/004556 in the name of the Agency for Science, Technology and Research discloses a method and a system for filtering data transmissions in a network for protection against malicious communications. The method comprises determining one or more apparent originating addresses sending communications to a first electronic address over a first path; instructing the determined apparent originating address to redirect future communications intended for the first electronic address to a second path; and filtering out communications sent from the determined apparent originating address to the first electronic address over the first path.
US patent application 2005/0044352 in the name of Riverhead Networks, Inc. describes a method for authenticating communication traffic, which includes receiving a first request, such as a DNS request, sent over a network from a source address, to provide network information regarding a given domain name. A response is sent to the source address in reply to the first request. When a second request is sent from the source address in reply to the response, the authenticity of the first request is assessed based on the second request.
In order to verify the legitimacy of the first request, a guard system returns a DNS response to the source address containing encoded information, referred to as a “cookie”. A legitimate client will submit a new DNS request which will itself contain the cookie. The guard system intercepts this request and checks that it contains the proper cookie. If so, the guard system recognizes the IP address of the client as legitimate and allows the client to access the DNS server.
A protocol that has been developed to support IP telephony is the Session Initiation Protocol (SIP). SIP is an ASCII-based, application-layer peer-to-peer protocol that can be used to establish, maintain, and terminate calls between two or more end points.
Many popular, large-scale services will be provided over SIP, placing a large amount of extra load on SIP application servers and networks.
US patent application n. 2003/0093462 relates to a method and apparatus for a distributed server tree, in which a main server identifies additional servers elsewhere and creates temporary source identifiers when the main server is under a large load, or when there are large numbers of users in a particular area or domain to which the server provides a service. The main server transfers or redirects some users to these additional servers, and is thus left with a much smaller number of users. These other servers, together with the main server, now form a distributed server tree that reduces the load on the main server and provides a more efficient service to the clients.
Therefore, according to the described solution, a plurality of interconnected servers is needed in order to cope with the traffic load.