A Denial of Service (DoS) attack is typically an attempt to make a network machine or network resource unavailable to its intended users. Generally speaking, a DoS attack attempts to overwhelm the capacity of a server in order to interrupt or suspend the functioning of the network resources associated with that server. Traditional methods for detecting DoS attacks are typically based on monitoring incoming traffic and flagging an attack when a large increase in traffic relative to the normal baseline is observed, especially when a large portion of that traffic originates from a single IP address. In this case, mitigating the DoS attack includes filtering out the traffic identified as malicious, for example by blocking the offending source address.
A DDoS attack is a more aggressive action in which multiple offensive devices attack a single target computer network or system. The attack may be performed in a coordinated manner by these multiple external devices against a specific resource of a service provider network. The targeted resource can be any networking device, such as a router, Internet server, electronic mail server, DNS server, etc. Examples of DDoS attacks include (but are not limited to): large quantities of raw traffic designed to overwhelm a resource or infrastructure; application-specific traffic designed to overwhelm a particular service; traffic formatted to disrupt a host's normal processing; traffic reflected and/or amplified through legitimate hosts; traffic originating from compromised sources or from spoofed IP addresses; and pulsed attacks (which repeatedly start and stop).
Further, DDoS attacks are typically categorized as: TCP Stack Flood Attacks (e.g., flooding a certain stage of the TCP connection process so that the host cannot respond to legitimate connections; the flood traffic may also be spoofed); Generic Flood Attacks (e.g., a flood of traffic for one or more protocols or ports, which may be designed to look like normal traffic and may also be spoofed); Fragmentation Attacks (e.g., a flood of TCP or UDP fragments sent to a victim to overwhelm its ability to reassemble data streams, thus severely reducing performance); Application Attacks (e.g., attacks designed to overwhelm components of specific applications); Connection Attacks (e.g., attacks that maintain a large number of either half-open TCP connections or fully open idle connections); and Vulnerability Exploit Attacks (e.g., attacks designed to exploit a vulnerability in the victim's operating system).
DDoS attacks are notoriously difficult to defend against because a multitude of compromised systems are used to carry out the attack. Typically, an attacker causes one compromised system (the DDoS "master") to identify and infect numerous other systems (DDoS "bots", collectively a "botnet"), which then launch the attack against a single target. As in many other types of DoS attacks, the attacker can forge the source address of the flood packets originating from the bots without reducing the effectiveness of the attack. Determining and tracking the true source of forged datagrams in destination-based routing systems is difficult, because the packet diagnostics required to trace the source consume processing capacity that is already at a premium. In addition, investment in anti-DDoS technology leads to service providers becoming locked in to costly, proprietary solutions. Such proprietary solutions also have a finite resource capacity (CPU capacity, bandwidth, etc.) for mitigating DDoS attacks. When an attack against a protected network reaches the upper limit of the available system resources, known attack mitigation solutions typically drop arbitrary network traffic without analysis. In other words, in this scenario "good" traffic is dropped along with the attack traffic, which allows the attack to succeed. As a result, service providers are unable to reliably and cost-effectively mitigate DDoS attacks.
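The following is an added example, not code from the original page, illustrating the traditional traffic-monitoring detection described above (a large increase in traffic, especially from a single source IP, followed by filtering of the identified source) and the caveat from the paragraph above that forged source addresses defeat per-source filtering. The flow records, baseline counts, per-window thresholds and all IP addresses are constructed for illustration; the mean-plus-k-sigma threshold and the 50% top-source share are assumptions, not values from the text.

```python
"""Rate-based DoS detection over constructed flow records (added example)."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Iterable


@dataclass(frozen=True)
class Flow:
    src: str   # source IP as seen on the wire (may be forged)
    dst: str   # protected server
    pkts: int  # packets from src to dst during the monitoring window


@dataclass(frozen=True)
class Verdict:
    total_pkts: int
    threshold: float
    volume_alert: bool         # aggregate traffic far above the baseline
    distinct_sources: int
    top_src: str
    top_share: float           # fraction of window traffic from top_src
    single_source_alert: bool  # volume alert AND one source dominates


def volume_threshold(history: Iterable[int], k: float = 3.0) -> float:
    """Turn historical per-window packet counts into an alert threshold
    (mean + k * sigma; k=3 is an assumed, not a prescribed, value)."""
    counts = list(history)
    return mean(counts) + k * pstdev(counts)


def analyze_window(flows: list[Flow], threshold: float,
                   top_share: float = 0.5) -> Verdict:
    """The classic check from the text: flag a large increase in traffic,
    and additionally flag when most of that traffic comes from one IP."""
    total = sum(f.pkts for f in flows)
    per_src: Counter[str] = Counter()
    for f in flows:
        per_src[f.src] += f.pkts
    top_src, top_pkts = per_src.most_common(1)[0]
    share = top_pkts / total if total else 0.0
    volume_alert = total > threshold
    return Verdict(total, threshold, volume_alert, len(per_src), top_src,
                   share, volume_alert and share >= top_share)


def blocklist_for(verdict: Verdict) -> set[str]:
    """Mitigation from the text: filter the source identified as malicious.
    There is nothing to filter unless a single source actually dominates."""
    return {verdict.top_src} if verdict.single_source_alert else set()


def apply_blocklist(flows: list[Flow], blocklist: set[str]) -> list[Flow]:
    return [f for f in flows if f.src not in blocklist]


# --- constructed sample traffic (hypothetical documentation-range addresses) ---
SERVER = "192.0.2.10"
BASELINE_HISTORY = [980, 1020, 1050, 1010, 995, 1040, 1000, 1030]


def legit_flows() -> list[Flow]:
    # 50 clients at 21 packets each = 1050 packets, consistent with the baseline
    return [Flow(f"198.51.100.{i}", SERVER, 21) for i in range(1, 51)]


def single_source_flood() -> list[Flow]:
    # one attacker address sends 20000 packets on top of normal traffic
    return legit_flows() + [Flow("203.0.113.7", SERVER, 20000)]


def spoofed_flood() -> list[Flow]:
    # the same 20000 packets spread over 4000 forged source addresses at
    # 5 packets each: no single address stands out, so per-source filtering
    # has nothing to act on even though the volume alert still fires
    spoofed = [Flow(f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}", SERVER, 5)
               for i in range(4000)]
    return legit_flows() + spoofed


if __name__ == "__main__":
    thr = volume_threshold(BASELINE_HISTORY)
    for name, flows in [("normal", legit_flows()),
                        ("single-source flood", single_source_flood()),
                        ("spoofed flood", spoofed_flood())]:
        v = analyze_window(flows, thr)
        kept = apply_blocklist(flows, blocklist_for(v))
        print(f"{name:20s} total={v.total_pkts:6d} volume_alert={v.volume_alert} "
              f"sources={v.distinct_sources:5d} top_share={v.top_share:.3f} "
              f"single_source_alert={v.single_source_alert} "
              f"pkts_after_filter={sum(f.pkts for f in kept)}")
```

Running the block shows the three cases side by side: the normal window stays under the threshold; the single-source flood trips both checks and the blocklist removes all 20000 attack packets; the spoofed flood trips the volume check but leaves no dominant source to filter, which is exactly the situation in which a capacity-limited mitigator ends up dropping traffic without analysis.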