1. Field of the Invention
The present invention relates generally to network communications, and in particular, to a system and method for server protection against network attacks from malicious clients.
2. Description of the Related Art
One of the major obstacles to Internet usage for business purposes is the targeting of web servers by malicious clients. Such clients are able to compromise the server by making unauthorized requests to servers via a network such as the Internet. Such requests may compromise site security and site operation efficiency.
In the case of unauthorized client requests or responses to a server, the server should preferably be enabled to identify and reject these requests. However, many security holes and weaknesses in typical server architectures, protocols and applications prevent the effective processing of these malicious requests.
One of the popular safeguards for preventing network attacks is a firewall. Firewalls are an important part of typical modern communication networks, in that they protect the resources of inner networks during communications with systems located in external networks. Firewalls can defend the inner network from many types of attacks.
An Application Level Gateway (ALG) represents a specific kind of firewall. An ALG operates at the application layer to process traffic through the firewall and can review not only the message traffic, but also message content.
One typical server attack occurs as follows: the server sends to a client, by HTTP protocol, an HTML page with fields for input, such as checkboxes, radio buttons etc. A malicious client will respond to the server with alternative information (e.g. sending an option that was not listed as one of the acceptable choices in the radio button, or by modifying a hidden field value). This information can disrupt normal server operation.
Few defense methods are known to deal with the above type of attack. One such method is described in U.S. Pat. No. 6,311,278, which is fully incorporated herein by reference. According to the '278 patent, the gateway (filter module) is positioned between the server and client. The gateway parses the server messages to identify commands, fields etc. The resulting data represents the set of allowable or authorized user actions and is stored in a protocol database.
When the gateway receives a request from the client, it queries the protocol database to determine whether the client request is permitted. The gateway eliminates any prohibited actions requested by the client to the server (i.e., actions not stored in the protocol database), and allows the remaining, allowable request to the server.
However, information in such a protocol database is not linked to the definite HTML pages that are sent from a server to a client. Moreover, a client response allowed for one HTML page may be prohibited for another HTML page. For example, in the case where there are 10 allowable choices for a radio button on a first HTML page, there may be only 5 choices on a second, similar HTML page. In addition, the 5 choices for the radio button on the second HTML page may be the same as 5 of the 10 allowable choices on the first page. Since these pages are similar in content, such a protocol database may not detect the difference in allowable choices, leading to incorrect verification of client responses to such pages. It is clear that this method poses limitations.
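The following is an added illustration, not part of the patent text and not the '278 gateway itself: a minimal allow-list gateway that parses each HTML form the server sends, records which field values a browser could legitimately submit, and checks the client's subsequent request against that record. Unlike the protocol database criticised above, the record is keyed to the specific page served, so two similar pages with different radio-button option sets are verified independently. The page identifiers, form contents and client submissions are constructed sample data.

```python
"""Per-page allow-list check for HTML form submissions (added example, not the patent's code).

Assumptions: the gateway sees every server response and every client request, it can
associate a client request with the page previously served (here via a page_id the
caller supplies), and form bodies are application/x-www-form-urlencoded.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs


class FormAllowListParser(HTMLParser):
    """Collect, per form field, the set of values a browser could legitimately submit."""

    def __init__(self):
        super().__init__()
        self.fields = {}            # field name -> set of allowed values, or None for free text
        self._select = None         # name of the <select> currently open
        self._pending_option = False  # <option> without a value attribute: use its text

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input":
            name, itype = a.get("name"), a.get("type", "text").lower()
            if not name:
                return
            if itype in ("radio", "checkbox", "hidden", "submit"):
                # Enumerated field: only the values present in the page are acceptable.
                if self.fields.get(name, set()) is not None:
                    self.fields.setdefault(name, set()).add(a.get("value", "on"))
            else:
                self.fields[name] = None   # free-text field: any value is acceptable
        elif tag == "select" and a.get("name"):
            self._select = a["name"]
            self.fields.setdefault(self._select, set())
        elif tag == "option" and self._select is not None:
            if "value" in a:
                self.fields[self._select].add(a["value"])
            else:
                self._pending_option = True

    def handle_data(self, data):
        if self._pending_option and self._select is not None:
            self.fields[self._select].add(data.strip())
            self._pending_option = False

    def handle_endtag(self, tag):
        if tag == "select":
            self._select = None


class Gateway:
    """Records an allow-list for every page served and checks client responses against it."""

    def __init__(self):
        self._pages = {}   # page_id -> {field name: allowed values or None}

    def on_server_response(self, page_id, html):
        parser = FormAllowListParser()
        parser.feed(html)
        self._pages[page_id] = parser.fields

    def check_client_request(self, page_id, body):
        """Return (accepted, rejected): accepted maps field -> values, rejected maps field -> reason."""
        allowed_fields = self._pages.get(page_id)
        if allowed_fields is None:
            return {}, {"*": "no record of a page served under this id"}
        accepted, rejected = {}, {}
        for name, values in parse_qs(body, keep_blank_values=True).items():
            if name not in allowed_fields:
                rejected[name] = "field not present on served page"
                continue
            permitted = allowed_fields[name]
            if permitted is None:
                accepted[name] = values            # free-text field
                continue
            extra = [v for v in values if v not in permitted]
            if extra:
                rejected[name] = "value(s) %r not offered on served page" % extra
            else:
                accepted[name] = values
        return accepted, rejected


# Constructed sample pages: page B is page A with one shipping option removed.
PAGE_A = """<form action="/order" method="post">
<input type="hidden" name="price" value="100">
<input type="radio" name="shipping" value="std"> Standard
<input type="radio" name="shipping" value="exp"> Express
<input type="radio" name="shipping" value="overnight"> Overnight
<select name="country"><option value="US">USA</option><option>Canada</option></select>
<input type="text" name="note">
<input type="submit" name="go" value="Order">
</form>"""
PAGE_B = PAGE_A.replace('<input type="radio" name="shipping" value="overnight"> Overnight\n', "")


def run_demo():
    """Serve both pages, then check a few constructed client submissions; returns the outcomes."""
    gw = Gateway()
    gw.on_server_response("A", PAGE_A)
    gw.on_server_response("B", PAGE_B)
    return {
        "ok_on_A": gw.check_client_request("A", "shipping=overnight&price=100&country=Canada"),
        "bad_on_B": gw.check_client_request("B", "shipping=overnight&price=100&note=hi"),
        "tampered_hidden": gw.check_client_request("A", "shipping=std&price=1"),
        "unknown_field": gw.check_client_request("A", "shipping=std&admin=1"),
    }


if __name__ == "__main__":
    for label, (accepted, rejected) in run_demo().items():
        print(label, "accepted:", accepted, "rejected:", rejected)
```

Because the allow-list is looked up by page identifier rather than by scanning one shared database, the check is a dictionary lookup per field, and the same submission is accepted for page A and rejected for page B even though the two forms differ in a single option.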
Furthermore, querying a large database can consume much time and many resources of a computer system, causing increased delays in communication between the server and client. Accordingly, the solution proposed in the '278 patent is not totally satisfactory.
Patent Application No. 01/31415 of WIPO (incorporated herein by reference) describes a method and system for verifying a client request. The method includes receiving a message including a set of actions or a program from a server, and simulating the execution of this client-side logic. As a result of this simulation, a list of allowable actions and allowable user input is defined. This list is then compared with the list of actual client actions and inputs. Only those actual client actions and inputs that are found on the list are considered to be authorized client requests, and are passed to the server.
The solution proposed by this method and system requires simulating the execution of client-side logic. This simulation produces processing delays and consumes considerable computer resources. Accordingly, the solution proposed in Patent Application 01/31415 is also not totally satisfactory.
There is thus a recognized need for, and it would be highly advantageous to have, an Application Level Gateway (ALG) that can accurately validate client responses to a server on a per message basis, and that does not require a costly simulation procedure.