A denial of service (DoS) attack is a well-known problem that can significantly disrupt the operation and performance of network resources. In a typical denial of service attack, a malicious user of the network sends a large number of message frames to a network device within a short period of time in order to “flood” the network with useless data traffic and thereby occupy the resources of the responding systems. In particular, servicing the large number of message frames usurps a significant amount of the responding system's processing resources and capabilities, thereby preventing the responding systems from servicing message frames from legitimate users for at least a finite period of time. Indeed, in some circumstances, denial of service attacks have been known to cause network devices to temporarily “crash” such that no message frames can be properly serviced, even those received from legitimate users, for a substantial period of time. Thus, denial of service attacks generally encompass various scenarios in which malicious users attempt to keep a responding system busy processing a large number of requests in order to prevent the responding system from serving legitimate users. For example, the characteristics of various known types of denial of service attacks are summarized below.
Smurf Flood Attack:
In a typical Smurf Flood Attack, malicious users send a large volume of Internet Control Message Protocol (ICMP) echo request (ping) traffic to a subnet broadcast address, with the source address spoofed to be the victim's address. Each host in that subnet that receives the ICMP echo request replies with an echo reply to the spoofed source address, i.e., to the victim. When that subnet has a large number of hosts that could potentially reply to each packet, the victim will quickly become overwhelmed with incoming traffic and likely lose network connectivity.
TCP SYN Flood Attack:
In a typical TCP SYN Flood Attack, malicious users take advantage of flaws in the Transmission Control Protocol (TCP) three-way handshake process. In particular, malicious users generally provide connection requests that include packets with unreachable source Internet Protocol (IP) addresses to a victim's server. The victim's server therefore cannot complete the connection requests with the unreachable source IP address and thereby wastes network resources. As such, a comparatively small number of illegitimate packets can occupy large amounts of memory, computational, and application resources, thereby shutting down the server.
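The SYN flood described above leaves the server holding half-open connections whose handshakes never complete. As an added example that is not part of the original text, the following Python detector tracks handshakes per (client, client port, server, server port) tuple, expires stale entries, and raises an alert when a single source or a whole service accumulates more half-open connections than a threshold. The TcpEvent record, the threshold values and the sample event stream are all constructed for the illustration; a real deployment would feed it decoded packets from a capture or a flow log.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class TcpEvent:
    """One client-side TCP control packet as seen at the server (constructed format)."""
    ts: float     # seconds since start of observation
    src: str      # client address
    sport: int    # client port
    dst: str      # server address
    dport: int    # server port
    flags: str    # "S" (SYN), "A" (handshake-completing ACK) or "R" (RST)


class HalfOpenTracker:
    """Track connections that received a SYN but never completed the handshake."""

    def __init__(self, per_source_limit=3, backlog_limit=10, timeout=30.0):
        self.per_source_limit = per_source_limit  # half-open connections one source may hold
        self.backlog_limit = backlog_limit        # half-open connections one service may hold
        self.timeout = timeout                    # seconds before a half-open entry is dropped
        self.half_open = {}                       # (src, sport, dst, dport) -> time of the SYN

    def _expire(self, now):
        # Entries that aged out are discarded so the counters reflect current pressure
        stale = [k for k, t in self.half_open.items() if now - t > self.timeout]
        for key in stale:
            del self.half_open[key]

    def observe(self, ev):
        self._expire(ev.ts)
        key = (ev.src, ev.sport, ev.dst, ev.dport)
        if ev.flags == "S":
            # Keep the time of the first SYN; retransmitted SYNs do not reset it
            self.half_open.setdefault(key, ev.ts)
        elif ev.flags in ("A", "R"):
            # The client answered the SYN-ACK (or reset the attempt): no longer half-open
            self.half_open.pop(key, None)

    def alerts(self):
        """Return (kind, subject, count) tuples for every threshold that is exceeded."""
        per_source = Counter()
        per_service = Counter()
        for src, _sport, dst, dport in self.half_open:
            per_source[src] += 1
            per_service[(dst, dport)] += 1
        out = []
        for src, n in per_source.items():
            if n > self.per_source_limit:
                out.append(("source", src, n))
        for (dst, dport), n in per_service.items():
            if n > self.backlog_limit:
                out.append(("service", f"{dst}:{dport}", n))
        return out


def detect(events, **thresholds):
    """Replay events in time order; return (half-open count, alerts)."""
    tracker = HalfOpenTracker(**thresholds)
    for ev in sorted(events, key=lambda e: e.ts):
        tracker.observe(ev)
    return len(tracker.half_open), tracker.alerts()


# Constructed sample stream: two legitimate clients complete their handshakes,
# twelve spoofed (unreachable) sources never answer the SYN-ACK, and one
# source opens four handshakes from different ports without finishing any.
SAMPLE_EVENTS = [
    TcpEvent(0.0, "10.0.0.5", 50000, "192.0.2.10", 443, "S"),
    TcpEvent(0.1, "10.0.0.5", 50000, "192.0.2.10", 443, "A"),
    TcpEvent(0.2, "10.0.0.6", 50001, "192.0.2.10", 443, "S"),
    TcpEvent(0.3, "10.0.0.6", 50001, "192.0.2.10", 443, "A"),
] + [
    TcpEvent(1.0 + i * 0.01, f"203.0.113.{i}", 1024, "192.0.2.10", 443, "S")
    for i in range(1, 13)
] + [
    TcpEvent(2.0 + p * 0.01, "198.51.100.7", 40000 + p, "192.0.2.10", 443, "S")
    for p in range(1, 5)
]

if __name__ == "__main__":
    count, found = detect(SAMPLE_EVENTS)
    print(f"{count} half-open connections; alerts: {found}")
```

The per-source threshold catches a single host that opens many handshakes, while the per-service threshold catches the spoofed-source case in the text, where every SYN comes from a different unreachable address and no single source looks suspicious on its own.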
UDP Flood Attack:
The User Datagram Protocol (UDP) is a connectionless protocol that typically requires no setup procedure to establish a connection before transferring data. Thus, in a typical UDP Flood Attack, malicious users send UDP packets to random ports on a victim's server. When a UDP packet is received, the victim's server looks for the application listening on the destination port. If no application is listening on that port, the victim's system generates an ICMP destination-unreachable packet addressed to the (forged) source address. If enough UDP packets are delivered to random ports on the victim's server, the server will typically crash.
Ping to Death Attack:
In a typical Ping to Death Attack, malicious users create IP packets that exceed the maximum allowable size for IP datagrams (i.e., 65,535 bytes). Such a packet is transmitted as a large number of small fragmented ICMP packets, and when those fragments are reassembled at the destination, the resulting datagram exceeds the maximum allowable size for IP datagrams, which can cause the victim's system to crash, hang, or reboot.
Chargen Attack:
The Chargen Attack has similar characteristics to the UDP Flood Attack, wherein malicious users send forged UDP echo packets to UDP port 19 (chargen) on an intermediary system. In response to receiving the packets on the chargen service port, the intermediary system generates a response that includes a character string and sends it to the victim's system. The victim's system then receives the packets on the echo service port and generates a response to the chargen service on the intermediary system that includes an echo of the character string. Once this loop begins, bandwidth between the victim's system and the intermediary system can quickly become exhausted.
Tiny Fragment Attack:
In a typical Tiny Fragment Attack, malicious users exploit characteristics of many IP implementations that permit an unusually small fragment size to be imposed on outgoing packets. Thus, the malicious users create small fragments to force information from a TCP header into subsequent fragments. For example, a first fragment may contain only eight data octets (i.e., the minimum fragment size), which is sufficient to contain the source port number and destination port number in TCP. However, the small amount of data in the first fragment forces the TCP flags field into a subsequent fragment, so filters that attempt to drop connection requests are unable to test the flags in the first fragment and consequently ignore the flags carried in the subsequent fragments. Although having a router enforce rules that govern a minimum size for the first fragment can prevent this type of attack (e.g., requiring the first fragment to be large enough to ensure that it contains all of the necessary header information), this approach may unnecessarily result in the router dropping small fragments that originate from legitimate sources.
Teardrop Attack:
In a typical Teardrop Attack, malicious users attempt to cause the victim's system to hang, crash, reboot, or otherwise fail in a similar manner as in a Ping to Death Attack. However, in the Teardrop Attack, malicious users employ UDP in order to exploit weaknesses in the IP reassembly process. In particular, the malicious users overlap offset fields in a manner that prevents proper reassembly for multiple fragments, which can cause the victim's system to crash, hang, reboot, or otherwise fail.
Land Attack:
In a typical Land Attack, malicious users simply send a forged packet whose source IP address is identical to its destination IP address. As a result, the identical source IP address and destination IP address can confuse the victim's system and cause the victim's system to crash, hang, reboot, or otherwise fail.
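The Smurf, Chargen and Land attacks above can each be recognised from a single packet's addresses and ports, which is why they are usually handled by stateless ingress rules. As an added example that is not part of the original text, the following Python function applies those three checks to decoded packets: a source address equal to the destination (Land), an ICMP echo request addressed to the directed broadcast address of a network the filter protects (Smurf), and UDP traffic between the echo (7) and chargen (19) service ports (Chargen loop). The Packet record, the protected network list and the sample packets are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Decoded packet fields the checks need (constructed format)."""
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1  # 8 is echo request; -1 when not ICMP


# UDP services that answer every datagram and can therefore be looped against each other
LOOPING_UDP_PORTS = {7, 19}  # echo and chargen


def broadcast_addresses(networks):
    """Directed broadcast address of every protected network (e.g. 192.0.2.255 for 192.0.2.0/24)."""
    return {ipaddress.ip_network(n).broadcast_address for n in networks}


def flag_packet(pkt, protected_networks):
    """Return the names of the checks this packet trips ([] when it passes all of them)."""
    findings = []
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    # Land: a packet claiming to come from the address it is sent to
    if src == dst:
        findings.append("land")

    # Smurf: an echo request aimed at a directed broadcast address, which every host
    # on that subnet would answer towards the (spoofed) source
    if pkt.proto == "icmp" and pkt.icmp_type == 8 and dst in broadcast_addresses(protected_networks):
        findings.append("smurf")

    # Chargen loop: echo and chargen talking to each other never terminates
    if pkt.proto == "udp" and pkt.sport in LOOPING_UDP_PORTS and pkt.dport in LOOPING_UDP_PORTS:
        findings.append("chargen-loop")

    return findings


def filter_packets(packets, protected_networks):
    """Return (packet, findings) for every packet that trips at least one check."""
    flagged = []
    for pkt in packets:
        findings = flag_packet(pkt, protected_networks)
        if findings:
            flagged.append((pkt, findings))
    return flagged


# Constructed sample: one ordinary web request followed by one instance of each pattern
PROTECTED = ["192.0.2.0/24"]
SAMPLE_PACKETS = [
    Packet("198.51.100.20", "192.0.2.10", "tcp", sport=51000, dport=443),
    Packet("192.0.2.10", "192.0.2.10", "tcp", sport=139, dport=139),
    Packet("203.0.113.5", "192.0.2.255", "icmp", icmp_type=8),
    Packet("203.0.113.9", "192.0.2.7", "udp", sport=7, dport=19),
]

if __name__ == "__main__":
    for pkt, findings in filter_packets(SAMPLE_PACKETS, PROTECTED):
        print(f"{pkt.src} -> {pkt.dst} {pkt.proto}: {', '.join(findings)}")
```

An echo request to the broadcast address is flagged regardless of its source, since the filter cannot tell a spoofed source from a real one; the point of the rule is that nothing legitimate needs an externally originated directed broadcast to be forwarded.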
WinNuke Attack:
In a typical WinNuke Attack, malicious users send out-of-band data to a particular port on a Windows machine that is known to cause the victim's system to crash.
Overlapping Fragment Attack:
The Overlapping Fragment Attack has similar characteristics to the Teardrop Attack in that malicious users employ overlapping fragments. However, rather than causing the victim's system to hang, crash, reboot, or otherwise fail, the Overlapping Fragment Attack employs overlapping fragments to bypass a victim's firewall and gain access to systems that the firewall would otherwise protect. In particular, malicious users overwrite part of the TCP header information in a first fragment, which contains data that is permitted to pass through the firewall, with malicious data then appearing in subsequent fragments. For example, one common technique includes overwriting the destination port number in the TCP header to change the service identified therein (e.g., overwriting port 80 identifying a Hypertext Transfer Protocol service with port 23 identifying a Telnet service, which would not be allowed to pass through the firewall under normal circumstances).
Unnamed Attack:
The Unnamed Attack employs similar characteristics to the Teardrop Attack in an attempt to cause a denial of service in the victim's host. However, rather than employing overlapping fragments, the Unnamed Attack instead assembles fragments in a particular manner that creates a gap between the fragments. Specifically, malicious users manipulate an offset value to ensure that parts of the fragments will be skipped, which tends to cause unreliable operating system behavior.
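Five of the attacks above (Ping to Death, Tiny Fragment, Teardrop, Overlapping Fragment and Unnamed) abuse IP fragmentation, and a reassembly-aware filter can reject all of them from the offset and length fields alone. As an added example that is not part of the original text, the following Python function inspects one datagram's fragment set and reports a first fragment too small to carry the TCP flags (Tiny Fragment), fragments whose ranges overlap (Teardrop and Overlapping Fragment), a gap in a set that claims to be complete (Unnamed), and a reassembled size above 65,535 octets (Ping to Death). The Fragment record, the 16-octet minimum for the first fragment (the size RFC 1858 suggests so that the TCP flags octet is present) and the sample fragment sets are constructed for the illustration.

```python
from dataclasses import dataclass

MAX_DATAGRAM = 65535       # largest IP datagram, header included
IP_HEADER_LEN = 20         # minimum IPv4 header; fragment offsets count from after it
MIN_FIRST_FRAGMENT = 16    # assumed minimum so the TCP flags (octet 13 of the header) arrive in fragment one


@dataclass(frozen=True)
class Fragment:
    """One fragment of a datagram (constructed format)."""
    offset: int   # payload offset in octets, i.e. the 13-bit offset field times 8
    length: int   # payload octets carried by this fragment
    more: bool    # IP "more fragments" flag; False marks the last fragment


def check_fragments(frags):
    """Return a sorted list of problems with this fragment set ([] when it is sane)."""
    findings = set()
    ordered = sorted(frags, key=lambda f: f.offset)
    if not ordered:
        return []

    # A set is only complete once its terminating fragment (more == False) has arrived;
    # gaps and total size are judged only then, so an in-flight set is not a false alarm.
    terminated = any(not f.more for f in ordered)

    first = ordered[0]
    if first.offset != 0:
        findings.add("first fragment missing")
    elif first.more and first.length < MIN_FIRST_FRAGMENT:
        findings.add("tiny first fragment")            # Tiny Fragment Attack

    end = 0  # highest payload octet covered so far
    for f in ordered:
        if f.length <= 0:
            findings.add("empty fragment")
            continue
        if f.offset < end:
            findings.add("overlapping fragments")      # Teardrop / Overlapping Fragment Attack
        elif f.offset > end and terminated:
            findings.add("gap between fragments")      # Unnamed Attack
        end = max(end, f.offset + f.length)

    if terminated and end + IP_HEADER_LEN > MAX_DATAGRAM:
        findings.add("reassembled datagram exceeds 65535 octets")  # Ping to Death Attack

    return sorted(findings)


# Constructed fragment sets, one per case
CLEAN = [Fragment(0, 1400, True), Fragment(1400, 1400, True), Fragment(2800, 200, False)]
TINY = [Fragment(0, 8, True), Fragment(8, 24, False)]
OVERLAP = [Fragment(0, 32, True), Fragment(24, 40, False)]
GAP = [Fragment(0, 32, True), Fragment(48, 16, False)]
OVERSIZED = [Fragment(i * 1480, 1480, True) for i in range(44)] + [Fragment(65120, 400, False)]
IN_FLIGHT = [Fragment(0, 1400, True)]  # last fragment not seen yet

if __name__ == "__main__":
    for name, frags in [("clean", CLEAN), ("tiny", TINY), ("overlap", OVERLAP),
                        ("gap", GAP), ("oversized", OVERSIZED), ("in-flight", IN_FLIGHT)]:
        print(f"{name}: {check_fragments(frags) or 'ok'}")
```

Overlap is reported whenever a later fragment starts before the previous coverage ends, whichever data the implementation would keep; the text's point is that a filter which only inspects the first fragment never sees the overwrite, so the check has to be made over the whole set.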
Accordingly, denial of service attacks can be quite costly, especially for network devices that sell products or otherwise generate revenue during operation. In this regard, even if a denial of service attack causes a network device to crash for only a small amount of time, the lost revenue resulting from the period of inoperability can be quite extensive. Although various techniques have been developed for protecting against denial of service attacks, many of the conventional techniques have vulnerabilities that malicious users can exploit in order to successfully launch a denial of service attack. For example, some network devices maintain a list of authorized user identifiers (e.g., a user's IP address or password). Prior to servicing a particular message frame, the device locates the user identifier within the frame and compares the user identifier to the list of stored user identifiers. If a match exists for the user identifier found within the message frame, the device authenticates the message (i.e., validates the message as being from an authorized user), whereas the device discards the message frame without further processing if no match exists. Thus, the device does not significantly process unauthenticated message frames.
Although the foregoing techniques have been somewhat successful in reducing the number and frequency of successful denial of service attacks, malicious users can discover a valid user identifier and thereafter use the misappropriated user identifier to successfully launch an attack against a network device. In this regard, malicious users could use the misappropriated user identifier to spoof the device such that the message frames sent by the malicious users are authenticated. In such a situation, the malicious users may successfully launch a spoofed attack even if the network device utilizes user identifier checking to protect against unauthorized access. Although encrypting the user identifier can help to prevent discovery by malicious users, subsequently decrypting user identifiers in message frames tends to require a network device to save the state of the message frame and perform various processes to recover the encrypted user identifier. Thus, the network device could still be susceptible to denial of service attacks because malicious users could transmit enough message frames to keep the network device busy decrypting user identifiers within invalid message frames. While the network device is occupied decrypting the user identifiers, it may be unable to receive and process message frames from authorized users. As a result, user identifiers that are used to protect against denial of service attacks are normally unencrypted, making it easier for malicious users to discover valid user identifiers.
Moreover, techniques for attacking networks using denial of service attacks continue to evolve in a manner that bypasses traditional techniques for preventing such attacks. For example, distributed denial of service (DDoS) attacks have emerged as a sophisticated method for launching denial of service attacks. Distributed denial of service attacks have several characteristics, including the ability to hide the identity of the adversary, identify a legitimate computer as ostensibly initiating the attack, and employ multiple computers that could be located anywhere in the world. In order to counterfeit a legitimate user, malicious users need to hack into a target system and install a latent program that will subsequently initiate the attack against the target system. For example, the malicious user may attack a number of target systems and arrange for a worm or virus program to launch a distributed denial of service attack at a particular time (e.g., if a computer stays connected to a network overnight, the latent program may launch at night and run the attack for a few hours, such that a user arriving the next day would be unaware of the attack that occurred the night before).
One reason for the emergence of distributed denial of service attacks is that the TCP/IP protocols were generally designed with minimal or no security. There are a tremendous number of unsecured computers on the Internet that have fast network connections, yet existing techniques for protecting network devices from distributed denial of service attacks have not produced a technical silver bullet for preventing this attack. Thus, as new techniques for launching denial of service attacks continually increase in sophistication and complexity, existing systems and techniques tend to fall short in adequately protecting network resources against denial of service attacks.