The present invention relates generally to data processing systems and, more particularly, to systems and methods for filtering network traffic based on attacks.
The Internet consists of multiple interconnected networks that transfer data between a large number of devices, such as servers and clients. Routers are used to transfer the data in packets over communication links that connect the routers, clients, and servers.
Protocols specify how each device in the network interoperates with other devices. For example, the Internet Protocol (IP) specifies the format for packets. Routing protocols are used in routers to select paths through the network. Other protocols specify the manner in which a client requests information from a server, and the manner in which the server returns the requested information to the client.
FIG. 1 illustrates clients and servers exchanging packets. The exchanges are shown using broken line arrows. In FIG. 1, a client connected to router C exchanges packets with a client connected to router A and a server connected to router D. Exchanging packets directly between clients is known as peer-to-peer networking. Packets may also be transferred directly between servers, illustrated in FIG. 1 by the server connected to router D exchanging packets with the server connected to router B. Server-to-server communication may occur, for example, when one server needs information from another server to respond to a client request.
Devices on the network often communicate freely with one another. For example, in FIG. 1 servers and clients communicate freely with each other. Sometimes, however, networks restrict access in certain ways. For example, a corporate network may limit network access to only employees of that corporation and customers. Although certain areas of a corporate network may be accessed by employees and customers, other certain areas may be limited to access by employees only.
Routers may be used to limit certain traffic flowing through the router. In some cases, for example, routers are configured to only forward packets that have particular characteristics, such as certain source and destination addresses from a list of permitted addresses.
One way to limit access to a particular group of users is a virtual private network (VPN). A VPN uses services provided by a public network, such as an Internet Service Provider (ISP), to connect particular users to one another, such as employees of a corporation. A VPN often makes use of a firewall between all or part of the VPN and the public network. The firewall filters traffic to ensure that traffic entering the VPN is traffic from another site of the same corporation, or from authorized users, such as customers, suppliers, and corporate partners.
Servers in the VPN handle requests from clients in the VPN. The rate of requests to the servers can be quite significant, and generally enough servers are deployed to fulfill the requests. There is usually even a substantial extra capacity for peak times when the rate of requests increase. Every server, however, has a limit as to the rate it can respond to requests for services. If requests arrive too rapidly, service may be adversely affected if the servers cannot keep up with the rate of requests. Similarly, a given router, and a given communications link, also has a capacity limit.
Networks are under almost constant attacks by malicious users who wish to disrupt the network. One of the most common forms of attacks is a denial of service (DOS) attack in which a large number of request packets are sent to a server at a high rate and the server cannot keep up with the requests. Ultimately, the server is so overloaded that adequate service to legitimate clients is denied.
One common way to perform such an attack is to carry out a distributed denial of service (DDOS) attack. In a DDOS attack, multiple distributed systems are used in coordination to overload a server. In one form of DDOS attack, a computer virus or worm is used to configure multiple distributed computer systems to carry out the attack. The computer systems are usually innocent and are being used by someone to unwittingly carry out the attack. For example, multiple computer systems at a university may be configured over a network to simultaneously begin transmitting a large volume of traffic (e.g., malicious packets) at a high rate to the same server. This results in a very large traffic load on the server and sometimes also on communications links used to access the server.
FIG. 2 illustrates a DDOS attack on a server. The firewall in FIG. 2 is implemented physically separate from the server, sitting between the server and a network router. In this implementation, the firewall receives network traffic from the router, filters the network traffic for attacks, and forwards acceptable traffic to the server.
Although the firewall illustrated in FIG. 2 is implemented physically separate from the server, some firewalls run directly on the server. A firewall running on a server operates in essentially the same manner as a physically separate firewall—examining incoming traffic and determining whether the traffic should be allowed to enter.
In FIG. 2, each malicious user has been configured to simultaneously bombard the server with malicious packets in an attempt to flood the server. In the attack is successful, the server will receive more requests than it can handle. This results in some combination of failure of the server, severe congestion on communications resources, such as links or routers in the network, or seriously disrupted service to legitimate users.
The firewall is used to detect the attacks. Upon detecting an attack, the firewall attempts to identify the malicious packets and drop them. Conventional firewalls are often implemented in software, but may be implemented in hardware, or both software and hardware. The firewall typically performs stateful filtering, which means that the firewall maintains state information related to recent requests for service sent to a server. Keeping track of recent requests to a server is necessary to detect attacks. In a DOS attack, for example, any one request might be valid when considered alone, but when multiple requests are considered together a malicious attack might be identified. When multiple requests come in from the same source, for example, the server may determine that the source is taking part in the attack and discard future requests for information from the source.
Although FIG. 2 illustrates using a firewall to detect an attack on a server, the firewall may also be used to detect an attack on any entity, such as a VPN. In this case, the firewall may be used to prevent unauthorized or malicious users from accessing the corporate network by discarding inappropriate packets at the firewall.
Note that, in general, detecting an attack needs to occur at one place since each malicious user participating in the attack might be sending few enough packets that it is not obvious that those packets are part of an attack. This has led to solutions where detection and defense against attacks occurs in one device. In other words, the discarding of the malicious packets occurs at the same device that detected the attack.
The malicious packets arriving at a single location creates other problems in addition to overloading the server. In many cases the link from the local router to the server and/or firewall will be sized just large enough to handle legitimate traffic expected by the server. The link from the router to the firewall may itself become so congested that service is denied. Thus, even if malicious packets are successfully discarded at the firewall, the loss of bandwidth on the link between the router and the server or firewall still represents a significant denial of service. Thus, even if the malicious packets are discarded before they reach the server in FIG. 2, the attack may nonetheless be successful, or at least partially successful. A sufficiently large attack may also congest other links in the communications network.
Another problem may arise because operation of the firewall consumes considerable resources. Thus, even after a firewall detects an attack, it still needs to spend some amount of CPU resources to discard each malicious packet. This problem is more of an issue when the firewall is running on the server, and is not as drastic in the physically separate firewall implementation illustrated in FIG. 2 because in the physically separate implementation the server itself does not consume its resources discarding packets. The firewall in FIG. 2, however, represents additional cost to the network. In addition, the network resources, including but not limited to the link from the local router to the firewall or server, need to carry the additional traffic, which therefore also represents wasted resources.
Thus, there is a need for adequately addressing attacks occurring in the network.