1. Field of the Invention
The present invention relates generally to Internet security, and particularly to systems, program product, and methods of preventing and defeating network attacks, such as denial of service or other similar network attacks.
2. Description of Related Art
As more and more computer networks are linked to each other through open computer connections such as the Internet, computer network security has become increasingly important. As such, when using a computer network, most computer users, including both home and business users, want to protect their computer systems from unauthorized access or to prevent their computers or computer networks from being disrupted. Current attempts to keep computer systems secure involve both hardware and software solutions. Hardware solutions have typically included filtering mechanisms which block access from users outside of a trusted computer user group and/or network. Software solutions have typically included monitoring network data, requiring/performing authentication, and monitoring network traffic to detect unauthorized intrusion and resource overload attempts. Notably, such strategies are exclusively defensive in nature.
Despite such efforts used to secure the computer network, the number of attacks on computer networks has continued to rise. Skillful attackers, e.g., hackers, continuously find ways to gain illegal access and/or cause disruption. As such, computer owners must continuously update their hardware and/or software in order to repel such attackers to thereby prevent the attacker from denying the computer owners access/use of resources, and/or preventing unauthorized use of such resources.
In order to reduce the probability of illegal access and/or disruption to a computer or computer network, system developers have created tools to test computer and/or network security. These tools include such things as vulnerability scans which identify potentially compromised ports, the revision levels of the software running on a system, etc. Developers may also simulate the actions of an unauthorized user to determine their system's potential vulnerabilities. It is assumed, or at least surmised, that the resulting test data provides sufficient information to allow the computer/computer network developer to locate potential network security loopholes/vulnerabilities within the computer/computer network. Computer/computer network administrators, or authorized third parties, have taken to using these same tools for testing the integrity and/or vulnerability of their computer systems/networks. The methods or patches developed to close such security loopholes/vulnerabilities are typically disseminated to other computer or computer network owners and administrators, either through security service providers and/or various websites. Not all computer or computer network owners and administrators, however, stay vigilant in maintaining their systems in order to close any existing and/or newly discovered security loopholes.
Unfortunately, malicious individuals also have access to these same tools that can allow them to identify computers having potential vulnerabilities. Accordingly, such individuals can readily determine which computers/computer networks can be breached in order to gain access to the data and/or to take remote control of such computers. Such remotely controlled computers are often called “robot computers” or simply “bot” computers.
Gaining access to a computer system is not the only way malicious individuals are able to cause disruption to a computer or computer network. One methodology of disrupting the computer or computer network is called a denial of service attack (or more correctly, distributed denial of service attack) whereby multiple computers, typically geographically spaced apart, begin sending multiple service requests to a target computer or network to overwhelm the target computer or network, causing the target computer or network to be unable to continue to provide services to legitimate users.
Malicious individuals who have taken remote control of a computer system may use it as a robot (i.e., “bot”) without the owner's knowledge and/or permission to attack a third party computer system and/or network. Combinations of these remotely controlled “bot” systems may be formed into networks (i.e., “botnets”) to increase the effectiveness of an attack on a third party system and/or network. One manner in which such bot networks have been utilized by malicious individuals has been to launch denial of service attacks on specific targeted computers and/or networks. Such has been accomplished by causing the bot controlled computers in the bot network to each generate multiple service requests to the specific target computer or computer network, thus causing the target computer or network to be overwhelmed to a point of having to terminate providing services. The bot network typically consists of a relatively large number of remotely controlled (“hijacked”) computers. To establish the bot network, an attacker uses some type of malicious software code such as, for example, a Trojan horse application or other virus or worm, etc., to take control of a multitude of vulnerable computers.
An example of a broad spectrum, geographically distributed, denial of service attack occurred in Estonia beginning on Apr. 27, 2007, and lasted for months, effectively shutting down certain Estonian government computers. Such attack used multiple global bot networks, proxy servers located in third countries, and nonexistent or spoofed IP addresses. The initial attack was fairly unsophisticated; however, as the attack progressed, so did the level of sophistication. As Estonian authorities blocked major portions of the Internet, the attacks began shifting to other computers and other geographic locations, rendering the targeted computers unable to provide services to legitimate users. The Estonian government was kept constantly on the defensive as the attackers changed the resources used in mounting the attack over time. This example demonstrated critical weaknesses in a purely defensive security strategy with limited automated responses.
Accordingly, recognized by the inventor is the need for an offense strategy that can allow the protected computer or computer network to automatically overcome a denial of service attack, and continue to provide services to a substantial portion of the authorized users and/or legitimate customers. Also, recognized is the need for an automated way of identifying actual customer requests while blocking spoofed, nonexistent and/or bot service requests. Further, recognized by the inventor is the need for a system, program product, and methods that, during a denial of service type attack, can identify computers requesting service from the target computer or computer network that are not only potentially vulnerable, but proven vulnerable to being controlled, so that such bot controlled or bot controllable computers can be selectively blocked and/or targeted for shutdown in order to allow for the provision of continued service to authorized users and/or legitimate customers having computers which are not vulnerable to bot control. Also recognized is the need for a system, program product, and methods that can utilize secondary computers allied with the protected computer to perform the function of determining whether or not a service requesting computer is an authorized user and/or legitimate customer computer, to free up the resources of the protected computer. 
Also recognized is the need for a system, program product, and methods that can: recognize the existence of a denial of service attack embedded in communications from a plurality of IP addresses; initially block the plurality of IP addresses; call back each of the IP addresses to re-establish communications to thereby initiate an offense strategy (e.g., either submit an authentication request or initiate a virtual attack on the computer system associated with each IP address); determine whether or not the computer system associated with each of the IP addresses is vulnerable to malicious code; and for each computer system found to be vulnerable, restrict access to a protected computer system.
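The sequence just listed, as an added example written for this page rather than code from the patent, covers only its defensive branch: recognize a flood from a plurality of source addresses, block them initially, call each one back with an authentication request, and keep restricted those that cannot answer. The request log, the window and threshold values, and the token scheme are all constructed assumptions; the "virtual attack" probing branch is not implemented.

```python
from collections import defaultdict

# Constructed sample request log for this example: (seconds since start, source IP).
SAMPLE_REQUESTS = [
    (0, "192.0.2.10"), (30, "192.0.2.10"),                        # ordinary user
    (1, "203.0.113.5"), (1, "203.0.113.5"), (2, "203.0.113.5"),
    (2, "203.0.113.5"), (3, "203.0.113.5"), (3, "203.0.113.5"),   # burst source
    (5, "198.51.100.7"), (5, "198.51.100.7"), (6, "198.51.100.7"),
    (6, "198.51.100.7"), (7, "198.51.100.7"),                     # burst source
    (0, "192.0.2.20"), (15, "192.0.2.20"), (30, "192.0.2.20"),
    (45, "192.0.2.20"), (60, "192.0.2.20"),                       # slow but steady
]
WINDOW_SECONDS = 10    # assumed tuning values, not taken from the patent
FLOOD_THRESHOLD = 5

def detect_flood_sources(requests, window=WINDOW_SECONDS, threshold=FLOOD_THRESHOLD):
    """Flag every source that sends >= threshold requests inside any sliding window."""
    per_ip = defaultdict(list)
    for ts, ip in requests:
        per_ip[ip].append(ts)
    flagged = set()
    for ip, times in per_ip.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:    # slide the window start forward
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged

class Gatekeeper:
    """Initial block, then a call-back challenge that sorts sources into allowed/restricted."""
    def __init__(self, valid_tokens):
        self.valid_tokens = set(valid_tokens)       # assumed pre-shared customer tokens
        self.blocked, self.allowed, self.restricted = set(), set(), set()
    def initial_block(self, ips):
        self.blocked |= set(ips)
    def challenge(self, ip, presented_token):
        """Authentication-request branch: a blocked source that answers the call-back with a
        known token is re-admitted; one that cannot stays restricted."""
        if ip not in self.blocked:
            return "not_blocked"
        self.blocked.discard(ip)
        if presented_token in self.valid_tokens:
            self.allowed.add(ip)
            return "allowed"
        self.restricted.add(ip)
        return "restricted"
    def admits(self, ip):
        return ip not in self.blocked and ip not in self.restricted
```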