1. Field of the Invention
The present invention relates, in general, to network computing systems, and, more particularly, to software, systems and methods for providing services over a network that are resistant to denial of service attacks.
2. Relevant Background
Recently, DoS attacks have been blamed for bringing down several electronic commerce (e-commerce) web sites and government sites. These outages, although temporary, are enormously expensive to businesses such as retailers, business-to-business commerce sites, and securities brokerages, for example, where continuous availability and reliable performance underpin the value of the commerce site. These problems and the lack of solutions for DoS problems discourage existing and potential e-commerce providers from establishing and expanding their electronic commerce offerings.
A denial of service (DoS) attack is a type of security breach against a computer system in which a user or organization is deprived of the services of a resource they would normally expect to have. Typically, the loss of service is due to the inability of a particular network service, such as a web server or e-mail, to be available, or the temporary loss of all network connectivity and services. A denial of service attack can also destroy programming and files in a computer system. Although usually thought of as an intentional and malicious act, a denial of service event can sometimes happen accidentally as a result of poor planning or a sudden large increase in volume directed to a network server. DoS attacks can cost the target person or company a great deal of time and money.
In a DoS attack, a large volume of requests is addressed to a particular shared resource such as a web site, database, mail server and the like. In the case of a malicious attack, the requests are generated by a “hacker” or “cracker”. The resource has a fixed ability to respond to requests, and, at some point, a large volume of requests will cause delays in servicing genuine requests. In a worst case scenario the web resource may actually crash. Even when a system is robust enough to avoid a crash, genuine requests simply cannot be segregated from the hacker-generated requests, thereby slowing access for legitimate users.
A common form of DoS attack sends more traffic to a network address than the server program or system operating at that network address can handle. Programs, and the network interface routines that connect the program to the network, use data buffers for a number of tasks. For example, transmission control protocol (TCP) layer software uses buffers to handle the handshaking exchange of messages used to establish a communication session. Each connection request consumes a portion of the finite memory space allotted to these buffers. A large number of connection requests received in a short period of time will consume the allotted memory space, making the system unable to respond to legitimate requests and potentially causing the system to crash due to buffer overloads.
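The buffer-exhaustion mechanism just described can be made concrete with a small model. The following is an added illustration, not part of the patent text: a listener keeps a fixed-size table of half-open TCP connections, each connection request occupies a slot until the handshake completes or the entry times out, and a source that never completes its handshakes fills the table so that later legitimate requests are refused. The model also carries one defensive knob, a per-source cap on half-open entries, to show how limiting any single address restores service for the other clients. The class, its sizes, the timeout, the addresses and the request trace are all constructed for this example.

```python
"""Toy model of a TCP half-open connection table (constructed example, not
the patent's own design).  Names, sizes, timeouts and addresses are made up."""

from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class HalfOpenTable:
    capacity: int                         # total half-open slots (finite buffer)
    timeout: float                        # seconds a half-open entry may linger
    max_per_source: Optional[int] = None  # optional per-source cap (a mitigation)
    entries: Dict[Tuple[str, int], float] = field(default_factory=dict)  # (src, port) -> arrival
    refused: Counter = field(default_factory=Counter)                     # src -> refused count

    def expire(self, now: float) -> None:
        """Drop entries whose handshake never finished within the timeout."""
        stale = [k for k, t in self.entries.items() if now - t > self.timeout]
        for k in stale:
            del self.entries[k]

    def per_source(self, src: str) -> int:
        return sum(1 for (s, _) in self.entries if s == src)

    def connect(self, src: str, port: int, now: float) -> bool:
        """Handle an initial connection request; True if a slot was allocated."""
        self.expire(now)
        if self.max_per_source is not None and self.per_source(src) >= self.max_per_source:
            self.refused[src] += 1
            return False
        if len(self.entries) >= self.capacity:   # buffer full: legitimate or not, refused
            self.refused[src] += 1
            return False
        self.entries[(src, port)] = now
        return True

    def complete(self, src: str, port: int) -> bool:
        """Handle the final handshake message; frees the half-open slot."""
        return self.entries.pop((src, port), None) is not None


def run_trace(max_per_source: Optional[int] = None) -> Dict[str, int]:
    """Replay a constructed trace: one source that never completes its
    handshakes, followed by three clients that do.  Returns summary counts."""
    table = HalfOpenTable(capacity=128, timeout=30.0, max_per_source=max_per_source)

    flood_src = "198.51.100.7"            # constructed address (RFC 5737 test range)
    for idx, port in enumerate(range(1000, 1300)):   # 300 requests within 3 seconds
        table.connect(flood_src, port, now=idx / 100.0)  # never calls complete()

    legit_accepted = 0
    for i, src in enumerate(["192.0.2.10", "192.0.2.11", "192.0.2.12"]):
        now = 5.0 + i                     # well inside the 30 s timeout window
        if table.connect(src, 40000 + i, now):
            table.complete(src, 40000 + i)   # genuine client finishes the handshake
            legit_accepted += 1

    return {
        "legit_accepted": legit_accepted,
        "flood_refused": table.refused[flood_src],
        "occupied": len(table.entries),
    }


if __name__ == "__main__":
    print("no per-source cap :", run_trace())
    print("cap of 10 per src :", run_trace(max_per_source=10))
```

Without the cap the 128 slots are all held by the non-completing source and every genuine client is refused; with a cap of 10 per source the same trace leaves 118 slots free and all three clients connect. The cap is only a partial answer, which matches the observation later in this section that attacks launched from many hijacked hosts with legitimate addresses are not stopped by per-address measures alone; real TCP stacks combine such limits with short timeouts and stateless handshake techniques rather than relying on any one of them.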
Currently, there are few effective ways to protect against denial of service attacks on the Internet. The Internet is designed to forward packets from a sender to a client quickly and robustly. Hence, it is difficult to detect and stop malicious requests once they are launched. Filtering of packets by Internet service providers (ISPs) can be effective in reducing attacks from forged source addresses, but is impractical for handling attacks from legitimate IP addresses. Moreover, ingress filtering requires upgrades to a large number of existing routers, which will take many years to accomplish.
In practice, a web site owner or host responds to a DoS attack reactively. Once an attack is detected, packets are analyzed to determine the source address(es) of the attack. Upstream service providers are notified of the address ranges, and the upstream network equipment, such as routers, is configured to block packets from the malicious addresses. The entire process can take several hours and sends the service providers, web site owner and web site hosts into upheaval. Moreover, the attack can begin again from another address almost as soon as the original attack is thwarted. DoS attacks are typically launched from a multitude of computers that are hijacked by the assailant. The computers selected for hijacking generally have a large connection to the Internet, enabling them to open a large number of TCP connections to the target. As the assailant's computer is rarely directly involved in the DoS attack, it is difficult to trace the origin of the attack, especially in time to be able to curtail the attack. While it is possible to trace the instigator and take legal action, this remedy is difficult and leaves the network vulnerable. Hence, a need exists for systems, methods and software to inhibit, and preferably prevent, the effectiveness of DoS attacks.