1. Field of Invention
The embodiments of the invention relate in general to attacks in networking devices. More specifically, the embodiments of the invention relate to methods and systems for preventing Denial of Service (DOS) attacks in the networking devices.
2. Description of the Background Art
In the age of the Internet, one of the major problems in a computer network is security. Various attackers breach the security of computer networks by attacking the computer network. The attacks can be either through unauthorized access to the network or by restricting the access of authorized users to the network. A Denial of Service (DOS) attack is one such attack; it denies authorized users access to the network.
A DOS attack can be defined as a way of attacking a networking device by sending a high volume of requests over the computer network. A high volume of requests can slow down the performance of a networking device so that it becomes unavailable to users. An example of the networking device is a router. The attack is initiated by sending a request from an attacker to at least one of the computers in the computer network. The state created by sending the request to the computer is termed a half-open session. The session is considered established if the networking device detects a returning request from the computer.
A networking device allocates a finite amount of resources to establishing half-open sessions. These resources include memory and processor (CPU) capacity. During a DOS attack, the attacker starts sending a high volume of requests (attack vectors) to the computer. However, the computer may not respond to these attack vectors. Consequently, a large number of half-open sessions are created. There is an idle timeout associated with each half-open session. Idle timeout is defined as the amount of time the networking device waits for the returning request before terminating the half-open session. However, the attacker sends the attack vectors at a rate that is faster than the rate at which the networking device can terminate them. In such situations, all the resources allocated for creating half-open sessions are consumed, and any further connections from other clients are refused. Hence, the networking device is no longer available to other clients.
Conventional approaches to preventing DOS attacks include the use of a firewall to block requests from a potential attacker. The potential attacker is identified by monitoring the number of requests from a particular location. If the number of requests exceeds a threshold limit, the location is considered to be a potential attacker. Hence, any further requests coming from that location are blocked.
However, this approach has a few limitations. The potential attacker can continuously change its location. Hence, the identification and blocking have to be carried out each time the attacker changes its location. Further, in some situations, an authorized user may send a high volume of requests at a particular time. Therefore, according to the conventional approach, the authorized user may also get blocked.
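The following is an added simulation, not part of the patent text, that models the two points made above: a half-open session table of fixed capacity whose entries are reclaimed only after the idle timeout, and a per-source request-count threshold of the conventional kind. The table size, timeout, threshold and traffic traces are constructed values chosen so the arithmetic is easy to follow.

```python
from collections import deque

# Constructed parameters, kept tiny so the arithmetic is easy to follow.
CAPACITY = 8          # half-open sessions the device can hold at once
IDLE_TIMEOUT = 10.0   # seconds the device waits for the returning request

def simulate_half_open_table(arrivals, capacity=CAPACITY, idle_timeout=IDLE_TIMEOUT):
    """arrivals: (time, source) pairs of initial requests that never receive a reply.
    Returns (requests refused because the table was full, peak table occupancy)."""
    table = deque()   # (expiry_time, source); arrival order == expiry order
    refused, peak = 0, 0
    for t, src in arrivals:
        while table and table[0][0] <= t:   # reclaim sessions whose idle timeout elapsed
            table.popleft()
        if len(table) >= capacity:          # resources exhausted: device unavailable
            refused += 1
            continue
        table.append((t + idle_timeout, src))
        peak = max(peak, len(table))
    return refused, peak

def threshold_blocklist(arrivals, threshold, window):
    """Conventional per-source approach: block any source exceeding `threshold`
    requests inside a sliding `window` of seconds."""
    recent, blocked = {}, set()
    for t, src in arrivals:
        q = recent.setdefault(src, deque())
        q.append(t)
        while q[0] <= t - window:           # drop requests older than the window
            q.popleft()
        if len(q) > threshold:
            blocked.add(src)
    return blocked

# Constructed traffic: 40 unanswered requests, one every 0.5 s (faster than the
# device can time sessions out: 8 slots / 10 s), from a fixed or a rotating source.
FLOOD_FIXED = [(i * 0.5, "src-A") for i in range(40)]
FLOOD_ROTATING = [(i * 0.5, f"src-{i // 3}") for i in range(40)]
BURST_LEGIT = [(i * 0.1, "user") for i in range(6)]     # a real user's short burst

if __name__ == "__main__":
    for name, traffic in [("fixed", FLOOD_FIXED), ("rotating", FLOOD_ROTATING)]:
        print(name, "refused/peak:", simulate_half_open_table(traffic))
    print("blocked (fixed):", threshold_blocklist(FLOOD_FIXED, 5, 10.0))
    print("blocked (rotating):", threshold_blocklist(FLOOD_ROTATING, 5, 10.0))
    print("blocked (legit burst):", threshold_blocklist(BURST_LEGIT, 5, 10.0))
```

The table saturates identically for the fixed and rotating traces, yet the per-source threshold flags only the fixed source, while the legitimate burst of six requests is blocked; slowing the arrivals below one per (timeout / capacity) seconds leaves the table with spare slots throughout.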