In computing, firewalls are generally used to provide perimeter defenses. They are typically implemented on gateways located between one network (e.g. a public network such as the Internet) and another network (e.g. a private network such as a corporate intranet), and filter the traffic that is transmitted therebetween. A system firewall, on the other hand, filters the traffic that enters or exits an individual host, and can be used to protect the host—which may form a part of an intranet—against attacks originating from within the intranet or external attacks that have breached a perimeter firewall.
Both approaches have limitations. Floods (such as IP fragment floods and SYN floods) can comprise data packets that are not “unwanted”, and neither perimeter firewalls nor system firewalls will filter such floods effectively. The perimeter firewall cannot determine the capabilities and the current situation of the host. A server that has a low configuration or is heavily loaded can process fewer incoming packets than a server with a higher configuration or a significantly lesser load, so the filtering provided by a perimeter firewall may not be appropriate to such cases. If a flood is allowed past the perimeter firewall to be handled by the system firewall, host resources are wasted and—moreover—the local LAN subnet (which may constitute an intranet) may be flooded.
That is, perimeter firewalls do not always constrain traffic rates to levels that the host can handle. If excessive traffic reaches the host system, the host must devote considerable resources to handling that traffic, even if only to discard it. Thus, if packet rate is not controlled at the perimeter level, a packet flood will waste host system's resources.
Moreover certain type of flooding attacks (e.g. SYN attacks) that are targeted at Layer 4 protocols, such as the TCP modules of the stack, can be efficiently detected at Layer 4 level. Since most existing host-based or perimeter firewalls filter at IP level, floods are not effectively detected at that level. There is presently no optimal method of calculating the rate of SYN packet arrival at an IP-address/Port combination at the perimeter level.
A Controller and Agent model has been proposed to minimize DoS (Denial of Service) or DDoS (Distributed Denial of Service) attacks caused by the various kind of packet floods. A packet marking technique is used, and the attack traffic is blocked at the router nearest to the attacking system by establishing the attack signature for the attacking host.
Another proposed method uses the attack detection capabilities of an intrusion detection system (IDS) and Quality of Service (QoS) concepts to rate limit incoming packet flood attacks. Incoming network traffic is first analyzed by an IDS and the information is fed to a Rate limiting system Controller (RLS-controller). RLS-Controller analyzes the information and appropriately instructs the RLS-agents to do the rate limiting.
A system has also been proposed in which a network traffic evaluation device is used to warn of or prevent traffic abnormalities, such as denial of service attacks. The device includes a data interface to receive one or both of network traffic and data indicative of characteristics of network traffic. The network traffic and/or data received by the data interface is processed for predetermined characteristics and—upon detection of these predetermined characteristics—the network traffic may be redirected and/or blocked by a network device.
Another proposed monitor system for detecting attacks on a site in a communication network and for taking action to reduce or redirect such attacks reviews incoming data packets and sends directions to at least one router to change the data flow in the system. The data packets and the resulting work flow are modified for certain conditions, and for certain conditions within defined time slices, and action is taken when the monitored condition is contrary to expected conditions.
These proposed methods and systems endeavour to either completely filter or rate limit offending traffic. However, they do not attempt to improve the detection of offending traffic in a system-sensitive manner.