As the popularity and use of the Internet has grown, so has the potential for the spread of malicious programs, such as computer viruses. One such type of malicious program performs a denial of service a (DOS) attack. A DOS attack attempts to degrade performance of a server, website or the like through overutilization. A large number of requests are sent to the website which may overwhelm the website's ability to respond to requests and utilize the processing capabilities and bandwidth of the website to respond to the malicious requests. Furthermore, if such viruses infect a large enough group of computers, performance degradation may be seen over parts of or the entire Internet as communication bandwidth is tied up performing the malicious requests.
Recently, the Internet has experienced several DOS attacks from “zombie” computers controlled by the viruses creator(s) (i.e. hackers). A zombie computer is a computer which, unbeknownst to the computer's user, generates the requests for the DOS attack. The systems most likely to be added to a hacker's “zombie” stable, often by infection with a Trojan horse virus or worm virus injected by unfiltered email or web usage, are personal computers running consumer versions of Windows (e.g., 95, 98, Millennium), because of the unsophistication of their users and the large number of such systems. Fortunately, however, Microsoft's TCP/IP stack implementation on these consumer operating systems contained a restriction that prevented application software from spoofing the source IP address (SA) of transmissions (i.e. from using a source address of a transmission which was different from the IP address assigned to the system). This restriction made it relatively easy for the target of a DOS attack to identify the source of offending transmissions and establish router filters to block that address. Once identified, the system user/administrator could work with the ISP or enterprise owning the source address range to clean up the infected “zombie.”
In contrast, enterprise-class operating systems, such as Windows NT and 2000, Unix and Linux, implement the TCP/IP specification more accurately, making it possible for applications on these platforms to spoof source IP addresses in transmissions. However, Microsoft's Windows XP, a new consumer version, removes the earlier stack restriction and, hence, allows applications to spoof SAs. The release and proliferation of Windows XP is, therefore, expected to result in a large population of machines that, once infected with Trojan viruses, can easily become zombies capable of spoofing source IP addresses. The targets of DOS attacks will then find it difficult to block the transmissions (since they may appear to come from a large variety of SAs) or to identify and clean up the zombie machines (since machines that falsify their IP address are, typically, hard to track down).
As spoofed SAs have been used in previous DOS attacks (generally originating from Unix/Linux and NT machines), the industry has adopted a “best practice” of adding filters to endpoint (“leaf”) routers to prevent packets with forged subnet addresses from entering the Internet; i.e., the subnet of a source IP address must match the subnet from which the packet originates, or the router's filter will cause the packet to be discarded. When this practice is used, it enables identification of the subnet where an attack originates. The specific computer originating the attack can be identified if the proper monitoring equipment (e.g. network analyzers, sniffers) is deployed at the time of the attack and if the ISP/enterprise is willing to spend the money and time for the analysis.
Unfortunately, filtering for forged subnet address at leaf routers, typically, does not prevent spoofing of a forged address that has a valid subnet identification. A subnet often has a large pool of unassigned addresses that can easily be appropriated by hackers. Furthermore, filtering at the leaf routers may fail to cover network topologies where multiple routers and endpoints share a subnet.