Networks are increasingly coming under attack from malicious applications, services, or users. To mitigate these attacks and limit their propagation, a variety of techniques have been developed that allow the nodes of a network to communicate with one another in order to determine when the network believes it is under attack.
One technique relies on a detector at a network node to determine locally, from collected evidence, whether given events occurring within the node are consistent with an attack. If such a situation is detected, the network address associated with the alleged attacker can be blocked. The technique runs whenever an Internet Protocol (IP) address attempts a connection to the node. It is somewhat expensive in processing and memory, because state must be kept for each unique IP address and for each connection or failed connection attempt.
Another technique modifies the first by maintaining a counter that is incremented on each attempted connection to the network node and decremented when a connection is successfully acknowledged. This helps keep a given IP address below a threshold of allowable connection attempts to the node. However, responding by throttling or quarantining network nodes on the basis of this heuristic can cause a meltdown of the network, because of the heuristic's false positive rate.
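As an added illustration (not from the original text), the following is a minimal per-source counter of the kind the second technique describes, run over constructed sample traffic to show how a legitimate client that retries on a lossy link trips the same threshold as a flooding source. The threshold value, event names and IP addresses are assumptions chosen for the example.

```python
from collections import defaultdict

# Added example: per-IP outstanding-attempt counter in the style of the
# second technique. THRESHOLD and the event format are assumptions.
THRESHOLD = 3  # allowed outstanding (unacknowledged) attempts per source IP


class AttemptCounter:
    """Per-source counter: +1 on connection attempt, -1 on acknowledgement."""

    def __init__(self, threshold=THRESHOLD):
        self.threshold = threshold
        self.outstanding = defaultdict(int)
        self.flagged = set()

    def observe(self, src_ip, event):
        """Update the counter for one event; return True if src_ip is flagged."""
        if event == "attempt":
            self.outstanding[src_ip] += 1
        elif event == "ack":
            # Never go negative: an ack without a matching attempt is ignored.
            self.outstanding[src_ip] = max(0, self.outstanding[src_ip] - 1)
        else:
            raise ValueError(f"unknown event {event!r}")
        if self.outstanding[src_ip] > self.threshold:
            self.flagged.add(src_ip)
        return src_ip in self.flagged


def run(events, threshold=THRESHOLD):
    """Feed (src_ip, event) pairs through the counter; return the flagged set."""
    det = AttemptCounter(threshold)
    for src_ip, event in events:
        det.observe(src_ip, event)
    return det.flagged


# Constructed sample traffic (not real capture data).
# 203.0.113.5: flooding source that never completes a handshake.
# 198.51.100.7: legitimate client on a lossy link; retries before acks arrive.
# 192.0.2.9: well-behaved client; every attempt is promptly acknowledged.
SAMPLE_EVENTS = [
    ("192.0.2.9", "attempt"), ("192.0.2.9", "ack"),
    ("203.0.113.5", "attempt"), ("203.0.113.5", "attempt"),
    ("198.51.100.7", "attempt"), ("198.51.100.7", "attempt"),
    ("203.0.113.5", "attempt"), ("203.0.113.5", "attempt"), ("203.0.113.5", "attempt"),
    ("198.51.100.7", "attempt"), ("198.51.100.7", "attempt"),  # 4 outstanding -> flagged
    ("198.51.100.7", "ack"), ("198.51.100.7", "ack"),
    ("198.51.100.7", "ack"), ("198.51.100.7", "ack"),          # acks arrive, but too late
    ("192.0.2.9", "attempt"), ("192.0.2.9", "ack"),
]

if __name__ == "__main__":
    print(sorted(run(SAMPLE_EVENTS)))  # flooder and the retrying client are both flagged
```

Raising the threshold clears the legitimate client in this trace, but only because the flooder was chosen to exceed it; in practice the two distributions overlap, which is the false-positive problem the text describes.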