The present invention generally relates to computer security. More particularly, the present invention relates to an apparatus and method for detecting an originator of hostile traffic in a network.
There have been several attempts to identify originators of attack packets on the network. A network telescope provides the ability to see victims of certain kinds of denial of service attacks or hosts infected by worms, and misconfigurations from a distance. Tarpits have been deployed to waste resources of suspicious attack sources. Honeypots can help identify suspicious IP addresses.
A common technique is a honeypot mechanism and is defined broadly as a resource whose value lies in its unauthorized use. Simple honeypot mechanisms involve advertising dark address space (a set of internet protocol (IP) addresses that are not currently in use; i.e., associated with active machines) and identify originators of traffic to that space. The assumption is that such sources are suspicious. Some honeypots listen passively to such traffic. Neither the advertisements of dark prefixes nor the passive listening to incoming traffic is particularly expensive. Other honeypots interact with the traffic to varying degrees. Some respond with acknowledgements to the incoming messages or emulate a login session. At the other extreme, some honeypots may emulate a whole kernel. Depending on the degree of interaction more details about the attack traffic can be gathered. Public domain versions of honeypot code for popular operating systems have been available for different variants of probing attacks along with commercial software indicating the popularity of this technique for identifying probe traffic. The broad notion of honeypots has even been used to locate spam email originators although such honeypots need to have more infrastructure in place.
Since honeypots gather data at the destination of probing and other unwanted traffic, they are unable to locate the precise entry point of such traffic; additionally some of the source addresses may be spoofed. Traceback to the origination of such traffic is hard due to the delay and difficulty of maintaining state along the path of such traffic. Most importantly, the autonomous systems (ASes) in the path towards the destination are not aware that the advertised prefix is dark. Thus, the ASes in the path carry such traffic towards the destination and are unable to benefit from the knowledge that the originators of such traffic are potentially suspect. Finally, the AS at which such traffic originated cannot learn about the link responsible for injecting this traffic.
Therefore, there is a need in the art for a method and apparatus for detecting an originator of hostile traffic closer to an entry point of such traffic.