Communications between digital processing devices can be inhibited by attacks upon the digital devices themselves or a network that the devices use for communication. One type of attack, a denial-of-service (DoS) attack, can make a resource unavailable to users by overloading the resource with traffic or requests. For example, a DoS attack can target a web-server so that the web-server cannot serve web pages. A DoS attack can also flood a network with traffic so that the network is too busy to serve legitimate traffic.
One goal in combating a DoS attack is to distinguish between authorized and unauthorized traffic. Authorized traffic is allowed to reach its target, while unauthorized traffic is dropped, rate-limited, or otherwise not allowed to successfully reach its target. One method of preventing some DoS attacks is to use a network to act as a first-level firewall that discriminates between legitimate traffic and potentially malicious traffic. A client can route its traffic through a node in the network and onto its intended target (e.g., a web-server), which is at a location unknown to the client and to possible attackers. Because the location of the target is unknown, it is more difficult for attackers to inhibit communications with the target.
Prior systems depend on the inability of an attacker to discover connectivity information for a given client and the infrastructure used by that client (e.g., which node a client is using to route traffic). This makes prior systems susceptible to a variety of attacks. For example, attackers can possess real-time knowledge of the specific node a client is routing traffic through, or can attack nodes using a time-based scheme that tries to increase the impact of the attack on clients' connectivity.
In targeted attacks, for example, an attacker that has knowledge of a client's communication parameters can follow the client's connections and bring down the nodes that the client tries to connect to. As soon as the client realizes that the node is unresponsive and switches to a new node, the attacker can direct the attack to this new node. Thus, an attacker that can bring down a single node can create a targeted-DoS attack for specific clients.
Other attacks, which exploit information that was intended to be available only to trusted components of the system but which an attacker can feasibly gain access to, are also possible against prior systems. For example, in sweeping attacks the attacker can use its power to attack a small percentage of the nodes of a network at a time. This type of attack can target application-level state (e.g., application information used for determining a future action) maintained by the node responsible for a client. Destroying this state can force the client to reestablish both network and application-level connectivity, can degrade the client's connection, and can lead to DoS for time-critical or latency-dependent applications. Thus, although network firewalls can help in inhibiting some attacks, they remain vulnerable to a range of debilitating attacks.
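The following simulation is an added illustration of the targeted and sweeping attacks described above; it is not part of the original text and does not describe the patented method. It models a hypothetical overlay of `n_nodes` relay nodes, a client that keeps `paths` simultaneous paths open and replaces any node that stops responding, and an attacker who can hold `attack_capacity` nodes down per round, either with knowledge of the client's nodes ("targeted") or without it ("sweeping"). The node counts and round counts are constructed values.

```python
import random


def simulate_outage(n_nodes, paths, attack_capacity, rounds, mode, seed=0):
    """Return the fraction of rounds in which the client has no live path.

    mode="targeted": the attacker knows the client's current nodes and
    brings down up to `attack_capacity` of them each round, following
    the client whenever it switches (the targeted attack above).
    mode="sweeping": the attacker brings down `attack_capacity` nodes
    chosen at random each round, with no knowledge of the client (the
    sweeping attack above).
    After each round the client notices unresponsive nodes and re-routes
    through fresh ones, so the attacker's effect is measured per round.
    """
    if n_nodes - attack_capacity < paths:
        raise ValueError("not enough surviving nodes to keep all paths open")
    rng = random.Random(seed)
    nodes = list(range(n_nodes))
    client = rng.sample(nodes, paths)  # nodes the client currently routes through
    outages = 0
    for _ in range(rounds):
        if mode == "targeted":
            down = set(rng.sample(client, min(attack_capacity, len(client))))
        elif mode == "sweeping":
            down = set(rng.sample(nodes, attack_capacity))
        else:
            raise ValueError(mode)
        alive = [n for n in client if n not in down]
        if not alive:
            outages += 1  # every path the client had is unresponsive
        # Re-route: keep live nodes, replace dead ones with nodes not under attack.
        spare = [n for n in nodes if n not in down and n not in alive]
        client = alive + rng.sample(spare, paths - len(alive))
    return outages / rounds


if __name__ == "__main__":
    for mode in ("targeted", "sweeping"):
        for paths in (1, 4):
            frac = simulate_outage(20, paths, 3, 200, mode)
            print(f"{mode:9s} paths={paths}: outage in {frac:.0%} of rounds")
```

A single-path client is cut off in every round by an attacker who can follow it, while a client whose path count exceeds the attacker's per-round capacity never loses all connectivity in this model; application state lost with each dead node is not modelled.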
Additional DoS attacks, such as exhaustion attacks (e.g., CPU-exhaustion and memory-exhaustion attacks) and IP-spoofing attacks, can also succeed against prior systems. In exhaustion attacks an attacker can overload and, thus, exhaust a component of a system so that it cannot function. In an IP-spoofing attack, an attacker can gain unauthorized access to a computer or a network by making it appear that a message has come from a trusted machine.
Accordingly, it is desirable to provide systems and methods for inhibiting attacks with a multi-path network.