Identifying a distributed denial of service (DDoS) attack within a network and defending against such an attack

Packet data network technology, applied to identifying a distributed denial of service (DDoS) attack within a packet data network and defending against such an attack. It addresses the problem that such attacks not only damage the intended target but threaten the stability of the Internet itself, and aims to mitigate and/or obviate the disadvantages associated with known detection and defence systems.

Inactive Publication Date: 2006-01-12
IBM CORP
69 Cites, 128 Cited by

AI Technical Summary

Benefits of technology

[0019] Therefore, the present invention provides methods, apparatus and systems for detecting DDoS attacks at suitable points within the Internet that mitigate and/or obviate disadvantages associated with known detection systems, particularly Intrusion Detection Systems, including Internet firewalls as presently available. The pres...

Problems solved by technology

Internet connected devices, systems and networks are today facing a rapidly expanding and real threat from DoS attacks.
Such attacks not only damage the intended target but threaten the stability of the Internet itself.
The motive for most DoS attacks still appears to be a desire by computer hackers to show off, express anger or seek revenge, for example; but evidence exists that DoS attacks are increasingly being used by cyber-criminals to blackmail enterprises that draw most of their revenue from on-line (Internet based) activities, and there is a fear that terrorists will use DoS attacks as a means of disrupting governance by governmental organisations.
This design freedom, which affords easy user participation in the Internet, also provides opportunities for abuse such as DoS attacks.
Also, security in the Internet is highly interdependent.
Often these attacks were manually configured, which limited their frequency and effectiveness, and they could readily be defended against by source address packet filtering, for example.
With single-source DoS attacks it was possible to trace the source of the attack where the packets carried their actual source address, and to employ packet filtering, for example, to discard packets received from that source. DDoS attacks are more malicious in that the number of subverted hosts sending useless packets towards the target may run to tens or even hundreds of thousands, and in that address spoofing, masking the identities of the subverted hosts, is also often employed.
Even if the sources of the useless packets can be identified, this may not assist the target in defending itself, since the received packets may come from legitimate sources that were prompted to send packets towards the target, as occurs in so-called reflector or indirect DDoS attacks.
Blocking packets from these sources will also block packets from legitimate users.
Although detection of a DDoS attack allows the target to implement defences such as packet filtering, whilst it still has some available packet processing resources not overwhelmed b...



Embodiment Construction

[0044] The present invention provides methods, apparatus and systems for detecting DDoS attacks at suitable points within the Internet that mitigate and/or obviate disadvantages associated with known detection systems, particularly Intrusion Detection Systems, including Internet firewalls as presently available. The present invention also provides novel means for implementing such a method. The present invention further provides a method of more intelligently filtering received packets at a target network or the like, which mitigates and/or obviates disadvantages associated with existing DDoS defence systems, and a means for implementing that method.

[0045] In another example embodiment, the invention provides a method of detecting a distributed denial of service (DDoS) attack in the Internet. The method comprises the steps of: sampling packets at a point in the Internet during a number of time intervals of a first predetermined time period to obtain data pertaining to the sou...


Abstract

The invention provides methods, apparatus and systems for detecting distributed denial of service (DDoS) attacks within the Internet by sampling packets at a point or points in Internet backbone connections to determine a packet metric parameter. The packet metric parameter which might comprise the volume of packets received is analysed over selected time intervals with respect to specified geographical locations in which the hosts transmitting the packets are located. The expected behaviour can be employed to identify traffic distortions revealing a DDoS attack. In a complementary aspect, the invention provides a method of authenticating packets at routers in order to elevate the QoS of authenticated packets. This method can be used to block or filter packets and can be used in conjunction with the DDoS attack detection system to defend against DDoS attacks within the Internet in a distributed manner.
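The detection side of the abstract can be illustrated as a small script: sampled packets are bucketed by the geographical region of their source host and by time interval, per-region volume during a quiet baseline period defines the expected behaviour, and a later period is checked for regions whose volume deviates from it. The code below is an added example and is not code from the patent or from IBM. The prefix-to-region table, the 10-second interval, the z-score and ratio thresholds, and the sample packets are all constructed assumptions; the patent fixes none of them.

```python
"""Geo-bucketed volume anomaly detection over sampled packets.

Added illustrative code, not the patent's own method. The geolocation table,
thresholds and packet samples below are constructed for the example.
"""
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

INTERVAL = 10  # seconds per time interval (assumed value)

# Constructed prefix-to-region table standing in for a real geolocation database.
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "EU"),
    (ipaddress.ip_network("198.51.100.0/24"), "NA"),
    (ipaddress.ip_network("203.0.113.0/24"), "AP"),
]


def region_of(ip):
    """Map a source address to a region; anything outside the table is UNMAPPED."""
    addr = ipaddress.ip_address(ip)
    for net, region in GEO_TABLE:
        if addr in net:
            return region
    return "UNMAPPED"


def bin_counts(samples, interval, start, end):
    """Return {region: [packet count per interval]} for samples with start <= ts < end."""
    n = (end - start) // interval
    counts = defaultdict(lambda: [0] * n)
    for ts, src in samples:
        if start <= ts < end:
            counts[region_of(src)][int((ts - start) // interval)] += 1
    return dict(counts)


def baseline(samples, interval, start, end):
    """Expected behaviour: per-region (mean, stddev) of interval volume over a quiet period."""
    return {r: (mean(c), pstdev(c))
            for r, c in bin_counts(samples, interval, start, end).items()}


def detect(samples, interval, base, start, end, z=3.0, min_ratio=3.0):
    """Flag (region, interval_index, count) whose volume is a distortion of the baseline.

    A region absent from the baseline gets (0, 0), so a new region that suddenly
    sources traffic is flagged too. The stddev floor of 1.0 stops a perfectly flat
    baseline from alerting on a one-packet change, and min_ratio demands that the
    volume also be several times the mean, not merely a few sigma above a tiny one.
    """
    alerts = []
    for region, counts in bin_counts(samples, interval, start, end).items():
        mu, sigma = base.get(region, (0.0, 0.0))
        for i, c in enumerate(counts):
            if c > mu + z * max(sigma, 1.0) and c >= min_ratio * max(mu, 1.0):
                alerts.append((region, i, c))
    return alerts


def make_samples(spec, interval, start):
    """Construct (timestamp, src_ip) samples: spec is {prefix: [count per interval]}."""
    out = []
    for prefix, per_interval in spec.items():
        hosts = list(ipaddress.ip_network(prefix).hosts())
        for i, k in enumerate(per_interval):
            t0 = start + i * interval
            for j in range(k):  # spread the k packets evenly inside the interval
                out.append((t0 + j * interval / k, str(hosts[j % len(hosts)])))
    return out


# Constructed quiet period (0..60 s) and attack period (60..120 s). During the
# attack, AP hosts surge in intervals 2 and 3 and an unmapped prefix appears.
BASELINE_SPEC = {
    "192.0.2.0/24": [20, 21, 19, 20, 22, 18],
    "198.51.100.0/24": [30, 31, 29, 30, 30, 30],
    "203.0.113.0/24": [10, 10, 11, 9, 10, 10],
}
ATTACK_SPEC = {
    "192.0.2.0/24": [20, 21, 20, 19, 21, 20],
    "198.51.100.0/24": [30, 29, 31, 30, 30, 30],
    "203.0.113.0/24": [10, 11, 80, 90, 12, 10],
    "100.64.0.0/24": [0, 0, 0, 50, 0, 0],
}
BASELINE_SAMPLES = make_samples(BASELINE_SPEC, INTERVAL, 0)
ATTACK_SAMPLES = make_samples(ATTACK_SPEC, INTERVAL, 60)


def run():
    """Learn expected behaviour from the quiet period, then scan the attack period."""
    base = baseline(BASELINE_SAMPLES, INTERVAL, 0, 60)
    return detect(ATTACK_SAMPLES, INTERVAL, base, 60, 120)


if __name__ == "__main__":
    for region, idx, count in run():
        print(f"interval {idx}: region {region} sent {count} sampled packets (distortion)")
```

Two things worth noting about the design: the per-region baseline is what makes an unmapped or previously silent region stand out, which is the geographical angle the abstract relies on, and the ratio test keeps a single busy second from tripping an alert for a region whose baseline is small. A real deployment would compute the baseline as a rolling window rather than a fixed first period, and the sampling rate at a backbone point would be far below one-in-one.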

Description

FIELD OF THE INVENTION [0001] The present invention is directed to identifying a distributed denial of service (DDoS) attack within a packet data network and defending against such an attack. More particularly, the present invention concerns identifying a DDoS attack against a target (victim) device, system and/or network connected to the Internet, and a method of mitigating the effects of such an attack on the target. BACKGROUND OF THE INVENTION [0002] A denial of service (DoS) attack is an explicit attempt by an attacker or attackers to prevent or impair the legitimate use of a host computer, a router, a server, a network or the like. Whilst such attacks can be launched from within a target network itself, the overwhelming majority are launched from external systems and networks connected to the target via the Internet. Internet connected devices, systems and networks are today facing a rapidly expanding and real threat from DoS attacks. Such attacks not only dam...

Claims


Application Information

IPC(8): G06F17/00
CPC: H04L63/1425; H04L2463/141; H04L63/1458; H04L12/22
Inventors: ROONEY, JOHN G.; GIBLIN, CHRISTOPHER J.; WALDVOGEL, MARCEL; HURLEY, PAUL T.
Owner IBM CORP