CA2390850C - System and method for the detection of and reaction to denial of service attacks - Google Patents
System and method for the detection of and reaction to denial of service attacks Download PDFInfo
- Publication number
- CA2390850C CA2390850C CA002390850A CA2390850A CA2390850C CA 2390850 C CA2390850 C CA 2390850C CA 002390850 A CA002390850 A CA 002390850A CA 2390850 A CA2390850 A CA 2390850A CA 2390850 C CA2390850 C CA 2390850C
- Authority
- CA
- Canada
- Prior art keywords
- service
- network
- denial
- challenge
- attacks
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/12—Discovery or management of network topologies
Abstract
Challenge-response and probative methods together or independent of each other enable detection of devices participating in denial of service (DOS) and distributed DOS (DDOS) attacks upon a network resource, and upon identification of devices participating in attacks, minimize the effect of the attack and/or minimize the ability of the device to continue its attack by placing the attacking devices in a state of reduced or denied service.
Description
SYSTEM AND METHOD FOR THE DE'I'I:C"I'ION OF AND K1:ACTION TO
DENIAL Oh SERVICE ATTACItS
Backgrouitd ol' thc Tttventiou Technical Field of the Invention 'l'his invenlion relates to tnortitirrirtg and analyzing a communications rictwork lirr the purpose o1'delecting "hacker" attacks ancl computer terrorism, and to providing lor delense and countcratlaclc. More partieularly, llie invention relates to measuring and rnonitoring ol'netwnrk perfonnanee and throughput, including detecticm c-l'abnomnal conditions indicating presence of cotnputer hacker denial of servicc attacks und reaction to such attacks by a varicty crl"rncans of ciepriving required resources to the hacker.
Background Art Manag,crs uf intorniation systems for publi;: and private enterprises are required to provide ever increasiiig nctwork accesti to tl,eir inf6rrnation systems. As tiiusiness requirements ?(1 for connection to the Tnternet grow, systctn sccurity c.ortccrrrti inea-ease in lock stc.h.
!n implctnontaticros ctf infon-nation systenis prior ttp to the tnid-196Us, no retnote systetll access was possible. Data was fed into and out of computerti from consoles, carcl punches, a.nd c.v.rcl readers all of which wcre clirecl-cahle at.taclied into the cotnputer.
No one outside ot'the i':ND9-2000-0185 1 r r "glass house" (i.e., computer room) had access to the system. The art of data-communications network security did not exist. Security was a local issue enforced by password protection, so that without the proper password, access to the data processing application would be denied.
Password protection ensured that no changes could be made to the system or its contents by unauthorized parties.
Later in the 1960s, remote console and remote card read and punch system access became possible using permanent leased line or dial telephone facilities. A user of the system no longer needed to be physically present in the computer room in order to view or to modify information or programs stored in the system. In order to protect information systems from unwanted access and modification, either of which could damage or destroy a business or organization, new means of protection were devised.
For leased lines, security was ensured by identifying to the computer's operating system the specific communications port to which the leased line was connected. Since the communications port on the computer was telephone wired (by telco modem) directly to the phone company's switching station and thence through other switching stations to the modem and communications port of the console or card/read punch at the remote location, it was extremely difficult for someone to achieve unauthorized access to a computer through its communications port. Specifically, to breach the leased line security at the operating system level would require tapping into the phone line, mimicking the remote device, and having the valid application password.
Unlike a leased line connection which is permanently "hard wired" end to end by the telephone company, anyone with a telephone handset can dial the phone number of a computer system that accepts incoming dial calls. So security for computers in dial environments was achieved by either allowing only outgoing calls (and refusing all incoming calls) or else by accepting dial calls and then using a dial-back method. In the dial-back method, a user of a remote console or card device desiring access to the central computer would dial into the system over a public dial network number, providing the remote user's own phone number. The computer at the data center would then terminate the call, check to see if the remote caller's phone number was on the approved phone number list, and, if it were, then the data center's communications equipment would dial the remote user so that communication could occur. As with leased line connections, operating system- level security together with application program-level password security effectively prevented unauthorized access to the computer system. Overall then, in systems of the 1960s and through the 1980s, the user's i.d., the user's device, the user's network connection, and/or the user's password uniquely identified the user for purposes of authorization for system access.
While the dial-back method helped ensure system security at levels comparable to that of the hardwired leased line environment, the dial environment had a security issue peculiar to it and from which leased line systems did not suffer. Anyone who knew the central computer's dial port phone number(s) could repeatedly dial into the system, thereby tying up all of the computer's dial access ports and preventing access by legitimate users.
Moreover, system resources would be occupied by the burden of repeatedly checking authorization and rejecting the unauthorized caller, thereby consuming valuable computer system resources, farther disrupting the computer services of the organization. For this reason, armed forces and police agencies kept computer dial access numbers strictly confidential, revealing them only on a "need to know" basis. Businesses learned to do this as well. For example, during the oil shortages of the 1970s, when petroleum product prices skyrocketed, oil companies became highly conscious of ensuring that their computer access dial numbers were kept in strictest confidence for fear that disgruntled parties would "jam" their computer systems with unwanted calls.
So, where systems were exposed to general access through the public dial network, the art of network security consisted in part of simply keeping the dial numbers secret in order to prevent disruptive jamming attacks.
In the 1990s businesses and organizations of all types found themselves with a requirement to attach to the Internet in order to engage in commerce with or provide information to the public. The primary purpose of communications systems prior to the Internet was to enable the members of an organization to connect to their own organization's computer systems. In the Internet environment, organizations connect to the worldwide web often for the express purpose , 1 õ ,i 1 11 of allowing anyone from anywhere to connect to their system. The procedures for system security that predated the Internet, namely, end-to-end hardwired leased line connections, dial-back, and application password protection that had worked well for intra-organization communication needed upgrades to meet the challenges of the new, open environment. In particular, the procedures of leased line connections, dial-back mechanisms, keeping access numbers (network addresses) secret, and operating system definitions and authorization lists were designed specifically to prevent "strangers" from accessing the organization's computer systems. In the Internet environment, it is often desirable for the organization to make its systems known to worldwide web search engines precisely for the purpose of ensuring that anyone, anywhere can locate the systems, traverse the Internet, and gain access to the organization's computing systems.
With "strangers" everywhere able to access the systems of virtually every major organization across the Internet, new procedures were developed for protecting the computer-resident resources of organizations. The new procedures included use of the TCP/IP
protocol and firewall technology.
TCP/IP protocol includes the addressing of network transmission packets by means of sockets. A socket consists of an IP network-level address (representing the address of the device's network adapter) plus a TCP application-level address. Each network packet contains a "from" socket and a "to" socket. These sockets represent the originating device's network address and application identifier and the target device's network address and application identifier. Sockets provide a basis for network security because they identify the location of the packet's originator as well as the service (i.e., application) being requested. At the destination site, incoming packets can be examined and it can be determined, for example, whether or not the incoming packet's source address is that of a device that belongs to the organization, and whether or not the application service being requested is a secure (private) or non-secure (public) service.
A special device can be set up to "filter" incoming requests by examining their source and destination sockets and thus serve as a gatekeeper that protects an organization's internal processing systems from intruders while allowing all comers to access to the organization's 11 1 11 r k I 61 public processing systems. These special devices are called "firewalls," and they examine incoming packets' source and target sockets and determine from customized tables whether the request should be forwarded or discarded. A firewall would be used by, say, an automobile manufacturer to make sure that anyone can connect to its systems through the Internet to get general information about the models it sells and currently available rebates, while also making sure that only authorized parties can access the systems that process that company's accounts payable systems. Often firewalls are set up "behind" the organization's publicly accessible systems so that they only examine packets addressed to the organization's private, restricted-access systems in order to deny service to unauthorized parties. In this design, firewall devices are thus spared the overhead of examining packets targeted for the publicly accessible systems and only examine packets targeted for the organization's private systems and applications.
However, the current art for network and system security, which uses TCP/IP
socket protocol and firewall technology does not provide complete protection for an organization's systems. Just as systems with dial ports have an exposure to "jamming" by anyone with a telephone, Internet connected systems have a similar exposure to anyone with an Internet-connected computer. Exacerbating the problem is that while it is possible and desirable for an organization to keep its computer dial access numbers secret, it is usually not desirable to do so with web addresses of systems designed for public access. This leaves the systems of Internet-connected organizations open for attacks, including jamming attacks known as denial of service (DOS) attacks or distributed denial of service (DDOS) attacks, in which streams of traffic are directed at an organization's Internet-connected systems.
An article from the New York Times illustrates the magnitude of the problem and the current helplessness of even state of the art facilities to cope with such attacks:
The CERT Coordination Center is one of the premier places that the online world turns to for information when computer vandals attack; the federally financed research center, operated by Carnegie Mellon University, has long served as a clearing house for news on new viruses, worms, and other virtual nastiness. But yesterday and Tuesday it was CERT
that was being bombarded, and the center did not hold. Its web site was knocked out by a distributed denial of service attack, in which malicious hackers take over computers on the Internet and cause them to flood a target site with demands for data and other small tasks. A denial of service does not involve a break-in at the target site; it just keeps the victim's machine so busy responding to the stream of automated requests that legitimate visitors cannot get in. CERT, which stands for Computer Emergency Response Team, thus became one of thousands of sites each week to be subjected to this form of attack.
(The Web site for the White House also came under attack on Tuesday and was blocked for about six hours , Jimmy Orr, a White House spokesman, said.) At Carnegie Mellon University in Pittsburgh, data flowed into the CERT network at rates "a couple of hundred times higher than any peak we've ever seen before," said Rich Pethia, director of the part of the Software Engineering Institute at Carnegie Mellon that runs CERT.
Although computer viruses, worms, and other so-called malware can be countered with good security practices, and up-to-date defensive software, distributed denial of services attacks are hard to protect against, Mr. Pethia said: "There is no good way to defend against it or stop it once it's started. The Internet wasn't built with any built-in flow control, so there's no way to throttle back" on such attacks. He said that no one had determined where the attacks had come from and that the case was being investigated.
The commandeered computers, which security experts call zombies, are often programmed to fabricate the Internet's version of a return address so that the sources of the attack are obscured. About 4,000 sites experience denial of service attacks each week, according to a new paper from researchers at the University of California at San Diego... New York Times May 24, 2001, section C, page 5, John Schwartz, "Computer Vandals Clog Antivandalism Web site."
As this article illustrates, the current art contains no effective means of defending public web sites from DDOS attacks.
DENIAL Oh SERVICE ATTACItS
Backgrouitd ol' thc Tttventiou Technical Field of the Invention 'l'his invenlion relates to tnortitirrirtg and analyzing a communications rictwork lirr the purpose o1'delecting "hacker" attacks ancl computer terrorism, and to providing lor delense and countcratlaclc. More partieularly, llie invention relates to measuring and rnonitoring ol'netwnrk perfonnanee and throughput, including detecticm c-l'abnomnal conditions indicating presence of cotnputer hacker denial of servicc attacks und reaction to such attacks by a varicty crl"rncans of ciepriving required resources to the hacker.
Background Art Manag,crs uf intorniation systems for publi;: and private enterprises are required to provide ever increasiiig nctwork accesti to tl,eir inf6rrnation systems. As tiiusiness requirements ?(1 for connection to the Tnternet grow, systctn sccurity c.ortccrrrti inea-ease in lock stc.h.
!n implctnontaticros ctf infon-nation systenis prior ttp to the tnid-196Us, no retnote systetll access was possible. Data was fed into and out of computerti from consoles, carcl punches, a.nd c.v.rcl readers all of which wcre clirecl-cahle at.taclied into the cotnputer.
No one outside ot'the i':ND9-2000-0185 1 r r "glass house" (i.e., computer room) had access to the system. The art of data-communications network security did not exist. Security was a local issue enforced by password protection, so that without the proper password, access to the data processing application would be denied.
Password protection ensured that no changes could be made to the system or its contents by unauthorized parties.
Later in the 1960s, remote console and remote card read and punch system access became possible using permanent leased line or dial telephone facilities. A user of the system no longer needed to be physically present in the computer room in order to view or to modify information or programs stored in the system. In order to protect information systems from unwanted access and modification, either of which could damage or destroy a business or organization, new means of protection were devised.
For leased lines, security was ensured by identifying to the computer's operating system the specific communications port to which the leased line was connected. Since the communications port on the computer was telephone wired (by telco modem) directly to the phone company's switching station and thence through other switching stations to the modem and communications port of the console or card/read punch at the remote location, it was extremely difficult for someone to achieve unauthorized access to a computer through its communications port. Specifically, to breach the leased line security at the operating system level would require tapping into the phone line, mimicking the remote device, and having the valid application password.
Unlike a leased line connection which is permanently "hard wired" end to end by the telephone company, anyone with a telephone handset can dial the phone number of a computer system that accepts incoming dial calls. So security for computers in dial environments was achieved by either allowing only outgoing calls (and refusing all incoming calls) or else by accepting dial calls and then using a dial-back method. In the dial-back method, a user of a remote console or card device desiring access to the central computer would dial into the system over a public dial network number, providing the remote user's own phone number. The computer at the data center would then terminate the call, check to see if the remote caller's phone number was on the approved phone number list, and, if it were, then the data center's communications equipment would dial the remote user so that communication could occur. As with leased line connections, operating system- level security together with application program-level password security effectively prevented unauthorized access to the computer system. Overall then, in systems of the 1960s and through the 1980s, the user's i.d., the user's device, the user's network connection, and/or the user's password uniquely identified the user for purposes of authorization for system access.
While the dial-back method helped ensure system security at levels comparable to that of the hardwired leased line environment, the dial environment had a security issue peculiar to it and from which leased line systems did not suffer. Anyone who knew the central computer's dial port phone number(s) could repeatedly dial into the system, thereby tying up all of the computer's dial access ports and preventing access by legitimate users.
Moreover, system resources would be occupied by the burden of repeatedly checking authorization and rejecting the unauthorized caller, thereby consuming valuable computer system resources, farther disrupting the computer services of the organization. For this reason, armed forces and police agencies kept computer dial access numbers strictly confidential, revealing them only on a "need to know" basis. Businesses learned to do this as well. For example, during the oil shortages of the 1970s, when petroleum product prices skyrocketed, oil companies became highly conscious of ensuring that their computer access dial numbers were kept in strictest confidence for fear that disgruntled parties would "jam" their computer systems with unwanted calls.
So, where systems were exposed to general access through the public dial network, the art of network security consisted in part of simply keeping the dial numbers secret in order to prevent disruptive jamming attacks.
In the 1990s businesses and organizations of all types found themselves with a requirement to attach to the Internet in order to engage in commerce with or provide information to the public. The primary purpose of communications systems prior to the Internet was to enable the members of an organization to connect to their own organization's computer systems. In the Internet environment, organizations connect to the worldwide web often for the express purpose , 1 õ ,i 1 11 of allowing anyone from anywhere to connect to their system. The procedures for system security that predated the Internet, namely, end-to-end hardwired leased line connections, dial-back, and application password protection that had worked well for intra-organization communication needed upgrades to meet the challenges of the new, open environment. In particular, the procedures of leased line connections, dial-back mechanisms, keeping access numbers (network addresses) secret, and operating system definitions and authorization lists were designed specifically to prevent "strangers" from accessing the organization's computer systems. In the Internet environment, it is often desirable for the organization to make its systems known to worldwide web search engines precisely for the purpose of ensuring that anyone, anywhere can locate the systems, traverse the Internet, and gain access to the organization's computing systems.
With "strangers" everywhere able to access the systems of virtually every major organization across the Internet, new procedures were developed for protecting the computer-resident resources of organizations. The new procedures included use of the TCP/IP
protocol and firewall technology.
TCP/IP protocol includes the addressing of network transmission packets by means of sockets. A socket consists of an IP network-level address (representing the address of the device's network adapter) plus a TCP application-level address. Each network packet contains a "from" socket and a "to" socket. These sockets represent the originating device's network address and application identifier and the target device's network address and application identifier. Sockets provide a basis for network security because they identify the location of the packet's originator as well as the service (i.e., application) being requested. At the destination site, incoming packets can be examined and it can be determined, for example, whether or not the incoming packet's source address is that of a device that belongs to the organization, and whether or not the application service being requested is a secure (private) or non-secure (public) service.
A special device can be set up to "filter" incoming requests by examining their source and destination sockets and thus serve as a gatekeeper that protects an organization's internal processing systems from intruders while allowing all comers to access to the organization's 11 1 11 r k I 61 public processing systems. These special devices are called "firewalls," and they examine incoming packets' source and target sockets and determine from customized tables whether the request should be forwarded or discarded. A firewall would be used by, say, an automobile manufacturer to make sure that anyone can connect to its systems through the Internet to get general information about the models it sells and currently available rebates, while also making sure that only authorized parties can access the systems that process that company's accounts payable systems. Often firewalls are set up "behind" the organization's publicly accessible systems so that they only examine packets addressed to the organization's private, restricted-access systems in order to deny service to unauthorized parties. In this design, firewall devices are thus spared the overhead of examining packets targeted for the publicly accessible systems and only examine packets targeted for the organization's private systems and applications.
However, the current art for network and system security, which uses TCP/IP
socket protocol and firewall technology does not provide complete protection for an organization's systems. Just as systems with dial ports have an exposure to "jamming" by anyone with a telephone, Internet connected systems have a similar exposure to anyone with an Internet-connected computer. Exacerbating the problem is that while it is possible and desirable for an organization to keep its computer dial access numbers secret, it is usually not desirable to do so with web addresses of systems designed for public access. This leaves the systems of Internet-connected organizations open for attacks, including jamming attacks known as denial of service (DOS) attacks or distributed denial of service (DDOS) attacks, in which streams of traffic are directed at an organization's Internet-connected systems.
An article from the New York Times illustrates the magnitude of the problem and the current helplessness of even state of the art facilities to cope with such attacks:
The CERT Coordination Center is one of the premier places that the online world turns to for information when computer vandals attack; the federally financed research center, operated by Carnegie Mellon University, has long served as a clearing house for news on new viruses, worms, and other virtual nastiness. But yesterday and Tuesday it was CERT
that was being bombarded, and the center did not hold. Its web site was knocked out by a distributed denial of service attack, in which malicious hackers take over computers on the Internet and cause them to flood a target site with demands for data and other small tasks. A denial of service does not involve a break-in at the target site; it just keeps the victim's machine so busy responding to the stream of automated requests that legitimate visitors cannot get in. CERT, which stands for Computer Emergency Response Team, thus became one of thousands of sites each week to be subjected to this form of attack.
(The Web site for the White House also came under attack on Tuesday and was blocked for about six hours , Jimmy Orr, a White House spokesman, said.) At Carnegie Mellon University in Pittsburgh, data flowed into the CERT network at rates "a couple of hundred times higher than any peak we've ever seen before," said Rich Pethia, director of the part of the Software Engineering Institute at Carnegie Mellon that runs CERT.
Although computer viruses, worms, and other so-called malware can be countered with good security practices, and up-to-date defensive software, distributed denial of services attacks are hard to protect against, Mr. Pethia said: "There is no good way to defend against it or stop it once it's started. The Internet wasn't built with any built-in flow control, so there's no way to throttle back" on such attacks. He said that no one had determined where the attacks had come from and that the case was being investigated.
The commandeered computers, which security experts call zombies, are often programmed to fabricate the Internet's version of a return address so that the sources of the attack are obscured. About 4,000 sites experience denial of service attacks each week, according to a new paper from researchers at the University of California at San Diego... New York Times May 24, 2001, section C, page 5, John Schwartz, "Computer Vandals Clog Antivandalism Web site."
As this article illustrates, the current art contains no effective means of defending public web sites from DDOS attacks.
Initially, DOS attacks came from individual machines from which individual hackers streamed data (e.g., ping echo packets) to web-attached servers in an effort to flood the network and burden the server with the overhead of handling the stream of data.
Attacked parties learned how to diagnose, stop, and take network traces (a log of all network traffic) of DOS attacks by "lone wolf' hackers.
Today, hackers have the upper hand, because they have learned how to take control of or "borrow" multiple web-attached computers in different organizations ("masters"), use these master machines to infiltrate many more computers in different organizations ("zombies"), embed DOS attack code scripts (or, trojan-horses) in the zombies through the masters, and then issue commands from the masters to the zombies to run the scripts directed at the server(s) of a targeted organization.
The hackers, twice removed from the attacking zombie machines, are difficult to trace.
The attacks coming from many different zombies in many different networks comprise DDOS
attacks that are hard to detect and control. The scripts run by the zombies are a nasty assemblage of echo packet floods, status requests, incomplete logins, deliberate causes of connection error conditions, false reports of errors, and transmissions of packets requiring special handling. These vicious scripts, run from hundreds or thousands of zombies, are designed to flood the network, tie up system control blocks, and siphon web server computing power to the point that the attacked webserver network and system can no longer provide service to legitimate users. All the while, the zombie computers causing the damage are owned by legitimate organizations which have no idea that their systems are being used in attacks on other organizations.
The current best procedure for defending against such attacks, as documented in the CERT web site, consists of owners of web sites monitoring the network and server equipment they own for conditions of abnorrnally high utilization. When detected, high utilization is reported to the Internet Service Providers (ISPs) through which the organization connects to the Internet. Each ISP network connects to a large number of organizations. The ISPs then search their networks in order to fmd areas of low utilization. The ISPs trace (i.e., record) all user traffic in that area of low utilization, and then scan the recorded traces looking for devices that are issuing sequences of commands of type and frequency that attacking zombies would issue.
Zombies are easier to locate in areas of lower as opposed to higher utilization because the zombies contribute a relatively higher proportion of the records in the trace log, so their activity is more readily identified. Once a zombie is located, the ISP can trace all traffic from that zombie to the attacked system, thereby enabling those fighting the attack to better understand its nature. And although commands from the master computers to the zombies are not necessary once an attack has started, an ongoing trace of the zombie's activity can, with luck, record commands being sent from the zombie's master (the computer which has loaded attack code scripts into the zombie and activated the attack). When a master is found, it is possible not only to regain control of the master, but also to reclaim all of the zombies under its control. With very good luck, it may also be possible to take traces from a master computer and locate the hacker controlling the master, although skilled hackers usually perform "hit and run"
operations in which they start and stop attacks and erase their footprints in a matter of hours, long before the currently available problem diagnosis and identification processes can be effectively employed.
A sixteen year old Canadian who brought down the sites of Amazon.com, Yahoo, e-Bay, and Charles Schwab, was identified months after his attacks not as a result of the extensive forensic diagnostic effort undertaken in response, but rather because the youth bragged in an online chat group (Ellen Messmer and Denise Pappalardo, Network World, Feb. 12, 2001).
The current procedure thus has deficiencies in the speed with which attacks are detected and the speed and efficacy of reaction to such attacks. In the future, the weak security functions and administration processes that allow hackers to take over innocent systems will be improved, making creation of armies of zombies by hackers a much more difficult task. In addition, filtering intelligence, which currently runs at the processor level and is therefore too slow and expensive to apply in a sophisticated manner to all traffic entering a web site, will be embedded into the microcode on the router cards that control individual network interfaces.
a The distribution and lowering of cost of router function can be expected to improve early recognition of attacks and quick reaction by invocation of filtering to slow or stop DDOS attacks.
And in the future environment in which distributed filtering prevents attacks involving floods of administrative requests, it can be anticipated that hackers will attempt DDOS
non-administrative flooding of servers.
In response to the current DDOS environment, it is an object of the invention to provide system and method for faster, more effective detection of utilization spikes associated with DDOS attacks.
It is desired to provide a system and method for prevention of both administrative and non-administrative message flooding DDOS attacks.
Summary of the Invention In accordance with the a first aspect of the invention, a system and method is provided for detection of DDOS (distributed denial of service) attacks, including issuing a bit mapped challenge in response to a login request from a requester of services; and responsive to an incorrect response to the challenge, placing the requester in a state of limited service.
In accordance with a second aspect of the invention, a system and method is provided for detection of DDOS attacks, including executing a network probing test frame transmission and analysis procedure to detect a hacker denial of service attack; and responsive to detecting a denial of service attack, placing the hacker in a lower level of service state.
In accordance with an aspect of the invention, there is provided a computer program product configured to be operable to detect and respond to distributed denial of service attacks.
Other features and advantages of this invention will become apparent from the following detailed description of the presently preferred embodiment of the invention, taken in conjunction with the accompanying drawings.
Brief Description of the Drawings Figure 1 illustrates a communications network and network evaluation system in accordance with the preferred embodiment of the system of invention for detecting and preventing DDOS attacks.
Figure 2 illustrates a communications network and system for recognition of attacks and identification of stations involved in attacks.
Figure 3 illustrates a bit-encoded login challenge display of an exemplary embodiment of the invention.
Figure 4 illustrates an exemplary embodiment of the invention for load balancing a distributed denial of service attack to a low quality service provider.
Best Mode for Carrying Out the Invention In pending patent application Silverman 1, methods are provided for determining the discrete speed and utilization of a network and the streaming speed and utilization of a network.
Discrete (i.e., individual) packets and streams of packets travel at different speeds across any given multihop connection. The stream has a rate approaching the bottleneck facility speed in the connection, while discrete packets travel at a slower speed. End-to-end discrete utilization increases incrementally for each hop with competing traffic in the connection, whereas streaming utilization has effect only on that hop having the lowest available throughput.
By means of the system and method described in the predecessor patent application, the end- to-end discrete and streaming speeds and utilizations of the network can be computed for any connection.
One level of DDOS detection consists of using the system and methods described to detect spikes in streaming and discrete utilization. Since this method works across both the network of the web server under attack and the network of the ISPs across which the attack is occurring, the attacked party will (1) recognize the attack more quickly than before; (2) recognize areas of higher network utilization and lower utilization in both the intranet and in the connecting ISP networks so that the organization under attack can provide fast guidance to the ISPs as to the location of areas of low utilization (where traces can be taken with a degree of probability of locating instances of zombies) and high utilization (where defensive ISP
router filtering scripts may most profitably be invoked) instead of relying on the ISPs to perform this activity; and(3) be able to "fingerprint" the utilization patterns of zombies and identify their occurrences thus enabling faster recognition of attacks and faster diagnosis of the origin of the attacks.
In accordance with a preferred embodiment of the invention, a system and method is provided for preventing DDOS attacks. DDOS attacks are accomplished by hackers who infiltrate sets of computers (masters) and then use each master to infiltrate "trojan-horse" code scripts into a large number subservient computers (zombies). The zombies' scripts are then activated at some point of time in a coordinated attack on an organization's web server system.
Zombies are "borrowed" machines that run scripts to attack.
Referring to Figure 1, S1, S2, ... S6 are server machines, meaning that they are computers running application programs accessed by local and remote users; T1, T2, ... T9 are test stations, meaning that they run the code that performs network speed, utilization, and latency testing as described in Silverman 1; and Zi, Z2,... Z4 are zombie machines, meaning that they have been taken over by hackers who have installed code designed to attack servers addressable through the Internet (i.e., the zombies contain trojan-horse code intended for attack on web site servers SI,...S6).
Organization 1 has a set of three web servers S1-S3 in its intranet 20 that are connected to Internet 22. In this instance, although it is not necessary, they are depicted as being protected by a firewall 24. Since servers S 1-S3 are intended for public access, firewall 24 is optional. Not depicted is a possible connection between this intranet 20 and a more secure intranet which would house servers belonging to Organization 1 that are not intended for public access. These latter servers, which might house applications such as accounts payable and receivable, would certainly be protected by a firewall which filters traffic in an effort to allow only authorized parties to access those secure servers.
Three test stations T1-T3 are depicted in Org 1's intranet 20. Not all three are required.
However, T2 depicts that a test station can be located within an application server S3, T3 within or adjacent to the firewall 24, or T1 anywhere else within intranet 20.
The application service provider (ASP) intranet 26 has the same setup. This is a third party entity that for a fee hosts web services for organizations such as Organization 1. Akamai is an example of an ASP.
Test stations T 1-T3 can perform testing within the Org 1 intranet 20. Test stations T6-T8 can perform testing within the ASP intranet 26. For example, T1 can test T2, T3, S1, S2, and S3.
T4 belongs to Org 1 but sits outside the Org 1 firewall and is not part of the Org 1 intranet. T4 is connected to internet 22 without firewall separation. It can perform testing anywhere in and across the internet up to any firewall. So T4 can test Z4, T5, and T9.
Testing is ordinarily performed by means of ICMP pings. ICMP is part of the TCP/IP
protocol stack, so nearly all Internet connected devices respond to pings.
Ordinarily, firewalls do not allow pings to pass, so testing is normally easy within networks and up to their firewalls.
Firewalls that do not pass pings can be successfully passed through for testing if there is a port (an application address) for which the firewall does not block traffic and for which the testing station and receive station are programmed to communicate. Such programming is also required for one way pinging, as described in Silverman 1.
By way of example, in operation, suppose a hacker has taken over and zombified (that is, infected with a trojan-horse code) Z1,...,Z4. Suppose Organization 1 services web users through servers S1,...,S3 in its intranet 20 as well as through S4,...,S6 in the ASP
intranet 26. Org 1 pays a fee to the ASP and both the ASP and Org 1 have test equipment running the test code.
Suppose also that zombies Z1,...,Z4 contain no cooperative code for testing, and that they will only respond to pings. Suppose further that Organization 2, which is the unwitting owner of Zombies Z1,...,Z3, has programmed its firewall so that pings do not get through it. The hacker has set a timer, and now the attacks begin.
T3 and T6 have been monitoring their respective intranets 20, 26, so there is a record of average utilization (per time of day). If the zombies are successful, a utilization increase will be observed.
T4, T5, and T9, (T9 is owned by Org 1 but connected directly to the internet, possibly from an employees home or a remote Org 1 office) monitor Internet 22. They can detect areas of abnormally high utilization and can probe to find hot spots. Areas of low utilization can be reported to internet service providers (ISl's) so that they can perform tracing. In this case, T9, T4, or T5 might detect that ISP 2 (or a specific portion of ISP 2) is an area with some connections to its web site but with relatively low activity. Thus, the ISP 2 could be directed rapidly to trace and locate sources of suspicious activity. Testing could be performed possibly up to firewall 30 to determine that it is a hotbed of zombie activity. Various protective actions could then be taken, such as notifying Organization 2 and, possibly, invoking filtering at firewalls 24 and 32 to deny access to organization Org 1 and ASP organization 2 resources.
Referring to Figure 2, a hacker seiver 40 is located on Internet 42. This device contains scripts which hackers can load into their systems and then probe for susceptible web-attached devices into which the scripts can be loaded as trojan-horse code. These devices will become zombie masters Z 1-Z3. In turn, the zombie masters Z 1-Z3 can infiltrate hundreds or thousands of other web-attached computers, turning them into zombies, which can be unleashed as an army of attackers on command from the master.
Hacker servers 40 are often well-known devices with addresses available through Internet chat-rooms. As shown in Figure 2, Unix and Windows systems 44-49 are located in an organization's test network 50. Various versions of Unix and Microsoft Windows operating systems are the prevalent operating systems for web-attached devices, and the diagram represents that some combination is being employed here. These devices 44-49, on Test Net 50, can access Internet 42 and download master attack scripts from hacker server 40. Test devices located Test Net 2 can be taken over by these masters and enrolled as zombies Z1-Z3. The zombies can then launch an attack on servers (here depicted as S1,...,S3 on Test Net 50, although they could be on any other test network).
T1,...,T3 are network testing devices running the code described in this application and in Silverman 1, which measures network speed, latency, and utilization.
Successive tests can be run to see the utilization patterns of individual zombies and groups of zombies to fingerprint the patterns of traffic generated by different, well-known attack scripts, or trojan-horse code.
This will aid in recognition of attacks and identification of stations involved in attacks.
Two notes. First, many organizations already have such test networks in place in order to test new releases of code and to assist in capacity and change tests. So a test station such as T2 could be used to determine and record the patterns of a normal system load as well as how that load changes when an attack is launched. Second, without loss of generality, a firewall (not shown) could be set up between Test Net 50 and Test Net 54, and the patterns of traffic from the zombies could be observed from both Test Net 1 and Test Net 2.
The attack prevention system and method of a preferred embodiment of the invention includes a bit-mapped challenge issued by the web server to any login request.
Preferably, the challenge contains no EBCDIC or ASCII text. All text and pictures are bit-mapped, so that without a human operator's intervention, the simple challenges to the login request (e.g., "click on the picture of the cow to continue," with 20 different types of animals pictured, or "enter the result of adding two plus two in the box to the lefft" ) cannot be correctly answered by the zombie except by blind luck. Devices that respond incorrectly to the challenge are placed into a state of "purgatory" in which they receive lower or reduced service, such as very limited service or none I. li k 1 11 at all. Devices with human operators will easily answer the challenge, and receive first-class service. This method will prevent zombies from asking for repetitive services from the web site servers from within a connection. From a system perspective, this prevents the zombies from causing connection- supporting control blocks to be maintained and server resources to be used in sufficient quantity to deny service to others.
However, it is still possible that a zombie will iteratively request connection to a web site, even if it will not be able to connect. In this case, the network address of the zombie device will be known to the firewall and/or load balancing software (load balance server 64, Figure 4) so that subsequent connection requests can be filtered out or shunted to a connection with the purgatory (lower) level of service (service provider 62, Figure 4). This method will be effective in cutting off individual or very large numbers of attacking zombies, and can be "akamaized" (that is,placed at the edge of the Internet by a service provider, such as Akamai servers), thereby lirniting the traffic overhead of zombies.
In some instances of attacks, zombies will repeatedly request connections that their controlling scripts will not complete, thereby tying up the attacked system's control blocks, denying system access to others, and will give a new false address for each such attempt. For such cases, the system and methods of Silverman 1 and 2 provide a method for determining the speed, latency, and average queuing delay of the network. This information is then used to help set a timeout value tailored to each login request, so that if the user does not complete the login within the time limit, the control blocks are freed. Repetitive efforts from a station which masquerades under fictitious addresses can be pinpointed by the unique speed and latency of their connection and ejected immediately, or placed into limited service or purgatory category, such as cutting off entirely or providing a lower level of service, thereby freeing prime web site service for legitimate users. Using the methods of Silverman 1 and 2, a plurality of network evaluation signals, or probative test packets, are selectively sent and received through the network. Responsive to these evaluation signals, selective network evaluation parameters are determined and stored. Algebraic, statistical, and queuing theory analysis, responsive to these parameters, determines the response time and throughput characteristics, including capacity, utilization and performance, of the network. Responsive to network evaluation parameters that are determined and stored, a system and method for determining presence of network "hacker attacks" and for lessening the effect of, discouraging, and repelling such attacks by a "challenge-response" is provided.
The system and method of the preferred embodiment of the invention combines a challenge- response login procedure with use of a network probing test frame transmission and analysis procedure. The challenge-response procedure and the network probing test frame transmission procedure can run separate from each other or together for the purpose of DDOS
detection and deterrence and further for improving system performance and system management.
The challenge-response procedure of a preferred embodiment of the invention is provided for detecting and preventing robotic logins to public web servers.
The probative test and analysis procedure of a preferred embodiment of the invention provides for (1) creating template fmgerprints or signature patterns of attack patterns; (2) establishing the historical, current, and predicted future of states of a network for all types of network traffic; (3) determining if a spike in traffic is a distributed denial of service (DDOS) attack; and if so, determining its sources; (4) determining the unique speed and latency network attachment characteristics of devices when they attempt to connect or when it is determined that the connection will not be successful or after connection when a pattern of abusive behavior is observed; and (5) using that pattern to deny service or give lower service to that device when it requests additional service.
The challenge-response and probative methods together or independent of each other enable or assist in enabling detection of devices participating in DOS and DDOS attacks and upon identification of devices participating in attacks, minimize the effect of the attack and/or minimize the ability of the device to continue its attack.
nl I I I, I Ili I kI I
The system and method of the preferred embodiments of the invention complement and strengthen other techniques for defeating DDOS attacks. Other techniques for suppression of DDOS attacks include (1) shoring up "backdoor" access to web-attached servers through which hackers install "trojan-horse" code from which they can commence DDOS attacks;
and (2) implementing filtering technology on router cards so that attacks can be recognized and inhibited at the edge of the network thereby protecting the servers and the network.
Shoring up backdoor access will rely on implementation of new technology and management processes on millions of computers. Any such effort will take years to be fully effective. In the meantime, hackers will be able to commandeer multitudes of web-attached computers from which they can launch DDOS attacks. Such filtering techniques will be developed for detection of attacks based upon non-login, pre-login, or incomplete login flooding, and these filtering mechanisms will be implemented on router cards at low expense, with a predicted high degree of success in limiting this type of DOS and DDOS attack.
In other words, future attack suppression technology is focused on preventing devices not connected to servers from pestering these servers repeatedly and from many sources with administrative requests, error reports, and deliberately incomplete login requests, all of which can deplete resources to the point that the attacked system can no longer function. Future attacks may therefore take the form of creating scripts that complete login connections and then repeatedly ask for service within the legitimate connection in order to bypass the filters in routers programmed to discard excess traffic that is not associated with a validly logged-in connection.
In a preferred embodiment of the invention, the challenge-response method, web servers respond to login contacts with a challenge to which it is trivially simple for a human operator to successfully respond correctly, but to which a programmed machine will have minimal odds of successfully responding. When implemented, any login activity that does not complete successfully can be shunted to a limited resource web server system component that will service all further requests originating from that requestor. The decision process regarding level of service can be provided by the load balancing software typically found in medium and large web i !II if server sites (see Figure 4). Further challenges can be issued with failure to correctly respond resulting in additional reduction or complete denial of service, and successful response resulting in continued service, possibly at an improved or normal level of service.
Similarly, for connections running at a normal level of service, the web server could implement the challenge-response method periodically throughout the connection to identify robot machines that are masquerading as legitimate users and reduce or deny service to such suspected zombie machines.
The challenge-response mechanism works by making it very difficult for a machine without an extremely high degree of artificial intelligence installed to respond meaningfully to simple invitations to input data that a human operating the equipment would have no trouble completing. This will make it nearly impossible for a hacker who can install trojan-horse code on a large number of web-attached devices to make these devices capable of successfully logging in to a particular site and overwhelming that site with requests for service from within a connection.
In accordance with an exemplary embodiment, a challenge-response procedure works as follows. Users connect to a web site by identifying the target web site through an Internet browser, or equivalent. To connect to "XYZ Company," the user (or zombie script) enters "www.xyzco.com" and, in return, receives the initial login screen from the XYZ
Company's web server. Under this challenge-response method, the logon screen contains no computer (language) recognizable text, such as EBCDIC or ASCII encoded characters. Rather all text, or at least that text related to the challenge, is a bit-mapped image of text, easily readable by a human. The text which is readable by humans but not machines, invites the user to continue the connection (logon) by clicking on one of several possible "radio buttons," or by entering text into a designated area or equivalent. There may be only one correct response and correct screen input area for that response, and the input area for the response can be randomly shuffled to further decrease the odds of a correct response by a zombie. The response from the device goes to the web's load balancing system, or other dedicated or shared resource available for evaluating the response, which assigns normal service to responses with the correct selection, and either rejects or connects end devices with incorrect responses to lower priority services, possibly including deliberate service delays. The incorrect response is logged and saved, with a record of the address of the requesting station being stored, as well as the discrete speed, streaming speed, and latency of the connecting device. Additional requests from that device will be recognizable as coming from a possible zombie and can be afforded even slower service or denied service completely.
After a user-defmed number of incorrect responses, the address of an offending system and/or its latency and speed fmgerprint can be added to the router-based filtering system so that packets from the offending device will be rejected and not reach the web server at all. In this manner, the web server can be protected from repetitive requests from non-human driven attacking systems from within connections or when establishing connections.
Figure 3 illustrates an example of the challenge/response method. Figure 3 depicts a bit-encoded login challenge question, requiring the user to read a question and answer it. In this example, the login question is "TO ENTER WEBSITE XYZCO, PLEASE CLICK ON THE
COW'S TAIL". The significance of bit encoding is that the challenge is not composed of machine readable USASCII or EBCDIC text. Rather, it is a picture of the text, which an ordinary machine cannot understand. A human will have no problem responding correctly, whereas a machine will be unable to do so. By bit-encoding the login challenge, zombies will be foiled from gaining access to the web site and launching attacks from within valid connections.
In the future, router filtering will be so efficient and powerful that DDOS
attacks based upon pinging, spurious error messages, incomplete logins, and requests for status by non-logged in devices will be recognized and such traffic discarded before affecting the targeted web site and its servers. It can thus be predicted that DDOS attacks will be attempted from within validly logged in connections. This is because routers will very likely not be programmed to examine and interpret the contents of valid connections.sessions because of the difficulty and overhead involved, as well as for reasons of privacy and security. An example of an attack from within a validly logged-in session would take the form of enrolling armies of devices to connect to a server and periodically request a service, such as going to the Ford web site and pricing a red Crown Victoria, then a blue, diesel F-150, then a green 2 door Focus, etc.
Such zombies would appear as normal users, and could consume huge amounts of resource. A non-zombie version of such an attack is possible, but it would require hundreds of humans coordinating their actions over a long period of time to accomplish this.
The method for discovering and diagnosing DDOS attacks by recognizing abnormal increases in utilization works as follows. Pending patent application Silverman 1 describes a system and method for transmitting probative packets across a network and analyzing their transit times to determine the capacity of the network to handle streaming, discrete, and burst traffic, and their utilizations for these types of traffic. Zombie machines run scripts over and over, such scripts consisting of a variety of requests for service designed to flood a targeted web server and consume the web server's and/or its network's resources to the point that service to legitimate users is severely degraded or entirely prevented. As such, the zombie will have a rhythm or pattern of transmissions of discrete, burst, and stream packets that can serve as a fingerprint. There are known web sites from which hackers can download DDOS
methods, such as:
http://www.technotronic.com/denial.html and http://www.rootshell.com, and there are known tools for combining individual attack methods into scripts, and known tools (such as "trinoo" and "tribe") for combining groups of compromised systems into what CERT
refers to as "distributed denial of service clusters."
It is thus possible to download known attack methods, scripts, and tools and run them on systems in a test network, record their rhythmic patterns, and extrapolate the effect that any number of such systems would have on a network, for networks, while bursty in nature, have characteristic utilization patterns (for example, peaks of utilization at 10 AM and 1 PM are common in commercial networks). The mathematics for the overlaying of a new traffic load introduced by n zombie attacking devices on an existing network is:
[((n * new load bits per second)+ existing load bits per second) / network capacity bits per second] = new utilization Silverman 1 and 2 describe end to end network testing, and in their implementation in any end to end test a Tracroute command may be issued with which to locate all routers along that end to end path. The path from the test station (which can be installed in or co-located with any web server or router in the path) to any device or router in the path can thus be tested.
These advances make possible detection of hacker DDOS attacks regardless of whether or not the attacking devices are logged in to a site's servers, and also to pinpoint the location of the attacking devices, especially when teamed with fmgerprinting of individual devices by means of their speed and latency characteristics.
By using the techniques in Silverman 1 and 2, both the pattenrn of current utilization and the projected effect of zombies on that segment of the network are tested.
Each router along the path is thus be identified, and utilization spikes are identified and, by examining segments along a path, utilization increases are tracked to an origin point and thus attacks and individual zombies are identified without the extensive overhead, skill, and time-consumption required for reading traces and without needing to locate areas of low utilization. Moreover, the testing is performed from the web server site or from the ISP's network. This provides the additional advantage of allowing the manager of the web site to identify attacks and test for the locations of attackers without needing the cooperation of the ISP.
When attacking systems that have logged in are recognized, TCP window tuning may be used to slow down the connection. Silverman I and 2 formulas are used:
Am = average message size bytes (determined from testing common attack methods or from analysis of this attack instance) D network discrete speed (calculated from (long - short sample bits) * 2 /
(best long - best short time) L= network latency for this connection (calculated from best short round trip -service time for short sample) Ts = service time for average attack message = Am * 8/ network RTT = round trip service time for average attack message and protocol acknowledgment, _ [((Am * 8) + 40 ) / network discrete speed] + L
S network streaming speed (calculated from virtual best burst sample arrival bits divided by arrival time) Wb = optimum window bytes = RTT / S/ 8 Wm = optimum window messages = Am / (RTT / S / 8).
To provide degraded service by window manipulation, the connection window size (expressed as Wb or Wm) is reduced to whatever fraction of the optimum is desired.
Additional methods for slowing the connection from attackers are:
- instituting a delay parameter that slows acceptance of input from, or transmission of responses to attacking system (or any system in the "degraded service"
category) ~~= I I: ~I I 61 i - counterattacking by using denial of service methods on attacking systems (probably more suited to military, police, and counterinsurgency environments than business environments).
By way of example, the following mathematical calculation of utilization spike recognizes an attack and provides for decomposing the unitary end-to-end utilization measure into utilization by hop in a network. This routine answers the question, what is effect of change in utilization on response time?
1. User puts in a positive or negative percent change in discrete utilization (e.g. +10% or -8%), and an average round trip message size in number of characters.
2. Current discrete utilization % + change in discrete utilization %= U (where U is the new utilization %).
3. U/(1 - U) = new queue factor. (Use multi server factor, if applicable).
4. New queue factor * average message size * 8 / discrete bandwidth = new queue delay.
5 New queue delay - old queue delay = change in response time.
6. Add new queue delay to service time plus latency to get the new average response time.
This estimation result is then used in the following way. The load imposed on the system by n zombies executing a known attack, such as a trinoo attack script, is estimated by testing for various values of n. From the network perspective, this load is expressed as a number of bits per second. For each link connection from the web site to the Internet, there is obtained an expected utilization, a fixed speed, and an estimated number of bytes on queue. (Bytes on queue is average wait time * discrete speed / 8.) From utilization (denoted here as U), number of messages on queue is calculated by U / (1-U). Dividing queue depth in bytes by number of messages on queue the average message size is derived. Average service time for a message =
average message size / conversational speed. Arrival rate = U / service time for average message. Arrival rate * average message size = bits per second in network system.
Applying the derivation of bits per second in network from utilization to the trinoo script for n users and for the expected network load allows summing the two to estimate the total bits per second on the Internet connection when attacked by n zombies. Thus is estimated the projected effect of zombie attacks under particular known attack scripts.
Referring to Figure 4, devices Z 1-Z3 identified as being zombies and/or suspected of being zombies are shunted to the organization's (or ASP's) purgatory net 60, which provides low quality service through provider 62. This keeps the zombie Z1-Z3 occupied and, much the way police try to keep someone demanding ransom on the phone for as long as possible, the purgatory connection maintains contact with the suspect so that additional diagnosis can be performed and so that the zombie focuses on doing its mischief in a place where it does no harm.
Normal devices get first class service from the organization's (or ASP's) regular servers 66-67.
A device merits a purgatory connection if it fails the bit-encoded login test or if it is performing suspicious operations characteristic of those involved in DOS attacks.
Advantages over the Prior Art The advantages of the system and method of the preferred embodiment of this invention include providing an improved system and method for detection and prevention of DOS (Denial of Service) and DDOS (Distributed Denial of Service) attacks.
The preferred embodiment provides a means for web site owners to locate areas of lower and higher utilizations within ISP networks, so that faster detection of DDOS
attacks is possible and faster location by the ISP of specific attacking devices is possible.
~ I I ~ I I 41 It is a further advantage of the preferred embodiment that utilization patterns of known attack scripts can be identified and numbers of attackers can thus be estimated for each Internet interface, thus providing a new means for detection of attacks and estimation of the magnitude of the attack on each interface.
It is a further advantage of the preferred embodiment that detection of individual attacking machines is made possible by causing login invitations to be sent in bit-mapped form as opposed to text, thereby defeating zombie machines from being able to login to the webserver site, thereby preventing attacks from within connected sessions.
It is a further advantage that machines identified as attackers can be further profiled by the streaming speed, discrete speed, and latency of their network connection, even if they try to masquerade by repeatedly changing their network address.
It is a fixrther advantage that having identified attacking devices, a lowered level of service can be offered, service can be denied, or counterattacking measures can be implemented against the attackers.
Alternative Embodiments It will be appreciated that, although specific embodiments of the invention have been described herein for purposes of illustration, various modifications may be made without departing from the spirit and scope of the invention. In particular, it is within the scope of the invention to provide a computer program product or program element, or a program storage or memory device such as a solid or fluid transmission medium, magnetic or optical wire, tape or disc, or the like, for storing signals readable by a machine, for controlling the operation of a computer according to the method of the invention and/or to structure its components in accordance with the system of the invention.
~ i I 6'i I;I I II ~
Further, each step of the method may be executed on any general computer, such as IBM
Systems designated as zSeries, iSeries, xSeries, and pSeries, or the like and pursuant to one or more, or a part of one or more, program elements, modules or objects generated from any programming language, such as C++, Java, Pl/1, Fortran or the like. And still further, each said step, or a file or object or the like implementing each said step, may be executed by special purpose hardware or a circuit module designed for that purpose.
Accordingly, the scope of protection of this invention is limited only by the following claims and their equivalents.
i0
Attacked parties learned how to diagnose, stop, and take network traces (a log of all network traffic) of DOS attacks by "lone wolf' hackers.
Today, hackers have the upper hand, because they have learned how to take control of or "borrow" multiple web-attached computers in different organizations ("masters"), use these master machines to infiltrate many more computers in different organizations ("zombies"), embed DOS attack code scripts (or, trojan-horses) in the zombies through the masters, and then issue commands from the masters to the zombies to run the scripts directed at the server(s) of a targeted organization.
The hackers, twice removed from the attacking zombie machines, are difficult to trace.
The attacks coming from many different zombies in many different networks comprise DDOS
attacks that are hard to detect and control. The scripts run by the zombies are a nasty assemblage of echo packet floods, status requests, incomplete logins, deliberate causes of connection error conditions, false reports of errors, and transmissions of packets requiring special handling. These vicious scripts, run from hundreds or thousands of zombies, are designed to flood the network, tie up system control blocks, and siphon web server computing power to the point that the attacked webserver network and system can no longer provide service to legitimate users. All the while, the zombie computers causing the damage are owned by legitimate organizations which have no idea that their systems are being used in attacks on other organizations.
The current best procedure for defending against such attacks, as documented in the CERT web site, consists of owners of web sites monitoring the network and server equipment they own for conditions of abnorrnally high utilization. When detected, high utilization is reported to the Internet Service Providers (ISPs) through which the organization connects to the Internet. Each ISP network connects to a large number of organizations. The ISPs then search their networks in order to fmd areas of low utilization. The ISPs trace (i.e., record) all user traffic in that area of low utilization, and then scan the recorded traces looking for devices that are issuing sequences of commands of type and frequency that attacking zombies would issue.
Zombies are easier to locate in areas of lower as opposed to higher utilization because the zombies contribute a relatively higher proportion of the records in the trace log, so their activity is more readily identified. Once a zombie is located, the ISP can trace all traffic from that zombie to the attacked system, thereby enabling those fighting the attack to better understand its nature. And although commands from the master computers to the zombies are not necessary once an attack has started, an ongoing trace of the zombie's activity can, with luck, record commands being sent from the zombie's master (the computer which has loaded attack code scripts into the zombie and activated the attack). When a master is found, it is possible not only to regain control of the master, but also to reclaim all of the zombies under its control. With very good luck, it may also be possible to take traces from a master computer and locate the hacker controlling the master, although skilled hackers usually perform "hit and run"
operations in which they start and stop attacks and erase their footprints in a matter of hours, long before the currently available problem diagnosis and identification processes can be effectively employed.
A sixteen year old Canadian who brought down the sites of Amazon.com, Yahoo, e-Bay, and Charles Schwab, was identified months after his attacks not as a result of the extensive forensic diagnostic effort undertaken in response, but rather because the youth bragged in an online chat group (Ellen Messmer and Denise Pappalardo, Network World, Feb. 12, 2001).
The current procedure thus has deficiencies in the speed with which attacks are detected and the speed and efficacy of reaction to such attacks. In the future, the weak security functions and administration processes that allow hackers to take over innocent systems will be improved, making creation of armies of zombies by hackers a much more difficult task. In addition, filtering intelligence, which currently runs at the processor level and is therefore too slow and expensive to apply in a sophisticated manner to all traffic entering a web site, will be embedded into the microcode on the router cards that control individual network interfaces.
a The distribution and lowering of cost of router function can be expected to improve early recognition of attacks and quick reaction by invocation of filtering to slow or stop DDOS attacks.
And in the future environment in which distributed filtering prevents attacks involving floods of administrative requests, it can be anticipated that hackers will attempt DDOS
non-administrative flooding of servers.
In response to the current DDOS environment, it is an object of the invention to provide system and method for faster, more effective detection of utilization spikes associated with DDOS attacks.
It is desired to provide a system and method for prevention of both administrative and non-administrative message flooding DDOS attacks.
Summary of the Invention In accordance with the a first aspect of the invention, a system and method is provided for detection of DDOS (distributed denial of service) attacks, including issuing a bit mapped challenge in response to a login request from a requester of services; and responsive to an incorrect response to the challenge, placing the requester in a state of limited service.
In accordance with a second aspect of the invention, a system and method is provided for detection of DDOS attacks, including executing a network probing test frame transmission and analysis procedure to detect a hacker denial of service attack; and responsive to detecting a denial of service attack, placing the hacker in a lower level of service state.
In accordance with an aspect of the invention, there is provided a computer program product configured to be operable to detect and respond to distributed denial of service attacks.
Other features and advantages of this invention will become apparent from the following detailed description of the presently preferred embodiment of the invention, taken in conjunction with the accompanying drawings.
Brief Description of the Drawings Figure 1 illustrates a communications network and network evaluation system in accordance with the preferred embodiment of the system of invention for detecting and preventing DDOS attacks.
Figure 2 illustrates a communications network and system for recognition of attacks and identification of stations involved in attacks.
Figure 3 illustrates a bit-encoded login challenge display of an exemplary embodiment of the invention.
Figure 4 illustrates an exemplary embodiment of the invention for load balancing a distributed denial of service attack to a low quality service provider.
Best Mode for Carrying Out the Invention In pending patent application Silverman 1, methods are provided for determining the discrete speed and utilization of a network and the streaming speed and utilization of a network.
Discrete (i.e., individual) packets and streams of packets travel at different speeds across any given multihop connection. The stream has a rate approaching the bottleneck facility speed in the connection, while discrete packets travel at a slower speed. End-to-end discrete utilization increases incrementally for each hop with competing traffic in the connection, whereas streaming utilization has effect only on that hop having the lowest available throughput.
By means of the system and method described in the predecessor patent application, the end- to-end discrete and streaming speeds and utilizations of the network can be computed for any connection.
One level of DDOS detection consists of using the system and methods described to detect spikes in streaming and discrete utilization. Since this method works across both the network of the web server under attack and the network of the ISPs across which the attack is occurring, the attacked party will (1) recognize the attack more quickly than before; (2) recognize areas of higher network utilization and lower utilization in both the intranet and in the connecting ISP networks so that the organization under attack can provide fast guidance to the ISPs as to the location of areas of low utilization (where traces can be taken with a degree of probability of locating instances of zombies) and high utilization (where defensive ISP
router filtering scripts may most profitably be invoked) instead of relying on the ISPs to perform this activity; and(3) be able to "fingerprint" the utilization patterns of zombies and identify their occurrences thus enabling faster recognition of attacks and faster diagnosis of the origin of the attacks.
In accordance with a preferred embodiment of the invention, a system and method is provided for preventing DDOS attacks. DDOS attacks are accomplished by hackers who infiltrate sets of computers (masters) and then use each master to infiltrate "trojan-horse" code scripts into a large number subservient computers (zombies). The zombies' scripts are then activated at some point of time in a coordinated attack on an organization's web server system.
Zombies are "borrowed" machines that run scripts to attack.
Referring to Figure 1, S1, S2, ... S6 are server machines, meaning that they are computers running application programs accessed by local and remote users; T1, T2, ... T9 are test stations, meaning that they run the code that performs network speed, utilization, and latency testing as described in Silverman 1; and Zi, Z2,... Z4 are zombie machines, meaning that they have been taken over by hackers who have installed code designed to attack servers addressable through the Internet (i.e., the zombies contain trojan-horse code intended for attack on web site servers SI,...S6).
Organization 1 has a set of three web servers S1-S3 in its intranet 20 that are connected to Internet 22. In this instance, although it is not necessary, they are depicted as being protected by a firewall 24. Since servers S 1-S3 are intended for public access, firewall 24 is optional. Not depicted is a possible connection between this intranet 20 and a more secure intranet which would house servers belonging to Organization 1 that are not intended for public access. These latter servers, which might house applications such as accounts payable and receivable, would certainly be protected by a firewall which filters traffic in an effort to allow only authorized parties to access those secure servers.
Three test stations T1-T3 are depicted in Org 1's intranet 20. Not all three are required.
However, T2 depicts that a test station can be located within an application server S3, T3 within or adjacent to the firewall 24, or T1 anywhere else within intranet 20.
The application service provider (ASP) intranet 26 has the same setup. This is a third party entity that for a fee hosts web services for organizations such as Organization 1. Akamai is an example of an ASP.
Test stations T 1-T3 can perform testing within the Org 1 intranet 20. Test stations T6-T8 can perform testing within the ASP intranet 26. For example, T1 can test T2, T3, S1, S2, and S3.
T4 belongs to Org 1 but sits outside the Org 1 firewall and is not part of the Org 1 intranet. T4 is connected to internet 22 without firewall separation. It can perform testing anywhere in and across the internet up to any firewall. So T4 can test Z4, T5, and T9.
Testing is ordinarily performed by means of ICMP pings. ICMP is part of the TCP/IP
protocol stack, so nearly all Internet connected devices respond to pings.
Ordinarily, firewalls do not allow pings to pass, so testing is normally easy within networks and up to their firewalls.
Firewalls that do not pass pings can be successfully passed through for testing if there is a port (an application address) for which the firewall does not block traffic and for which the testing station and receive station are programmed to communicate. Such programming is also required for one way pinging, as described in Silverman 1.
By way of example, in operation, suppose a hacker has taken over and zombified (that is, infected with a trojan-horse code) Z1,...,Z4. Suppose Organization 1 services web users through servers S1,...,S3 in its intranet 20 as well as through S4,...,S6 in the ASP
intranet 26. Org 1 pays a fee to the ASP and both the ASP and Org 1 have test equipment running the test code.
Suppose also that zombies Z1,...,Z4 contain no cooperative code for testing, and that they will only respond to pings. Suppose further that Organization 2, which is the unwitting owner of Zombies Z1,...,Z3, has programmed its firewall so that pings do not get through it. The hacker has set a timer, and now the attacks begin.
T3 and T6 have been monitoring their respective intranets 20, 26, so there is a record of average utilization (per time of day). If the zombies are successful, a utilization increase will be observed.
T4, T5, and T9, (T9 is owned by Org 1 but connected directly to the internet, possibly from an employees home or a remote Org 1 office) monitor Internet 22. They can detect areas of abnormally high utilization and can probe to find hot spots. Areas of low utilization can be reported to internet service providers (ISl's) so that they can perform tracing. In this case, T9, T4, or T5 might detect that ISP 2 (or a specific portion of ISP 2) is an area with some connections to its web site but with relatively low activity. Thus, the ISP 2 could be directed rapidly to trace and locate sources of suspicious activity. Testing could be performed possibly up to firewall 30 to determine that it is a hotbed of zombie activity. Various protective actions could then be taken, such as notifying Organization 2 and, possibly, invoking filtering at firewalls 24 and 32 to deny access to organization Org 1 and ASP organization 2 resources.
Referring to Figure 2, a hacker seiver 40 is located on Internet 42. This device contains scripts which hackers can load into their systems and then probe for susceptible web-attached devices into which the scripts can be loaded as trojan-horse code. These devices will become zombie masters Z 1-Z3. In turn, the zombie masters Z 1-Z3 can infiltrate hundreds or thousands of other web-attached computers, turning them into zombies, which can be unleashed as an army of attackers on command from the master.
Hacker servers 40 are often well-known devices with addresses available through Internet chat-rooms. As shown in Figure 2, Unix and Windows systems 44-49 are located in an organization's test network 50. Various versions of Unix and Microsoft Windows operating systems are the prevalent operating systems for web-attached devices, and the diagram represents that some combination is being employed here. These devices 44-49, on Test Net 50, can access Internet 42 and download master attack scripts from hacker server 40. Test devices located Test Net 2 can be taken over by these masters and enrolled as zombies Z1-Z3. The zombies can then launch an attack on servers (here depicted as S1,...,S3 on Test Net 50, although they could be on any other test network).
T1,...,T3 are network testing devices running the code described in this application and in Silverman 1, which measures network speed, latency, and utilization.
Successive tests can be run to see the utilization patterns of individual zombies and groups of zombies to fingerprint the patterns of traffic generated by different, well-known attack scripts, or trojan-horse code.
This will aid in recognition of attacks and identification of stations involved in attacks.
Two notes. First, many organizations already have such test networks in place in order to test new releases of code and to assist in capacity and change tests. So a test station such as T2 could be used to determine and record the patterns of a normal system load as well as how that load changes when an attack is launched. Second, without loss of generality, a firewall (not shown) could be set up between Test Net 50 and Test Net 54, and the patterns of traffic from the zombies could be observed from both Test Net 1 and Test Net 2.
The attack prevention system and method of a preferred embodiment of the invention includes a bit-mapped challenge issued by the web server to any login request.
Preferably, the challenge contains no EBCDIC or ASCII text. All text and pictures are bit-mapped, so that without a human operator's intervention, the simple challenges to the login request (e.g., "click on the picture of the cow to continue," with 20 different types of animals pictured, or "enter the result of adding two plus two in the box to the lefft" ) cannot be correctly answered by the zombie except by blind luck. Devices that respond incorrectly to the challenge are placed into a state of "purgatory" in which they receive lower or reduced service, such as very limited service or none I. li k 1 11 at all. Devices with human operators will easily answer the challenge, and receive first-class service. This method will prevent zombies from asking for repetitive services from the web site servers from within a connection. From a system perspective, this prevents the zombies from causing connection- supporting control blocks to be maintained and server resources to be used in sufficient quantity to deny service to others.
However, it is still possible that a zombie will iteratively request connection to a web site, even if it will not be able to connect. In this case, the network address of the zombie device will be known to the firewall and/or load balancing software (load balance server 64, Figure 4) so that subsequent connection requests can be filtered out or shunted to a connection with the purgatory (lower) level of service (service provider 62, Figure 4). This method will be effective in cutting off individual or very large numbers of attacking zombies, and can be "akamaized" (that is,placed at the edge of the Internet by a service provider, such as Akamai servers), thereby lirniting the traffic overhead of zombies.
In some instances of attacks, zombies will repeatedly request connections that their controlling scripts will not complete, thereby tying up the attacked system's control blocks, denying system access to others, and will give a new false address for each such attempt. For such cases, the system and methods of Silverman 1 and 2 provide a method for determining the speed, latency, and average queuing delay of the network. This information is then used to help set a timeout value tailored to each login request, so that if the user does not complete the login within the time limit, the control blocks are freed. Repetitive efforts from a station which masquerades under fictitious addresses can be pinpointed by the unique speed and latency of their connection and ejected immediately, or placed into limited service or purgatory category, such as cutting off entirely or providing a lower level of service, thereby freeing prime web site service for legitimate users. Using the methods of Silverman 1 and 2, a plurality of network evaluation signals, or probative test packets, are selectively sent and received through the network. Responsive to these evaluation signals, selective network evaluation parameters are determined and stored. Algebraic, statistical, and queuing theory analysis, responsive to these parameters, determines the response time and throughput characteristics, including capacity, utilization and performance, of the network. Responsive to network evaluation parameters that are determined and stored, a system and method for determining presence of network "hacker attacks" and for lessening the effect of, discouraging, and repelling such attacks by a "challenge-response" is provided.
The system and method of the preferred embodiment of the invention combines a challenge- response login procedure with use of a network probing test frame transmission and analysis procedure. The challenge-response procedure and the network probing test frame transmission procedure can run separate from each other or together for the purpose of DDOS
detection and deterrence and further for improving system performance and system management.
The challenge-response procedure of a preferred embodiment of the invention is provided for detecting and preventing robotic logins to public web servers.
The probative test and analysis procedure of a preferred embodiment of the invention provides for (1) creating template fmgerprints or signature patterns of attack patterns; (2) establishing the historical, current, and predicted future of states of a network for all types of network traffic; (3) determining if a spike in traffic is a distributed denial of service (DDOS) attack; and if so, determining its sources; (4) determining the unique speed and latency network attachment characteristics of devices when they attempt to connect or when it is determined that the connection will not be successful or after connection when a pattern of abusive behavior is observed; and (5) using that pattern to deny service or give lower service to that device when it requests additional service.
The challenge-response and probative methods together or independent of each other enable or assist in enabling detection of devices participating in DOS and DDOS attacks and upon identification of devices participating in attacks, minimize the effect of the attack and/or minimize the ability of the device to continue its attack.
nl I I I, I Ili I kI I
The system and method of the preferred embodiments of the invention complement and strengthen other techniques for defeating DDOS attacks. Other techniques for suppression of DDOS attacks include (1) shoring up "backdoor" access to web-attached servers through which hackers install "trojan-horse" code from which they can commence DDOS attacks;
and (2) implementing filtering technology on router cards so that attacks can be recognized and inhibited at the edge of the network thereby protecting the servers and the network.
Shoring up backdoor access will rely on implementation of new technology and management processes on millions of computers. Any such effort will take years to be fully effective. In the meantime, hackers will be able to commandeer multitudes of web-attached computers from which they can launch DDOS attacks. Such filtering techniques will be developed for detection of attacks based upon non-login, pre-login, or incomplete login flooding, and these filtering mechanisms will be implemented on router cards at low expense, with a predicted high degree of success in limiting this type of DOS and DDOS attack.
In other words, future attack suppression technology is focused on preventing devices not connected to servers from pestering these servers repeatedly and from many sources with administrative requests, error reports, and deliberately incomplete login requests, all of which can deplete resources to the point that the attacked system can no longer function. Future attacks may therefore take the form of creating scripts that complete login connections and then repeatedly ask for service within the legitimate connection in order to bypass the filters in routers programmed to discard excess traffic that is not associated with a validly logged-in connection.
In a preferred embodiment of the invention, the challenge-response method, web servers respond to login contacts with a challenge to which it is trivially simple for a human operator to successfully respond correctly, but to which a programmed machine will have minimal odds of successfully responding. When implemented, any login activity that does not complete successfully can be shunted to a limited resource web server system component that will service all further requests originating from that requestor. The decision process regarding level of service can be provided by the load balancing software typically found in medium and large web i !II if server sites (see Figure 4). Further challenges can be issued with failure to correctly respond resulting in additional reduction or complete denial of service, and successful response resulting in continued service, possibly at an improved or normal level of service.
Similarly, for connections running at a normal level of service, the web server could implement the challenge-response method periodically throughout the connection to identify robot machines that are masquerading as legitimate users and reduce or deny service to such suspected zombie machines.
The challenge-response mechanism works by making it very difficult for a machine without an extremely high degree of artificial intelligence installed to respond meaningfully to simple invitations to input data that a human operating the equipment would have no trouble completing. This will make it nearly impossible for a hacker who can install trojan-horse code on a large number of web-attached devices to make these devices capable of successfully logging in to a particular site and overwhelming that site with requests for service from within a connection.
In accordance with an exemplary embodiment, a challenge-response procedure works as follows. Users connect to a web site by identifying the target web site through an Internet browser, or equivalent. To connect to "XYZ Company," the user (or zombie script) enters "www.xyzco.com" and, in return, receives the initial login screen from the XYZ
Company's web server. Under this challenge-response method, the logon screen contains no computer (language) recognizable text, such as EBCDIC or ASCII encoded characters. Rather all text, or at least that text related to the challenge, is a bit-mapped image of text, easily readable by a human. The text which is readable by humans but not machines, invites the user to continue the connection (logon) by clicking on one of several possible "radio buttons," or by entering text into a designated area or equivalent. There may be only one correct response and correct screen input area for that response, and the input area for the response can be randomly shuffled to further decrease the odds of a correct response by a zombie. The response from the device goes to the web's load balancing system, or other dedicated or shared resource available for evaluating the response, which assigns normal service to responses with the correct selection, and either rejects or connects end devices with incorrect responses to lower priority services, possibly including deliberate service delays. The incorrect response is logged and saved, with a record of the address of the requesting station being stored, as well as the discrete speed, streaming speed, and latency of the connecting device. Additional requests from that device will be recognizable as coming from a possible zombie and can be afforded even slower service or denied service completely.
After a user-defmed number of incorrect responses, the address of an offending system and/or its latency and speed fmgerprint can be added to the router-based filtering system so that packets from the offending device will be rejected and not reach the web server at all. In this manner, the web server can be protected from repetitive requests from non-human driven attacking systems from within connections or when establishing connections.
Figure 3 illustrates an example of the challenge/response method. Figure 3 depicts a bit-encoded login challenge question, requiring the user to read a question and answer it. In this example, the login question is "TO ENTER WEBSITE XYZCO, PLEASE CLICK ON THE
COW'S TAIL". The significance of bit encoding is that the challenge is not composed of machine readable USASCII or EBCDIC text. Rather, it is a picture of the text, which an ordinary machine cannot understand. A human will have no problem responding correctly, whereas a machine will be unable to do so. By bit-encoding the login challenge, zombies will be foiled from gaining access to the web site and launching attacks from within valid connections.
In the future, router filtering will be so efficient and powerful that DDOS
attacks based upon pinging, spurious error messages, incomplete logins, and requests for status by non-logged in devices will be recognized and such traffic discarded before affecting the targeted web site and its servers. It can thus be predicted that DDOS attacks will be attempted from within validly logged in connections. This is because routers will very likely not be programmed to examine and interpret the contents of valid connections.sessions because of the difficulty and overhead involved, as well as for reasons of privacy and security. An example of an attack from within a validly logged-in session would take the form of enrolling armies of devices to connect to a server and periodically request a service, such as going to the Ford web site and pricing a red Crown Victoria, then a blue, diesel F-150, then a green 2 door Focus, etc.
Such zombies would appear as normal users, and could consume huge amounts of resource. A non-zombie version of such an attack is possible, but it would require hundreds of humans coordinating their actions over a long period of time to accomplish this.
The method for discovering and diagnosing DDOS attacks by recognizing abnormal increases in utilization works as follows. Pending patent application Silverman 1 describes a system and method for transmitting probative packets across a network and analyzing their transit times to determine the capacity of the network to handle streaming, discrete, and burst traffic, and their utilizations for these types of traffic. Zombie machines run scripts over and over, such scripts consisting of a variety of requests for service designed to flood a targeted web server and consume the web server's and/or its network's resources to the point that service to legitimate users is severely degraded or entirely prevented. As such, the zombie will have a rhythm or pattern of transmissions of discrete, burst, and stream packets that can serve as a fingerprint. There are known web sites from which hackers can download DDOS
methods, such as:
http://www.technotronic.com/denial.html and http://www.rootshell.com, and there are known tools for combining individual attack methods into scripts, and known tools (such as "trinoo" and "tribe") for combining groups of compromised systems into what CERT
refers to as "distributed denial of service clusters."
It is thus possible to download known attack methods, scripts, and tools and run them on systems in a test network, record their rhythmic patterns, and extrapolate the effect that any number of such systems would have on a network, for networks, while bursty in nature, have characteristic utilization patterns (for example, peaks of utilization at 10 AM and 1 PM are common in commercial networks). The mathematics for the overlaying of a new traffic load introduced by n zombie attacking devices on an existing network is:
[((n * new load bits per second)+ existing load bits per second) / network capacity bits per second] = new utilization Silverman 1 and 2 describe end to end network testing, and in their implementation in any end to end test a Tracroute command may be issued with which to locate all routers along that end to end path. The path from the test station (which can be installed in or co-located with any web server or router in the path) to any device or router in the path can thus be tested.
These advances make possible detection of hacker DDOS attacks regardless of whether or not the attacking devices are logged in to a site's servers, and also to pinpoint the location of the attacking devices, especially when teamed with fmgerprinting of individual devices by means of their speed and latency characteristics.
By using the techniques in Silverman 1 and 2, both the pattenrn of current utilization and the projected effect of zombies on that segment of the network are tested.
Each router along the path is thus be identified, and utilization spikes are identified and, by examining segments along a path, utilization increases are tracked to an origin point and thus attacks and individual zombies are identified without the extensive overhead, skill, and time-consumption required for reading traces and without needing to locate areas of low utilization. Moreover, the testing is performed from the web server site or from the ISP's network. This provides the additional advantage of allowing the manager of the web site to identify attacks and test for the locations of attackers without needing the cooperation of the ISP.
When attacking systems that have logged in are recognized, TCP window tuning may be used to slow down the connection. Silverman I and 2 formulas are used:
Am = average message size bytes (determined from testing common attack methods or from analysis of this attack instance) D network discrete speed (calculated from (long - short sample bits) * 2 /
(best long - best short time) L= network latency for this connection (calculated from best short round trip -service time for short sample) Ts = service time for average attack message = Am * 8/ network RTT = round trip service time for average attack message and protocol acknowledgment, _ [((Am * 8) + 40 ) / network discrete speed] + L
S network streaming speed (calculated from virtual best burst sample arrival bits divided by arrival time) Wb = optimum window bytes = RTT / S/ 8 Wm = optimum window messages = Am / (RTT / S / 8).
To provide degraded service by window manipulation, the connection window size (expressed as Wb or Wm) is reduced to whatever fraction of the optimum is desired.
Additional methods for slowing the connection from attackers are:
- instituting a delay parameter that slows acceptance of input from, or transmission of responses to attacking system (or any system in the "degraded service"
category) ~~= I I: ~I I 61 i - counterattacking by using denial of service methods on attacking systems (probably more suited to military, police, and counterinsurgency environments than business environments).
By way of example, the following mathematical calculation of utilization spike recognizes an attack and provides for decomposing the unitary end-to-end utilization measure into utilization by hop in a network. This routine answers the question, what is effect of change in utilization on response time?
1. User puts in a positive or negative percent change in discrete utilization (e.g. +10% or -8%), and an average round trip message size in number of characters.
2. Current discrete utilization % + change in discrete utilization %= U (where U is the new utilization %).
3. U/(1 - U) = new queue factor. (Use multi server factor, if applicable).
4. New queue factor * average message size * 8 / discrete bandwidth = new queue delay.
5 New queue delay - old queue delay = change in response time.
6. Add new queue delay to service time plus latency to get the new average response time.
This estimation result is then used in the following way. The load imposed on the system by n zombies executing a known attack, such as a trinoo attack script, is estimated by testing for various values of n. From the network perspective, this load is expressed as a number of bits per second. For each link connection from the web site to the Internet, there is obtained an expected utilization, a fixed speed, and an estimated number of bytes on queue. (Bytes on queue is average wait time * discrete speed / 8.) From utilization (denoted here as U), number of messages on queue is calculated by U / (1-U). Dividing queue depth in bytes by number of messages on queue the average message size is derived. Average service time for a message =
average message size / conversational speed. Arrival rate = U / service time for average message. Arrival rate * average message size = bits per second in network system.
Applying the derivation of bits per second in network from utilization to the trinoo script for n users and for the expected network load allows summing the two to estimate the total bits per second on the Internet connection when attacked by n zombies. Thus is estimated the projected effect of zombie attacks under particular known attack scripts.
Referring to Figure 4, devices Z 1-Z3 identified as being zombies and/or suspected of being zombies are shunted to the organization's (or ASP's) purgatory net 60, which provides low quality service through provider 62. This keeps the zombie Z1-Z3 occupied and, much the way police try to keep someone demanding ransom on the phone for as long as possible, the purgatory connection maintains contact with the suspect so that additional diagnosis can be performed and so that the zombie focuses on doing its mischief in a place where it does no harm.
Normal devices get first class service from the organization's (or ASP's) regular servers 66-67.
A device merits a purgatory connection if it fails the bit-encoded login test or if it is performing suspicious operations characteristic of those involved in DOS attacks.
Advantages over the Prior Art The advantages of the system and method of the preferred embodiment of this invention include providing an improved system and method for detection and prevention of DOS (Denial of Service) and DDOS (Distributed Denial of Service) attacks.
The preferred embodiment provides a means for web site owners to locate areas of lower and higher utilizations within ISP networks, so that faster detection of DDOS
attacks is possible and faster location by the ISP of specific attacking devices is possible.
~ I I ~ I I 41 It is a further advantage of the preferred embodiment that utilization patterns of known attack scripts can be identified and numbers of attackers can thus be estimated for each Internet interface, thus providing a new means for detection of attacks and estimation of the magnitude of the attack on each interface.
It is a further advantage of the preferred embodiment that detection of individual attacking machines is made possible by causing login invitations to be sent in bit-mapped form as opposed to text, thereby defeating zombie machines from being able to login to the webserver site, thereby preventing attacks from within connected sessions.
It is a further advantage that machines identified as attackers can be further profiled by the streaming speed, discrete speed, and latency of their network connection, even if they try to masquerade by repeatedly changing their network address.
It is a fixrther advantage that having identified attacking devices, a lowered level of service can be offered, service can be denied, or counterattacking measures can be implemented against the attackers.
Alternative Embodiments It will be appreciated that, although specific embodiments of the invention have been described herein for purposes of illustration, various modifications may be made without departing from the spirit and scope of the invention. In particular, it is within the scope of the invention to provide a computer program product or program element, or a program storage or memory device such as a solid or fluid transmission medium, magnetic or optical wire, tape or disc, or the like, for storing signals readable by a machine, for controlling the operation of a computer according to the method of the invention and/or to structure its components in accordance with the system of the invention.
~ i I 6'i I;I I II ~
Further, each step of the method may be executed on any general computer, such as IBM
Systems designated as zSeries, iSeries, xSeries, and pSeries, or the like and pursuant to one or more, or a part of one or more, program elements, modules or objects generated from any programming language, such as C++, Java, Pl/1, Fortran or the like. And still further, each said step, or a file or object or the like implementing each said step, may be executed by special purpose hardware or a circuit module designed for that purpose.
Accordingly, the scope of protection of this invention is limited only by the following claims and their equivalents.
i0
Claims (25)
1. A method for detecting denial of service attacks, comprising:
issuing a bit-encoded login challenge comprising human viewable images not composed of machine readable text in response to a login request from a requester of services; and responsive to an incorrect response to said challenge, placing said requester in a state of limited service.
issuing a bit-encoded login challenge comprising human viewable images not composed of machine readable text in response to a login request from a requester of services; and responsive to an incorrect response to said challenge, placing said requester in a state of limited service.
2. The method of claim 1, further comprising:
filtering out to said state of limited service iterative connection requests from a network address of a hacker device.
filtering out to said state of limited service iterative connection requests from a network address of a hacker device.
3. The method of claim 1, further comprising:
responsive to speed, latency and average queuing network delay of connection requests, detecting and placing in a state of limited service repetitive login requests from a hacker device.
responsive to speed, latency and average queuing network delay of connection requests, detecting and placing in a state of limited service repetitive login requests from a hacker device.
4. The method of claim 3, further comprising:
determining from said speed, latency and average queuing network delay a time-out value; and detecting as a request from the hacker device a request that does not complete within said time-out value.
determining from said speed, latency and average queuing network delay a time-out value; and detecting as a request from the hacker device a request that does not complete within said time-out value.
5. The method of claim 1, further comprising:
issuing further challenges to subsequent requests for service from said requester and selectively responding to successful responses by continuing service at the same or improved level and to unsuccessful responses by further reduction or complete denial of service.
issuing further challenges to subsequent requests for service from said requester and selectively responding to successful responses by continuing service at the same or improved level and to unsuccessful responses by further reduction or complete denial of service.
6. The method of claim 1, further comprising:
periodically issuing said challenges throughout connection to a requester successfully responding.
periodically issuing said challenges throughout connection to a requester successfully responding.
7. The method of claim 1, comprising issuing said bit-encoded challenge as logon image from which a user must select or enter a response.
8. The method of claim 7, further comprising occasionally shifting the input area for a valid response to said challenge.
9. The method of claim 1, further comprising slowing acceptance from and response to systems in a degraded service category.
10. The method of claim 1, further comprising counterattacking by executing a denial of service response to attacking systems.
11. A method for detecting denial of service attacks, comprising:
executing a bit-encoded challenge and response login procedure and a network probing test frame transmission and analysis procedure to detect a hacker denial of service attack;
said bit-encoded challenge comprising human viewable images not composed of machine readable text;
said network probing test frame transmission and analysis procedure including defining a signature of discrete speed, streaming speed, and latency of the connecting device failing said bit-encoded challenge-response login procedure, and adding said signature to a router based filter for filtering out login requests from said hacker responsive to said signature; and responsive to detecting said denial of service attack, placing said hacker in a lower level of service state.
executing a bit-encoded challenge and response login procedure and a network probing test frame transmission and analysis procedure to detect a hacker denial of service attack;
said bit-encoded challenge comprising human viewable images not composed of machine readable text;
said network probing test frame transmission and analysis procedure including defining a signature of discrete speed, streaming speed, and latency of the connecting device failing said bit-encoded challenge-response login procedure, and adding said signature to a router based filter for filtering out login requests from said hacker responsive to said signature; and responsive to detecting said denial of service attack, placing said hacker in a lower level of service state.
12. A method for detecting denial of service attacks, comprising the steps of:
selecting sending and receiving probative test packets through a network;
responsive to said packets, determining network evaluation parameters for said network;
responsive to said network evaluation parameters, determining presence of network denial of service attacks, said network evaluation parameters including response time and throughput characteristics including capacity, utilization, and performance;
and executing a challenge and response procedure to discourage and repel said attacks, said challenge comprising human viewable images not composed of machine readable text
selecting sending and receiving probative test packets through a network;
responsive to said packets, determining network evaluation parameters for said network;
responsive to said network evaluation parameters, determining presence of network denial of service attacks, said network evaluation parameters including response time and throughput characteristics including capacity, utilization, and performance;
and executing a challenge and response procedure to discourage and repel said attacks, said challenge comprising human viewable images not composed of machine readable text
13. The method of claim 12, further comprising:
determining a latency and speed fingerprint of an offending device;
responsive to said fingerprint, operating a router filtering system to reject packets from said offending device.
determining a latency and speed fingerprint of an offending device;
responsive to said fingerprint, operating a router filtering system to reject packets from said offending device.
14. The method of claim 13, said fingerprint comprising a rhythm of transmissions of discrete, burst, and stream packets.
15. A system for detecting and responding to denial of service attacks, comprising:
a test station for identifying a zombie source of said denial of service attack by executing a challenge comprising human viewable images not composed of machine readable text;
a low quality server for serving said zombie source; and a high quality server for serving legitimate sources of request for services.
a test station for identifying a zombie source of said denial of service attack by executing a challenge comprising human viewable images not composed of machine readable text;
a low quality server for serving said zombie source; and a high quality server for serving legitimate sources of request for services.
16. The system of claim 15, further comprising:
a load balance server for directing said zombie source to said low quality server.
a load balance server for directing said zombie source to said low quality server.
17. The system of claim 16, said zombie source being an a server addressable on an Internet containing trojan-horse code.
18. The system of claim 15, said test station performing testing by use of ICMP pings to identify said zombie source.
19. The system of claim 18, said test station further for determining patterns of traffic generated by well-known attack scripts for subsequent use in identifying said zombie source.
20. The system of claim 18, said test station further for determining a timeout value for completion of a login request for freeing control blocks responsive to a login request which does not complete within said timeout value.
21. A probative test and analysis method for detecting and responding to denial of service attacks on a network resource, comprising:
creating a template of attack patterns;
determining historical, current, and predicted states of said network for each of a plurality of types of network traffic;
responsive to said attack patterns, determining if a spike in network traffic is a distributed denial of service attack by executing a challenge comprising human viewable images not composed of machine readable text and, if so, determining its source; and denying full service to sources associated with said service attack.
creating a template of attack patterns;
determining historical, current, and predicted states of said network for each of a plurality of types of network traffic;
responsive to said attack patterns, determining if a spike in network traffic is a distributed denial of service attack by executing a challenge comprising human viewable images not composed of machine readable text and, if so, determining its source; and denying full service to sources associated with said service attack.
22. The method of claim 21, further comprising:
determining unique speed and latency network attachment characteristics of devices attempting to connect to said network resource; and responsive to detection of an abusive behavior from a device of said devices, responding to subsequent requests for service from said device by denying said full service to said device.
determining unique speed and latency network attachment characteristics of devices attempting to connect to said network resource; and responsive to detection of an abusive behavior from a device of said devices, responding to subsequent requests for service from said device by denying said full service to said device.
23. A program storage device readable by a machine, tangibly embodying a program of instructions executable by a machine to perform method steps for detecting denial of service attacks, said method steps comprising:
issuing a bit encoded login challenge comprising human viewable images not composed of machine readable text in response to a login request from a requester of services; and responsive to an incorrect response to said challenge, placing said requester in a state of limited service.
issuing a bit encoded login challenge comprising human viewable images not composed of machine readable text in response to a login request from a requester of services; and responsive to an incorrect response to said challenge, placing said requester in a state of limited service.
24. A computer program product or computer program element for detecting denial of service attacks, comprising:
issuing a bit encoded login challenge comprising human viewable images not composed of machine readable text in response to a login request from a requester of services; and responsive to an incorrect response to said challenge, placing said requester in a state of limited service.
issuing a bit encoded login challenge comprising human viewable images not composed of machine readable text in response to a login request from a requester of services; and responsive to an incorrect response to said challenge, placing said requester in a state of limited service.
25. A program storage device readable by a machine, tangibly embodying a program of instructions executable by a machine to perform method steps for detecting denial of service attacks, said method steps comprising:
executing a network probing test frame transmission comprising human viewable images not composed of machine readable text and analysis procedure to detect a hacker denial of service attack; and responsive to detecting a denial of service attack, placing said hacker in a state of lower level of service.
executing a network probing test frame transmission comprising human viewable images not composed of machine readable text and analysis procedure to detect a hacker denial of service attack; and responsive to detecting a denial of service attack, placing said hacker in a state of lower level of service.
Priority Applications (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US09/945,172 US7107619B2 (en) | 2001-08-31 | 2001-08-31 | System and method for the detection of and reaction to denial of service attacks |
| US10/147,769 US6804624B2 (en) | 2001-08-31 | 2002-05-16 | System and method for determining the location of remote devices |
| CA002390850A CA2390850C (en) | 2001-08-31 | 2002-06-18 | System and method for the detection of and reaction to denial of service attacks |
Applications Claiming Priority (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US09/945,172 US7107619B2 (en) | 2001-08-31 | 2001-08-31 | System and method for the detection of and reaction to denial of service attacks |
| US09/945,172 | 2001-08-31 | ||
| CA002390850A CA2390850C (en) | 2001-08-31 | 2002-06-18 | System and method for the detection of and reaction to denial of service attacks |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CA2390850A1 CA2390850A1 (en) | 2003-12-18 |
| CA2390850C true CA2390850C (en) | 2007-08-21 |
Family
ID=32991636
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CA002390850A Expired - Fee Related CA2390850C (en) | 2001-08-31 | 2002-06-18 | System and method for the detection of and reaction to denial of service attacks |
Country Status (2)
| Country | Link |
|---|---|
| US (2) | US7107619B2 (en) |
| CA (1) | CA2390850C (en) |
Families Citing this family (142)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7278159B2 (en) * | 2000-09-07 | 2007-10-02 | Mazu Networks, Inc. | Coordinated thwarting of denial of service attacks |
| US7043759B2 (en) | 2000-09-07 | 2006-05-09 | Mazu Networks, Inc. | Architecture to thwart denial of service attacks |
| US7801978B1 (en) | 2000-10-18 | 2010-09-21 | Citrix Systems, Inc. | Apparatus, method and computer program product for efficiently pooling connections between clients and servers |
| US7296088B1 (en) * | 2000-11-17 | 2007-11-13 | Microsoft Corporation | System and method for determining the geographic location of internet hosts |
| US7774492B2 (en) * | 2001-07-26 | 2010-08-10 | Citrix Systems, Inc. | System, method and computer program product to maximize server throughput while avoiding server overload by controlling the rate of establishing server-side net work connections |
| US7213264B2 (en) * | 2002-01-31 | 2007-05-01 | Mazu Networks, Inc. | Architecture to thwart denial of service attacks |
| KR20040094437A (en) * | 2002-03-12 | 2004-11-09 | 코닌클리케 필립스 일렉트로닉스 엔.브이. | Using timing signals to determine proximity between two nodes |
| WO2004006115A1 (en) * | 2002-07-02 | 2004-01-15 | Netscaler, Inc | System, method and computer program product to avoid server overload by controlling http denial of service (dos) attacks |
| US8370420B1 (en) | 2002-07-11 | 2013-02-05 | Citrix Systems, Inc. | Web-integrated display of locally stored content objects |
| JP4503934B2 (en) * | 2002-09-26 | 2010-07-14 | 株式会社東芝 | Server computer protection device, server computer protection method, server computer protection program, and server computer |
| US8407798B1 (en) | 2002-10-01 | 2013-03-26 | Skybox Secutiry Inc. | Method for simulation aided security event management |
| US8359650B2 (en) * | 2002-10-01 | 2013-01-22 | Skybox Secutiry Inc. | System, method and computer readable medium for evaluating potential attacks of worms |
| US8191136B2 (en) * | 2002-11-04 | 2012-05-29 | Riverbed Technology, Inc. | Connection based denial of service detection |
| US8479057B2 (en) * | 2002-11-04 | 2013-07-02 | Riverbed Technology, Inc. | Aggregator for connection based anomaly detection |
| US8504879B2 (en) * | 2002-11-04 | 2013-08-06 | Riverbed Technology, Inc. | Connection based anomaly detection |
| US7363656B2 (en) * | 2002-11-04 | 2008-04-22 | Mazu Networks, Inc. | Event detection/anomaly correlation heuristics |
| US20050033989A1 (en) * | 2002-11-04 | 2005-02-10 | Poletto Massimiliano Antonio | Detection of scanning attacks |
| US20040167981A1 (en) * | 2003-02-25 | 2004-08-26 | Douglas Christopher Paul | Method and system for monitoring relationships between content devices in a content delivery network |
| JP3649404B2 (en) * | 2003-02-28 | 2005-05-18 | ソニー株式会社 | Ranging and positioning system, ranging and positioning method, and wireless communication apparatus |
| US7634569B2 (en) * | 2003-04-23 | 2009-12-15 | Microsoft Corporation | Match making based on proximity measures between devices |
| US20050002380A1 (en) * | 2003-05-09 | 2005-01-06 | Miller Robert S. | Automated IT asset location system |
| US9412123B2 (en) | 2003-07-01 | 2016-08-09 | The 41St Parameter, Inc. | Keystroke analysis |
| US7386719B2 (en) * | 2003-07-29 | 2008-06-10 | International Business Machines Corporation | System and method for eliminating viruses at a web page server |
| US20050028010A1 (en) * | 2003-07-29 | 2005-02-03 | International Business Machines Corporation | System and method for addressing denial of service virus attacks |
| US7191248B2 (en) * | 2003-08-29 | 2007-03-13 | Microsoft Corporation | Communication stack for network communication and routing |
| US7934020B1 (en) * | 2003-09-19 | 2011-04-26 | Vmware, Inc. | Managing network data transfers in a virtual computer system |
| US7433450B2 (en) * | 2003-09-26 | 2008-10-07 | Ixia | Method and system for connection verification |
| US20060206432A1 (en) * | 2003-11-26 | 2006-09-14 | Russell John C P | Digital rights management using network topology testing |
| US20050234735A1 (en) * | 2003-11-26 | 2005-10-20 | Williams Jim C | Digital rights management using proximity testing |
| US7774834B1 (en) | 2004-02-18 | 2010-08-10 | Citrix Systems, Inc. | Rule generalization for web application entry point modeling |
| US7890996B1 (en) | 2004-02-18 | 2011-02-15 | Teros, Inc. | Using statistical analysis to generate exception rules that allow legitimate messages to pass through application proxies and gateways |
| US7752662B2 (en) * | 2004-02-20 | 2010-07-06 | Imperva, Inc. | Method and apparatus for high-speed detection and blocking of zero day worm attacks |
| US10999298B2 (en) | 2004-03-02 | 2021-05-04 | The 41St Parameter, Inc. | Method and system for identifying users and detecting fraud by use of the internet |
| US20050256968A1 (en) * | 2004-05-12 | 2005-11-17 | Johnson Teddy C | Delaying browser requests |
| AU2005273532B2 (en) * | 2004-06-28 | 2011-04-07 | Acano (Uk) Limited | System for proximity determination |
| US7929534B2 (en) * | 2004-06-28 | 2011-04-19 | Riverbed Technology, Inc. | Flow logging for connection-based anomaly detection |
| CN100370757C (en) * | 2004-07-09 | 2008-02-20 | 国际商业机器公司 | Method and system for dentifying a distributed denial of service (DDOS) attack within a network and defending against such an attack |
| US20060037077A1 (en) * | 2004-08-16 | 2006-02-16 | Cisco Technology, Inc. | Network intrusion detection system having application inspection and anomaly detection characteristics |
| CA2577887A1 (en) * | 2004-08-19 | 2006-02-23 | Cingular Wireless Ii, Llc | Testing for mobile device locator systems, such as for e911 |
| US8423645B2 (en) * | 2004-09-14 | 2013-04-16 | International Business Machines Corporation | Detection of grid participation in a DDoS attack |
| US7760653B2 (en) * | 2004-10-26 | 2010-07-20 | Riverbed Technology, Inc. | Stackable aggregation for connection based anomaly detection |
| EP1820147A4 (en) * | 2004-11-03 | 2009-09-23 | Motion Picture Ass Of America | Digital rights management using network topology testing |
| US20060161989A1 (en) * | 2004-12-13 | 2006-07-20 | Eran Reshef | System and method for deterring rogue users from attacking protected legitimate users |
| US7756933B2 (en) * | 2004-12-13 | 2010-07-13 | Collactive Ltd. | System and method for deterring rogue users from attacking protected legitimate users |
| US20060130140A1 (en) * | 2004-12-14 | 2006-06-15 | International Business Machines Corporation | System and method for protecting a server against denial of service attacks |
| US8266320B1 (en) * | 2005-01-27 | 2012-09-11 | Science Applications International Corporation | Computer network defense |
| US9325728B1 (en) | 2005-01-27 | 2016-04-26 | Leidos, Inc. | Systems and methods for implementing and scoring computer network defense exercises |
| US8161555B2 (en) | 2005-06-28 | 2012-04-17 | At&T Intellectual Property Ii, L.P. | Progressive wiretap |
| US7987493B1 (en) * | 2005-07-18 | 2011-07-26 | Sprint Communications Company L.P. | Method and system for mitigating distributed denial of service attacks using centralized management |
| EP1760563B1 (en) * | 2005-08-31 | 2009-10-14 | Omron Corporation | Communication system with master, slave and repeater units |
| US9148907B2 (en) * | 2005-09-07 | 2015-09-29 | The Invention Science Fund I, Llc | Heading-dependent routing |
| US8046357B2 (en) * | 2005-11-07 | 2011-10-25 | Iac Search & Media, Inc. | Sampling internet user traffic to improve search results |
| US20070118531A1 (en) * | 2005-11-18 | 2007-05-24 | Honeywell International, Inc. | Issues database system and method |
| GB0523995D0 (en) * | 2005-11-25 | 2006-01-04 | Ibm | Method,system and computer program product for access control |
| US8938671B2 (en) | 2005-12-16 | 2015-01-20 | The 41St Parameter, Inc. | Methods and apparatus for securely displaying digital images |
| US11301585B2 (en) | 2005-12-16 | 2022-04-12 | The 41St Parameter, Inc. | Methods and apparatus for securely displaying digital images |
| KR100828372B1 (en) | 2005-12-29 | 2008-05-08 | 삼성전자주식회사 | Method and apparatus for protecting servers from DOS attack |
| US7954152B2 (en) * | 2005-12-30 | 2011-05-31 | Microsoft Corporation | Session management by analysis of requests and responses |
| KR101203469B1 (en) * | 2006-02-11 | 2012-11-21 | 삼성전자주식회사 | Method to accurately and securely measure propagation delay and distance between sending and receiving node in packet network using cut-through approach and packet network node for executing the method |
| US8024804B2 (en) * | 2006-03-08 | 2011-09-20 | Imperva, Inc. | Correlation engine for detecting network attacks and detection method |
| US8446835B2 (en) * | 2006-03-28 | 2013-05-21 | Telefonaktiebolaget L M Ericsson (Publ) | Method and termination node for bundling multiple messages into a packet |
| US8151327B2 (en) | 2006-03-31 | 2012-04-03 | The 41St Parameter, Inc. | Systems and methods for detection of session tampering and fraud prevention |
| US8849760B2 (en) * | 2006-05-02 | 2014-09-30 | International Business Machines Corporation | Determining whether predefined data controlled by a server is replicated to a client machine |
| US8490190B1 (en) * | 2006-06-30 | 2013-07-16 | Symantec Corporation | Use of interactive messaging channels to verify endpoints |
| US8428098B2 (en) * | 2006-07-06 | 2013-04-23 | Qualcomm Incorporated | Geo-locating end-user devices on a communication network |
| US8340682B2 (en) * | 2006-07-06 | 2012-12-25 | Qualcomm Incorporated | Method for disseminating geolocation information for network infrastructure devices |
| US7929535B2 (en) * | 2006-07-07 | 2011-04-19 | Qualcomm Incorporated | Geolocation-based addressing method for IPv6 addresses |
| US8255489B2 (en) * | 2006-08-18 | 2012-08-28 | Akamai Technologies, Inc. | Method of data collection among participating content providers in a distributed network |
| US8484283B2 (en) * | 2006-08-18 | 2013-07-09 | Akamai Technologies, Inc. | Method and system for mitigating automated agents operating across a distributed network |
| US20080104272A1 (en) * | 2006-10-31 | 2008-05-01 | Morris Robert P | Method and system for routing a message over a home network |
| US8717932B2 (en) * | 2006-11-29 | 2014-05-06 | Broadcom Corporation | Method and system for determining and securing proximity information over a network |
| US8421675B2 (en) | 2006-12-07 | 2013-04-16 | Digimarc Corporation | Systems and methods for locating a mobile device within a cellular system |
| US9791545B2 (en) * | 2006-12-07 | 2017-10-17 | Digimarc Corporation | Space-time calibration system and method |
| US20080147827A1 (en) * | 2006-12-14 | 2008-06-19 | Morris Robert P | Method And System For Synchronizing Operating Modes Of Networked Appliances |
| US20080147880A1 (en) * | 2006-12-14 | 2008-06-19 | Morris Robert P | Methods And Systems For Routing A Message Over A Network |
| US9021590B2 (en) * | 2007-02-28 | 2015-04-28 | Microsoft Technology Licensing, Llc | Spyware detection mechanism |
| US8320249B2 (en) * | 2007-03-07 | 2012-11-27 | Broadcom Corporation | Method and system for controlling network access on a per-flow basis |
| US8205255B2 (en) * | 2007-05-14 | 2012-06-19 | Cisco Technology, Inc. | Anti-content spoofing (ACS) |
| US7937586B2 (en) * | 2007-06-29 | 2011-05-03 | Microsoft Corporation | Defending against denial of service attacks |
| GB2452699B (en) * | 2007-08-24 | 2012-08-01 | King S College London | Mobility and quality of service |
| US20090165116A1 (en) * | 2007-12-20 | 2009-06-25 | Morris Robert P | Methods And Systems For Providing A Trust Indicator Associated With Geospatial Information From A Network Entity |
| US8325616B2 (en) * | 2008-01-17 | 2012-12-04 | Broadcom Corporation | Method and system for determination and exchange of network timing information |
| US20090252161A1 (en) * | 2008-04-03 | 2009-10-08 | Morris Robert P | Method And Systems For Routing A Data Packet Based On Geospatial Information |
| CN101282340B (en) * | 2008-05-09 | 2010-09-22 | 成都市华为赛门铁克科技有限公司 | Method and apparatus for processing network attack |
| US7516220B1 (en) | 2008-05-15 | 2009-04-07 | International Business Machines Corporation | Method and system for detecting and deterring robot access of web-based interfaces by using minimum expected human response time |
| CN101588246B (en) * | 2008-05-23 | 2012-01-04 | 成都市华为赛门铁克科技有限公司 | Method, network equipment and network system for defending distributed denial service DDoS attack |
| US8413250B1 (en) * | 2008-06-05 | 2013-04-02 | A9.Com, Inc. | Systems and methods of classifying sessions |
| US20100010975A1 (en) * | 2008-07-10 | 2010-01-14 | Morris Robert P | Methods And Systems For Resolving A Query Region To A Network Identifier |
| US20100011048A1 (en) * | 2008-07-10 | 2010-01-14 | Morris Robert P | Methods And Systems For Resolving A Geospatial Query Region To A Network Identifier |
| US20100010992A1 (en) * | 2008-07-10 | 2010-01-14 | Morris Robert P | Methods And Systems For Resolving A Location Information To A Network Identifier |
| US20100015995A1 (en) * | 2008-07-17 | 2010-01-21 | Rami Caspi | System and method for automated location information in a unified communication system |
| US8504504B2 (en) * | 2008-09-26 | 2013-08-06 | Oracle America, Inc. | System and method for distributed denial of service identification and prevention |
| US20100124220A1 (en) * | 2008-11-18 | 2010-05-20 | Morris Robert P | Method And Systems For Incrementally Resolving A Host Name To A Network Address |
| GB2466225B (en) * | 2008-12-15 | 2013-10-02 | King S College London | Inter-access network handover |
| GB2466226B (en) | 2008-12-15 | 2012-11-14 | King S College London | Improvements in or relating to network mobility |
| US8375435B2 (en) * | 2008-12-19 | 2013-02-12 | International Business Machines Corporation | Host trust report based filtering mechanism in a reverse firewall |
| US8779981B2 (en) * | 2009-02-27 | 2014-07-15 | The 41St Parameter, Inc. | 2D web trilateration |
| US7933272B2 (en) * | 2009-03-11 | 2011-04-26 | Deep River Systems, Llc | Methods and systems for resolving a first node identifier in a first identifier domain space to a second node identifier in a second identifier domain space |
| CN101848197B (en) * | 2009-03-23 | 2015-01-21 | 华为技术有限公司 | Detection method and device and network with detection function |
| US9112850B1 (en) | 2009-03-25 | 2015-08-18 | The 41St Parameter, Inc. | Systems and methods of sharing information through a tag-based consortium |
| US20100250777A1 (en) * | 2009-03-30 | 2010-09-30 | Morris Robert P | Methods, Systems, And Computer Program Products For Resolving A First Source Node Identifier To A Second Source Node Identifier |
| US9871811B2 (en) * | 2009-05-26 | 2018-01-16 | Microsoft Technology Licensing, Llc | Identifying security properties of systems from application crash traffic |
| US8903653B2 (en) * | 2009-06-23 | 2014-12-02 | Uniloc Luxembourg S.A. | System and method for locating network nodes |
| US10587683B1 (en) * | 2012-11-05 | 2020-03-10 | Early Warning Services, Llc | Proximity in privacy and security enhanced internet geolocation |
| US8438270B2 (en) | 2010-01-26 | 2013-05-07 | Tenable Network Security, Inc. | System and method for correlating network identities and addresses |
| US8302198B2 (en) | 2010-01-28 | 2012-10-30 | Tenable Network Security, Inc. | System and method for enabling remote registry service security audits |
| US8707440B2 (en) * | 2010-03-22 | 2014-04-22 | Tenable Network Security, Inc. | System and method for passively identifying encrypted and interactive network sessions |
| WO2011128464A1 (en) * | 2010-04-16 | 2011-10-20 | Universitat Politècnica De Catalunya | Process and system for calculating distances between wireless nodes |
| CN103004102B (en) * | 2010-05-13 | 2015-12-09 | 西北大学 | Geo-positioning system and method |
| US8707339B2 (en) * | 2010-07-30 | 2014-04-22 | CSC Holdings, LLC | System and method for detecting hacked modems |
| US8576847B2 (en) * | 2010-08-26 | 2013-11-05 | International Business Machines Corporation | Mechanisms for discovering path maximum transmission unit |
| WO2012054646A2 (en) | 2010-10-19 | 2012-04-26 | The 41St Parameter, Inc. | Variable risk engine |
| KR20120057066A (en) * | 2010-11-26 | 2012-06-05 | 한국전자통신연구원 | Method and system for providing network security operation system, security event processing apparatus and visual processing apparatus for network security operation |
| US20130031625A1 (en) * | 2011-07-29 | 2013-01-31 | Electronics And Telecommunications Research Institute | Cyber threat prior prediction apparatus and method |
| US10637820B2 (en) | 2011-10-21 | 2020-04-28 | Uniloc 2017 Llc | Local area social networking |
| WO2013062827A1 (en) | 2011-10-24 | 2013-05-02 | Northwestern University | System and method for accumulative double sided incremental forming |
| US9221091B2 (en) | 2011-11-04 | 2015-12-29 | Northwestern University | System and method for incremental forming |
| US10754913B2 (en) | 2011-11-15 | 2020-08-25 | Tapad, Inc. | System and method for analyzing user device information |
| US9367707B2 (en) | 2012-02-23 | 2016-06-14 | Tenable Network Security, Inc. | System and method for using file hashes to track data leakage and document propagation in a network |
| US9633201B1 (en) | 2012-03-01 | 2017-04-25 | The 41St Parameter, Inc. | Methods and systems for fraud containment |
| US9521551B2 (en) | 2012-03-22 | 2016-12-13 | The 41St Parameter, Inc. | Methods and systems for persistent cross-application mobile device identification |
| US20130318609A1 (en) * | 2012-05-25 | 2013-11-28 | Electronics And Telecommunications Research Institute | Method and apparatus for quantifying threat situations to recognize network threat in advance |
| US20150189482A1 (en) * | 2012-06-12 | 2015-07-02 | And Works Co., Ltd. | Device for providing related information for monile communication terminal and system for sharing related information |
| WO2014022813A1 (en) | 2012-08-02 | 2014-02-06 | The 41St Parameter, Inc. | Systems and methods for accessing records via derivative locators |
| WO2014078569A1 (en) | 2012-11-14 | 2014-05-22 | The 41St Parameter, Inc. | Systems and methods of global identification |
| AU2013100243B4 (en) | 2012-12-28 | 2013-09-26 | Uniloc Usa, Inc. | Pedestrian traffic monitoring and analysis |
| US8973143B2 (en) | 2013-01-28 | 2015-03-03 | The Barrier Group, Llc | Method and system for defeating denial of service attacks |
| US20140248908A1 (en) | 2013-03-01 | 2014-09-04 | Uniloc Luxembourg S.A. | Pedestrian traffic monitoring and analysis |
| AU2013100804B4 (en) | 2013-03-07 | 2014-02-20 | Uniloc Luxembourg S.A. | Predictive delivery of information based on device history |
| US10902327B1 (en) | 2013-08-30 | 2021-01-26 | The 41St Parameter, Inc. | System and method for device identification and uniqueness |
| US10764323B1 (en) * | 2015-12-21 | 2020-09-01 | Amdocs Development Limited | System, method, and computer program for isolating services of a communication network in response to a distributed denial of service (DDoS) attack |
| US9680798B2 (en) | 2014-04-11 | 2017-06-13 | Nant Holdings Ip, Llc | Fabric-based anonymity management, systems and methods |
| US10091312B1 (en) | 2014-10-14 | 2018-10-02 | The 41St Parameter, Inc. | Data structures for intelligently resolving deterministic and probabilistic device identifiers to device profiles and/or groups |
| CN104537105B (en) * | 2015-01-14 | 2017-09-26 | 中国人民解放军信息工程大学 | A kind of network entity terrestrial reference automatic mining method based on Web maps |
| US10015162B2 (en) * | 2015-05-11 | 2018-07-03 | Huawei Technologies Co., Ltd. | Firewall authentication of controller-generated internet control message protocol (ICMP) echo requests |
| US10264001B2 (en) * | 2015-08-12 | 2019-04-16 | Wizard Tower TechnoServices Ltd. | Method and system for network resource attack detection using a client identifier |
| US10432650B2 (en) | 2016-03-31 | 2019-10-01 | Stuart Staniford | System and method to protect a webserver against application exploits and attacks |
| CN110198517B (en) * | 2018-05-10 | 2021-07-20 | 腾讯科技(深圳)有限公司 | Port scanning method and system based on self-learning path selection |
| US11100457B2 (en) * | 2018-05-17 | 2021-08-24 | Here Global B.V. | Venue map based security infrastructure management |
| US11164206B2 (en) * | 2018-11-16 | 2021-11-02 | Comenity Llc | Automatically aggregating, evaluating, and providing a contextually relevant offer |
| US11636737B2 (en) * | 2019-09-03 | 2023-04-25 | You Call The Play Inc. | Systems and methods for facilitating betting in a game |
| WO2023068108A1 (en) * | 2021-10-21 | 2023-04-27 | 日本電気株式会社 | Distance measuring device, distance measuring method, and storage medium having program stored thereon |
Family Cites Families (26)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| DE68919674T2 (en) | 1989-02-08 | 1995-04-06 | Hewlett Packard Co | Method and device for diagnosing networks. |
| US5247464A (en) | 1989-05-25 | 1993-09-21 | Digital Equipment Corporation | Node location by differential time measurements |
| EP0474379B1 (en) | 1990-09-04 | 1995-11-22 | Hewlett-Packard Company | Method and apparatus for analyzing nodes on a computer network |
| GB9520487D0 (en) * | 1995-10-06 | 1995-12-06 | Cambridge Consultants | Short range electromagnetic sensor |
| US6131067A (en) | 1995-10-09 | 2000-10-10 | Snaptrack, Inc. | Client-server based remote locator device |
| US5826014A (en) | 1996-02-06 | 1998-10-20 | Network Engineering Software | Firewall system for protecting network elements connected to a public network |
| US5898830A (en) | 1996-10-17 | 1999-04-27 | Network Engineering Software | Firewall providing enhanced network security and user transparency |
| DE19616932A1 (en) * | 1996-04-27 | 1997-10-30 | Bosch Gmbh Robert | Optical, beam-splitting component and method for producing a prism support plate for such a component |
| US5771274A (en) | 1996-06-21 | 1998-06-23 | Mci Communications Corporation | Topology-based fault analysis in telecommunications networks |
| US5946373A (en) | 1996-06-21 | 1999-08-31 | Mci Communications Corporation | Topology-based fault analysis in telecommunications networks |
| US5832228A (en) | 1996-07-30 | 1998-11-03 | Itt Industries, Inc. | System and method for providing multi-level security in computer devices utilized with non-secure networks |
| GB9616783D0 (en) | 1996-08-09 | 1996-09-25 | Apm Ltd | Method and apparatus |
| US6202023B1 (en) * | 1996-08-22 | 2001-03-13 | Go2 Systems, Inc. | Internet based geographic location referencing system and method |
| CA2287379C (en) | 1997-01-10 | 2005-10-04 | Silicon Gaming-Nevada | Method and apparatus for providing authenticated, secure on-line communication between remote locations |
| US6092197A (en) | 1997-12-31 | 2000-07-18 | The Customer Logic Company, Llc | System and method for the secure discovery, exploitation and publication of information |
| US6041352A (en) | 1998-01-23 | 2000-03-21 | Hewlett-Packard Company | Response time measuring system and method for determining and isolating time delays within a network |
| US6738814B1 (en) | 1998-03-18 | 2004-05-18 | Cisco Technology, Inc. | Method for blocking denial of service and address spoofing attacks on a private network |
| US6697103B1 (en) * | 1998-03-19 | 2004-02-24 | Dennis Sunga Fernandez | Integrated network for monitoring remote objects |
| US6216002B1 (en) | 1998-05-11 | 2001-04-10 | Ericsson Inc. | Method for selecting base transceiver stations for gathering data to determine a mobile station's location in a wireless network |
| US6185689B1 (en) | 1998-06-24 | 2001-02-06 | Richard S. Carson & Assoc., Inc. | Method for network self security assessment |
| US6205122B1 (en) | 1998-07-21 | 2001-03-20 | Mercury Interactive Corporation | Automatic network topology analysis |
| US6272541B1 (en) | 1998-10-08 | 2001-08-07 | International Business Machines Corporation | Data processing system and method for determining a physical location of a client computer system coupled to a server via a physical network |
| US6151631A (en) | 1998-10-15 | 2000-11-21 | Liquid Audio Inc. | Territorial determination of remote computer location in a wide area network for conditional delivery of digitized products |
| US6684250B2 (en) * | 2000-04-03 | 2004-01-27 | Quova, Inc. | Method and apparatus for estimating a geographic location of a networked entity |
| US6925465B2 (en) | 2000-09-12 | 2005-08-02 | International Business Machines Corporation | System and method for enabling a web site robot trap |
| US6414635B1 (en) * | 2000-10-23 | 2002-07-02 | Wayport, Inc. | Geographic-based communication service system with more precise determination of a user's known geographic location |
-
2001
- 2001-08-31 US US09/945,172 patent/US7107619B2/en not_active Expired - Lifetime
-
2002
- 2002-05-16 US US10/147,769 patent/US6804624B2/en not_active Expired - Lifetime
- 2002-06-18 CA CA002390850A patent/CA2390850C/en not_active Expired - Fee Related
Also Published As
| Publication number | Publication date |
|---|---|
| CA2390850A1 (en) | 2003-12-18 |
| US6804624B2 (en) | 2004-10-12 |
| US20030046577A1 (en) | 2003-03-06 |
| US20030046022A1 (en) | 2003-03-06 |
| US7107619B2 (en) | 2006-09-12 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CA2390850C (en) | System and method for the detection of and reaction to denial of service attacks | |
| Wheeler et al. | Techniques for cyber attack attribution | |
| US7467410B2 (en) | System and method for preventing network misuse | |
| US9633202B2 (en) | Managing a DDoS attack | |
| US8631496B2 (en) | Computer network intrusion detection | |
| Householder et al. | Managing the threat of denial-of-service attacks | |
| US20060282893A1 (en) | Network information security zone joint defense system | |
| US20060143709A1 (en) | Network intrusion prevention | |
| US20070022090A1 (en) | Method and Apparatus for Providing Network and Computer System Security | |
| US20020184362A1 (en) | System and method for extending server security through monitored load management | |
| US10536468B2 (en) | System and method for voice security in a telecommunications network | |
| Toosarvandani et al. | The risk assessment and treatment approach in order to provide LAN security based on ISMS standard | |
| Hwang et al. | NetShield: Protocol anomaly detection with datamining against DDoS attacks | |
| Pandey et al. | Attacks & defense mechanisms for TCP/IP based protocols | |
| Hooper | An intelligent detection and response strategy to false positives and network attacks | |
| Paquet | Implementing Cisco IOS network security (IINS):(CCNA security exam 640-553)(authorized self-study guide) | |
| AbdelallahElhadjº et al. | An experimental sniffer detector: SnifferWall | |
| Lukatsky et al. | Protect your information with intrusion detection | |
| Dunigan et al. | Intrusion detection and intrusion prevention on a large network: A case study | |
| Jansky et al. | Hunting sip authentication attacks efficiently | |
| Mitrokotsa et al. | Denial-of-service attacks | |
| KR102401661B1 (en) | SYSTEM OF DETECTION AND DEFENSING AGAINST DDoS ATTACK AND METHOD THEREOF | |
| Asokan et al. | A Case Study Using Companies to Examine the Nmap Tool’s Applicability for Network Security Assessment | |
| Huber | Host-based systemic network obfuscation system for windows | |
| Perez | Practical SIEM tools for SCADA environment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| EEER | Examination request | ||
| MKLA | Lapsed |
Effective date: 20130618 |