GB2418563A - Monitoring for malicious attacks in a communications network - Google Patents

Info

Publication number: GB2418563A
Authority: GB (United Kingdom)
Prior art keywords: datagram, malicious attack, attack, network, packets
Legal status: Withdrawn
Application number: GB0421148A
Other versions: GB0421148D0 (en)
Inventors: Andrew Lehane, Martin Curran-Gray
Current assignee: Agilent Technologies Inc
Original assignee: Agilent Technologies Inc
Application filed by Agilent Technologies Inc
Priority to GB0421148A
Publication of GB0421148D0
Publication of GB2418563A

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/14 ... for detecting or protecting against malicious traffic
            • H04L63/1408 ... by monitoring network traffic
                • H04L63/1416 Event detection, e.g. attack signature detection
            • H04L63/1441 Countermeasures against malicious traffic
                • H04L63/1458 Denial of Service
    • H04L43/00 Arrangements for monitoring or testing data switching networks
        • H04L43/02 Capturing of monitoring data
            • H04L43/022 Capturing of monitoring data by sampling
                • H04L43/024 Capturing of monitoring data by sampling by adaptive sampling
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
        • H04L2463/141 Denial of service attacks against endpoints in a network
        • H04L2463/146 Tracing the source of attacks


Abstract

Processing resources in interface cards, for example interface converter modules (204, fig.2), are used to detect suspicious network activity, for example predefined packet signatures or traffic flows indicative of a malicious attack 304, 306, 308, 310 such as a Distributed Denial of Service (DDoS) attack. Each processing resource is then able to implement a trace-back 326 to a point in the network as close as possible to the sources (110, 112, 114, 116, fig.1) of an attack and implement a measure to mitigate the effects of the attack. The present invention permits detection of attacks as close as possible to the target (108, fig. 1), where accurate detection is more likely, and the imposition of measures as close to the sources of the attack as possible, minimising the effects on network traffic.

Description

MONITORING APPARATUS AND METHOD THEREFOR
[0001] The present invention relates to a monitoring apparatus for the detection of malicious attacks, for example attacks of the type originating from compromised host systems that are under the control of a remote computer, such as a Distributed Denial of Service attack. The present invention also relates to a communications system comprising the monitoring apparatus, a use of a network interface of a network element, and a method of detecting a malicious attack.
[0002] In the field of network communications, so-called "Denial of Service" (DoS) attacks take several forms. The most common type of attack attempts to prevent external access to enterprise networks, e-commerce sites or public web sites by flooding them with large amounts of traffic, so that legitimate users are unable to reach the site that is the target of the attack, hence the term "Denial of Service". These attacks consist of sending packets, such as TCP SYN requests or PINGs with false source addresses, to which the target site or network ("the target") must respond. For example, one known type of attack, the "flooding attack", involves the Internet link of the target being flooded by an onslaught of false TCP SYN requests that keep a network device at the target, and indeed the CPU supporting the network device, busy answering spurious connection requests. In some cases the attacks instead send specially devised malformed packets that remote software services are unable to process, crashing either the service running on a host system or, in the worst case, the host system itself. These are known as protocol attacks. The specially devised packets can be very simple: for example, Windows NT and 95, early 2.0.x Linux, Solaris x86 and Macintosh systems will all crash if they receive a PING packet larger than the maximum IP datagram size of 65535 bytes. Such a packet cannot travel as a single unit, so it is delivered as IP fragments whose offsets and lengths reassemble to more than the maximum. This is colloquially known as a "Ping of Death".
[0003] A Distributed Denial of Service (DDoS) attack uses the same method as a regular DoS attack, but it is launched from multiple sources. As an initial step, an attacker attempts to infiltrate unsuspecting host systems (hereafter "hosts") with fast network connections using known security loopholes, thereby compromising the hosts. After gaining access, the attacker installs software onto the compromised hosts. These newly installed software services act as agents, or "slaves", that lie dormant on the hosts until they are given a command from a remote source, known as a "master". The master orders each slave to run a single DoS attack against a specified target. A number of slaves, ranging from just a few to many tens or hundreds, can be used in a single attack; a target can therefore be "blasted" with malicious packets from multiple hosts.
[0004] With the proliferation of cable modems and Digital Subscriber Line (DSL) Internet access, the ready availability of powerful hacking tools, and vulnerable, i.e. unpatched, hosts, there are plenty of easily accessible hosts with fast connections to the Internet that could be used as potential attack slaves. The key to a DDoS attack is that an assault from a single host will not be able to overwhelm a potential victim with a high-bandwidth Internet connection; however, thousands of such attacks originating from many host systems spread all over the globe can soon overpower the potential victim.
[0005] Success of a DDoS attack depends upon whether or not the potential victim has more bandwidth available than the aggregate bandwidth at the disposal of the attacker. Ultimately, a determined attacker is likely to win, simply because attackers are able to compromise many vulnerable hosts and use them as slaves to mount a concerted distributed attack. No individual enterprise or site can stop such attacks outright, so they rely upon one or more of a number of measures available to them to defend themselves. The measures available include a combination of firewalls, scanners and intrusion detection systems to stop the attacks penetrating a network.
[0006] In relation to prevention, ISPs wishing to trace the originators of DoS attacks and other malevolence, such as virus and worm attacks, need to recognise an attack as it is occurring. This is relatively easy close to the target: the arrival of large numbers of suspect packets is indicative of a possible attack. However, at the target the process of filtering packets and tracing the source is difficult, because a very large number of packets can be sent from geographically and topologically disparate compromised hosts, and so a firewall might be overwhelmed when attempting to filter the attack packets, ironically making the attack a success. Also, almost all packets sent by attacking hosts use "spoofed" source IP addresses, i.e. false source IP addresses, making tracing of the source of the attack extremely difficult.
[0007] Clearly, if the source of an attack can be discovered, a system administrator can inform the owners of any subverted hosts and attempt to identify the party that compromised them. Even if the source cannot be identified, it is still possible to apply a filter closer to the origin of the attack packets, a solution that inherently has improved efficiency and less impact on network elements, because the overall filtering effort is distributed and more closely targeted.
[0008] Several defensive technologies exist that offer protection against attacks, and some help track down the source of an assault. Such defensive systems rely on protecting an enterprise network or site at the connection points between the enterprise network or site and the wider Internet. Examples of these defensive technologies include firewalls, intrusion detection systems and scanners.
[0009] A firewall is the first line of defence of an enterprise or a site. It defines permitted incoming and outgoing connections, whilst helping to prevent the intrusion that would be required to plant agent or zombie programs on a network behind the firewall. During an attack, a correctly configured firewall will bear the brunt of the attack and should recognise flooding attacks and drop the packets constituting them before they penetrate the network. Most commercial firewalls can also be set to notify the system administrator that an attack is underway. However, the most important feature of the firewall in this type of attack may be its ability to log suspicious traffic. Firewalls, however, are not a complete solution, because a skilled attacker, or someone who has downloaded good tools, can easily overcome the protection provided by the best firewalls if vulnerabilities exist on a network.
[0010] Another type of defensive system is a so-called "scanner" application, which searches a site or enterprise network for vulnerabilities and tells the system administrator how to fix them. Scanners also scan the enterprise network for existing back doors and DDoS agents or slaves, alerting the administrator so that they can be removed.
[0011] Intrusion Detection Systems (IDS) are another type of defensive system. They monitor all packets that go to network segments or hosts and try to identify scanning attempts upon those networks that are hoping to exploit a vulnerability, irrespective of whether or not the particular vulnerability exists.
[0012] In order for an attacker to place distributed slaves into a network, the attacker must first penetrate the network and gain access to one or more general purpose computing devices on that network, for example a Personal Computer (PC), a process that breaks down into several stages. During each stage, it is possible to search for signature packets that are indicative of the attack. Consequently, the IDS scans packets and is programmed to recognise the process of penetrating the network being monitored. Once a machine is compromised, the assailants often repeat the process, giving the IDS further opportunities to uncover an attack.
[0013] "Inferring Internet Denial-of-Service Activity" (Moore et al., 2001 USENIX Security Symposium, pages 9 to 22) discusses a technique called "backscatter analysis" that can be used to infer the frequency and size of DoS attacks. Backscatter analysis is statistical in nature and has some limitations, especially in observing so-called "reflector" DDoS attacks that use compromised third-party hosts to mount the assault. Therefore, backscatter analysis is only useful for gauging the size and duration of attacks in the network.
[0014] To police a network effectively, the sources of packets need to be traced. Some useful techniques have been developed, but often these only operate in real time, require an external trigger or need changes to existing protocols. Some known methods do allow attacks to be tracked after they have occurred, but have associated drawbacks making their application impractical with current protocols. Furthermore, if a distributed attack is underway then tracing the slaves is difficult enough; finding the controlling master, who could be several levels of indirection away, is almost impossible.
[0015] The above types of method are known as offensive technologies and are employed to track the sources of attacks once an attack has been discovered. Once an attack is in progress, such technologies first identify a router at the target site responsible for an attacking flow, then log into the router and determine the interface and upstream router from which the attack is coming. Once the interface and router are determined, the process is repeated recursively so as to follow the attacking packets back to their source. However, this process, known as "backtracing", is a complicated, slow, manual process that requires the flow of packets to remain active during the trace back, much like tracing a telephone call. The flow may also originate from multiple sources and have varying signatures, making tracing back problematic.
[0016] Another technique, known as "DoSTracker" and available from MCI, uses a Cisco Systems, Inc. router feature known as "input debugging" that allows an operator to filter particular traffic on an egress port and identify the ingress port at which the traffic arrived. DoSTracker uses scripts written in the Perl language, written explicitly for Cisco routers, to trace a packet back through the upstream routers using the input debugging feature. However, as implied above, the script is manufacturer (Cisco Systems) specific and requires password access to every router in the attack chain. Quite correctly, router passwords are closely guarded, and obtaining access to such sensitive resources is not an easy task.
[0017] In contrast, a system described in "Backtracking Spoofed Packets" (T. Dunigan, Network Research Group, Oak Ridge National Laboratory) and known as "tracer daemons" operates in parallel with the routers on each network segment, using a standard Personal Computer (PC). If a standard intrusion detection system recognises an attack, the tracer daemons are spawned through the network, backtracking the path of the attacking traffic at each segment. Complete integration between the intrusion detection system and the tracer daemons is obviously required, and the technique can only operate successfully if accessible hosts are available on each network segment concerned.
[0018] "CenterTrack: An IP Overlay Network for Tracking DoS Floods" (R. Stone, 9th USENIX Security Symposium, August 2000) describes the use of an overlay network, consisting of IP tunnels, that is used to selectively re-route interesting packets directly from edge routers to special tracking routers. The tracking routers can easily determine the ingress edge router by observing which tunnel the packets arrive on. The packets can be examined by the tracking routers and then dropped or forwarded to the appropriate egress point, depending upon whether or not the packets are considered to be associated with an attack. However, this solution requires substantial additional network hardware.
[0019] "Practical Network Support for IP Traceback" (Savage et al., SIGCOMM 2000) describes a mechanism that employs probabilistic marking of packets with partial path information as they arrive at a router. The mechanism relies upon the fact that DoS attacks invariably comprise a large number of packets: whilst each marked packet only represents a small sample of the path it has traversed, by combining a number of packets it is possible to reconstruct the entire path. However, the technique requires adding two IP addresses, the two ends of the link or 'edge' being sampled, together with a hop-distance counter, to the probabilistically marked packet, and making such changes to core Internet protocols is not likely to be acceptable to ISPs.
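The edge-sampling scheme summarised in [0019], as an added example that is not code from the patent or from Savage et al.: routers are plain string labels, the marking space is a Python object rather than bits squeezed into the IP header, and the paper's compression of the edge into the 16-bit identification field is left out. The example also shows the property the scheme leans on: a sender can pre-load a forged mark, but because every non-sampling router increments the distance, forged routers can only appear beyond the genuine path. The path, the sampling probability and the packet count are constructed for the example.

```python
import random
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Mark:
    """Per-packet marking space of edge sampling: the two ends of one edge
    plus a hop-distance counter (constructed object, not header bits)."""
    start: Optional[str] = None
    end: Optional[str] = None
    distance: int = 0


Edge = Tuple[str, Optional[str], int]


def mark_along_path(path: List[str], p: float, rng: random.Random,
                    initial: Optional[Mark] = None) -> Mark:
    """Forward one packet through `path` (attacker side first), applying the
    marking rule at every router. `initial` lets the sender pre-load a forged
    mark, as a real attacker can."""
    w = Mark() if initial is None else Mark(initial.start, initial.end, initial.distance)
    for router in path:
        if rng.random() < p:
            # Sampled: start a new edge at this router and reset the distance.
            w.start, w.end, w.distance = router, None, 0
        else:
            if w.distance == 0:
                # The previous hop started an edge; this router completes it.
                w.end = router
            # Every non-sampling router counts itself, so a genuine edge's
            # distance is exact and a forged mark's distance can only grow.
            w.distance += 1
    return w


def collect_edges(marks: List[Mark], victim: str) -> Set[Edge]:
    """Turn the marks received at the victim into (start, end, distance) edges."""
    edges: Set[Edge] = set()
    for w in marks:
        if w.start is None:
            continue                               # never sampled on the way
        if w.distance == 0:
            edges.add((w.start, victim, 0))        # router adjacent to the victim
        else:
            edges.add((w.start, w.end, w.distance))
    return edges


def reconstruct_path(edges: Set[Edge], victim: str) -> List[str]:
    """Walk outward from the victim one hop distance at a time, accepting an
    edge only if its distance matches its position in the path so far."""
    path = [victim]
    d = 0
    while True:
        candidates = {s for (s, e, dist) in edges if dist == d and e == path[-1]}
        if len(candidates) != 1:
            break                      # path exhausted, or ambiguous at this hop
        path.append(candidates.pop())
        d += 1
    return path[1:]                    # routers only, nearest the victim first


def simulate(path: List[str], victim: str, packets: int, p: float,
             seed: int, forged: Optional[Mark] = None) -> List[str]:
    """Send `packets` marked packets along `path` and reconstruct it at the victim."""
    rng = random.Random(seed)
    marks = [mark_along_path(path, p, rng, forged) for _ in range(packets)]
    return reconstruct_path(collect_edges(marks, victim), victim)


if __name__ == "__main__":
    route = ["R1", "R2", "R3", "R4", "R5", "R6"]      # R6 is adjacent to the victim
    print(simulate(route, "victim", 3000, 0.25, 7))
    print(simulate(route, "victim", 3000, 0.25, 7, Mark("evil", None, 0)))
```

With p = 0.25 the edge five hops out is carried by roughly 6% of packets, so a few thousand packets reconstruct a six-router path reliably. Marks the sender forges survive only on packets that no router sampled, by which time their distance is at least the path length, so the forged router is appended after the genuine routers rather than displacing any of them.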
[0020] In theory, the IP Record Route option of Internet Engineering Task Force (IETF) Request For Comments (RFC) 791 can be used for the purpose of traceback. However, it is not widely used for this purpose. Similarly, Routing Headers in IPv6 can also be used. In both cases, any traffic that requires the alteration of packet headers en route requires special treatment that inevitably changes the forwarding characteristics of the packets. Typically, the special behaviour requires the packets to be handled on the slow path of a router, in software rather than in dedicated hardware.
[0021] In "ICMP Traceback Messages" (S. Bellovin, M. Leech and T. Taylor; Internet Draft, draft-ietf-itrace-04.txt, February 2003), a traceback scheme similar in nature to the above-described probabilistic method is disclosed. In the ICMP scheme, every router samples, with low probability (for example, 1/20,000), one of the packets it is forwarding and copies its contents into a special ICMP traceback packet. The ICMP packet includes information about adjacent routers along the path to the destination of the sampled packet. During a flooding-style attack, the victim host can use the ICMP messages to reconstruct a path back to an attacker. However, any technique that uses ICMP messages will be handled on the slow path of a given processing router, and such traffic is increasingly filtered out or rate limited by ISPs. Often ICMP messages are filtered by ISPs simply to prevent router tracing and to limit the very types of PING-based attack that the ICMP traceback scheme aims to solve. Finally, a sophisticated attacker with the aim of confusing the detection system can also spoof ICMP traceback packets.
[0022] In "Tracing Anonymous Packets to Their Approximate Source" (H. Burch and B. Cheswick, http://www.mirrors.wiretapped.net/security/info/papers/networking/tracing-anonymous-packets-to-their-approximate-source.pdf), a technique is disclosed that sequentially floods links on a network with a large burst of self-generated synthetic traffic and observes how the burst interrupts the attacker's packets. Since flooding a link will cause both the attack packets and the flooding packets to be dropped, a map of the network topology can then be used to calculate the direction of the attack. This technique, however, gives poor results when applied to DDoS attacks and can cause disruption to other legitimate traffic passing through a network.
[0023] A different approach, using active networking technologies, has been disclosed in "A Defense Against Address Spoofing Using Active Networks" (Van Van, MIT Master's Thesis, http://www.sds.lcs.mit.edu/publications/van97.html). In this approach, active networks allow intermediate routers in a network, not just the end hosts, to perform processing on packets. Code to be executed by a given node is sent inside a packet to that node, so a user can send a computer program to a node or a host. However, this technique raises serious security issues, and the practical implications of this technology, especially the security aspects, mean that most Internet Service Providers (ISPs) are currently unlikely to accept such a potentially dynamic and openly adaptable environment.
[0024] In summary, existing systems have one or more drawbacks: many of the above technologies require overlay networks, additional hosts to run tracing programs, the addition of overhead to a forwarding path or router CPU, major protocol changes, and/or explicit up-to-date topological knowledge of the surrounding network. Other drawbacks include the presentation of a security risk that can itself be exploited by an attacker, the need to add a large additional per-packet overhead, and/or considerable system management overhead.
[0025] According to a first aspect of the present invention, there is provided a monitoring apparatus for detection of a malicious attack in a communications network, the apparatus comprising: a datagram extractor arranged to procure, when in use, at least one datagram from a stream of datagrams traversing a network element; a datagram analyser arranged to identify, when in use, a characteristic of a malicious attack from the at least one datagram; and an alert generator arranged to generate, when in use, an alert in response to an identification of the characteristic of the malicious attack.
[0026] The at least one datagram may be a plurality of datagrams. The datagram extractor may be arranged to sample the at least one datagram from the stream of datagrams traversing the network element. A rate of sampling of datagrams by the datagram extractor may be set in response to a measured criterion. In this respect, the measured criterion may be one or more of a frequency of malicious attacks, a quantity of traffic on a predetermined communications link, and/or processing power available to the monitoring apparatus. Of course, the sampling rate of datagrams by the datagram extractor may be modified in response to identification of the characteristic of the malicious attack.
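As an added illustration of the adaptive sampling extractor of [0026] (not code from the patent), the sampling rate below is recomputed from the criteria the paragraph names, i.e. the traffic volume on the link, the processing power available to the monitoring apparatus and the recent frequency of attacks, and it is tightened when an alert fires. The CPU budget, the update rule and the tenfold tightening on an alert are assumptions made for this example.

```python
import random
from typing import Iterable, Iterator, Optional


class AdaptiveSampler:
    """Sample roughly 1 in `rate` datagrams, with `rate` set from measured criteria.

    Added illustration of the datagram extractor described above. The criteria
    (link traffic, available processing, attack frequency) are those of the
    passage; the budget figures, the update rule and the tenfold tightening on
    an alert are assumptions made for this example.
    """

    def __init__(self, base_rate: int = 1000, min_rate: int = 1,
                 max_rate: int = 1_000_000, cpu_budget_us: int = 500_000,
                 seed: Optional[int] = None) -> None:
        self.base_rate = base_rate          # 1-in-N when the link is quiet
        self.min_rate = min_rate            # 1 means every datagram is inspected
        self.max_rate = max_rate
        self.cpu_budget_us = cpu_budget_us  # CPU microseconds per second we may spend
        self.rate = base_rate
        # Randomised 1-in-N: a fixed "every Nth packet" pattern is easy to dodge.
        self._rng = random.Random(seed)

    def adjust(self, pps: int, cost_per_sample_us: int, attacks_per_hour: float) -> int:
        """Recompute the rate from link load, analyser cost and attack frequency.

        pps: datagrams per second on the monitored link
        cost_per_sample_us: CPU microseconds the analyser spends per sampled datagram
        attacks_per_hour: recent frequency of confirmed malicious attacks
        """
        # Samples per second the processing budget can absorb.
        affordable_sps = max(1, self.cpu_budget_us // cost_per_sample_us)
        # Smallest N that keeps pps / N within that budget (ceiling division).
        needed = max(self.min_rate, -(-pps // affordable_sps))
        # Frequent attacks justify spending the whole budget; otherwise rest at base_rate.
        target = needed if attacks_per_hour >= 1.0 else max(needed, self.base_rate)
        self.rate = min(self.max_rate, target)
        return self.rate

    def on_alert(self) -> int:
        """Tighten sampling tenfold once a characteristic of an attack is seen."""
        self.rate = max(self.min_rate, self.rate // 10)
        return self.rate

    def sample(self, datagrams: Iterable[bytes]) -> Iterator[bytes]:
        """Yield each datagram with probability 1/rate."""
        for d in datagrams:
            if self._rng.random() * self.rate < 1.0:
                yield d


if __name__ == "__main__":
    s = AdaptiveSampler(seed=1)
    print(s.adjust(pps=1_000_000, cost_per_sample_us=10, attacks_per_hour=0.0))  # rests at 1000
    print(s.adjust(pps=1_000_000, cost_per_sample_us=10, attacks_per_hour=5.0))  # spends the budget: 20
    print(s.on_alert())                                                           # tightens to 2
```

The budget arithmetic is kept in integers deliberately: a floating-point division that lands on 20.000000000000004 would make the ceiling 21 and silently halve the effective sampling. The sampler draws per datagram rather than counting to N so that an attacker who knows the rate cannot time packets to fall between samples.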
[0027] The datagram analyser may be arranged to analyse the at least one datagram to identify a value in a field of the at least one datagram, the value in the field being indicative of the malicious attack. The datagram analyser may be arranged to analyse the at least one datagram to identify a traffic pattern or flow state indicative of the malicious attack. A large burst of datagrams of a kind known to be used in exploits, from random sources addressed to a common destination, or a particular packet sequence or contents, are examples of signs of suspicious network activity or of a malicious attack. The analyser may be able to provide spoofed address detection, detect particular destination traffic dynamics, detect non-responsiveness of a connection to congestion, detect known specific attack datagram signatures, and/or detect other abnormal connection semantics. The abnormal connection semantics may include an abnormally large number of pending connections to a particular network port.
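The analyser of [0027], together with the SYN flood and Ping of Death attacks described in [0002], as an added example that is not the patent's own code: it keeps a table of pending connections per destination port, flags a port whose backlog of half-open connections exceeds a threshold, notes when the sources look random (one distinct source per half-open connection), and flags any fragment whose reassembled size would exceed the IP maximum. The thresholds and the packet records are constructed for the example; the fragment check is applied to every protocol rather than only to ICMP, since an oversized reassembly is malformed whatever it carries.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Pkt:
    """The few header fields the analyser inspects (constructed records, not captures)."""
    src: str
    dst: str
    proto: str            # "tcp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: str = ""       # TCP flags as letters, e.g. "S" (SYN), "A" (ACK), "SA"
    frag_offset: int = 0  # IP fragment offset, in 8-byte units
    payload_len: int = 0  # IP payload bytes carried by this fragment


SYN_BACKLOG_THRESHOLD = 20   # half-open connections per port before alerting (assumed)
RANDOM_SOURCE_RATIO = 0.9    # distinct sources / pending; near 1 suggests spoofing (assumed)
MAX_IP_DATAGRAM = 65535      # RFC 791 maximum total length


def pending_connections(pkts: List[Pkt]) -> Dict[Tuple[str, int], Set[Tuple[str, int]]]:
    """Per (dst, dport): peers that sent a SYN and never followed with an ACK."""
    pending: Dict[Tuple[str, int], Set[Tuple[str, int]]] = defaultdict(set)
    for p in pkts:
        if p.proto != "tcp":
            continue
        port, peer = (p.dst, p.dport), (p.src, p.sport)
        if p.flags == "S":
            pending[port].add(peer)
        elif "A" in p.flags:
            pending[port].discard(peer)   # handshake completed (or data flowing)
    return pending


def oversized_fragments(pkts: List[Pkt]) -> List[Pkt]:
    """Fragments whose reassembled datagram would exceed the IP maximum (Ping of Death shape)."""
    return [p for p in pkts if p.frag_offset * 8 + p.payload_len > MAX_IP_DATAGRAM]


def analyse(pkts: List[Pkt]) -> List[dict]:
    """Return one alert per characteristic of a malicious attack found in the sample."""
    alerts: List[dict] = []
    for (dst, dport), peers in pending_connections(pkts).items():
        if len(peers) >= SYN_BACKLOG_THRESHOLD:
            distinct_sources = {src for src, _ in peers}
            alerts.append({
                "kind": "syn_flood", "dst": dst, "dport": dport, "pending": len(peers),
                "random_sources": len(distinct_sources) / len(peers) >= RANDOM_SOURCE_RATIO,
            })
    for p in oversized_fragments(pkts):
        alerts.append({"kind": "ping_of_death", "src": p.src, "dst": p.dst,
                       "reassembled_len": p.frag_offset * 8 + p.payload_len})
    return alerts


def build_sample() -> List[Pkt]:
    """Constructed traffic: a half-open flood, three real handshakes, one oversized echo."""
    pkts = []
    for i in range(50):   # 50 SYNs from 50 different sources, none ever acknowledged
        pkts.append(Pkt(f"198.51.100.{i + 1}", "10.0.0.5", "tcp", 40000 + i, 80, "S"))
    for i in range(3):    # legitimate clients complete the handshake
        src, sport = f"203.0.113.{i + 1}", 50000 + i
        pkts.append(Pkt(src, "10.0.0.5", "tcp", sport, 80, "S"))
        pkts.append(Pkt(src, "10.0.0.5", "tcp", sport, 80, "A"))
    # Last fragment of an ICMP echo: offset 8180 * 8 = 65440 bytes, plus 1480 payload bytes
    pkts.append(Pkt("192.0.2.9", "10.0.0.5", "icmp", frag_offset=8180, payload_len=1480))
    return pkts


if __name__ == "__main__":
    for alert in analyse(build_sample()):
        print(alert)
```

A sampled stream sees only a fraction of the SYNs and ACKs, so on a real interface the backlog threshold has to be scaled by the sampling rate, and a legitimate busy server will also show many pending connections; the random-source ratio is what separates a flood of spoofed sources from a popular service. The fragment check needs no reassembly buffer at all, which is what makes it cheap enough for an interface module.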
[0028] The apparatus may further comprise a data store for recording one or more of the at least one datagram or one or more fragment thereof. Additionally or alternatively, the apparatus may further comprise a backtrace initiator arranged to initiate a back trace in response to identification of the characteristic of the malicious attack.
[0029] The apparatus may further comprise a correlator arranged to correlate egress traffic with ingress traffic. The correlator may use a routing table to correlate the egress traffic with the ingress traffic.
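An added example of the correlator of [0029], not the patent's own code: a longest-prefix lookup over a constructed routing table for the target-nearest router of the later description. The forward lookup on the destination confirms the egress interface of the attack flow; the reverse lookup on the source gives the interface the datagram should have entered by if its source address were genuine. Interface and neighbour names are made up for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str      # local interface the prefix is reached through
    neighbour: str      # adjacent router on that interface


# Constructed table for the target-nearest router: the target LAN behind eth3,
# two adjacent routers on eth1 and eth2, and a default route towards eth0.
ROUTES: List[Route] = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "eth0", "upstream"),
    Route(ipaddress.ip_network("10.0.0.0/24"), "eth3", "target-lan"),
    Route(ipaddress.ip_network("198.51.100.0/24"), "eth1", "router-200"),
    Route(ipaddress.ip_network("198.51.100.128/25"), "eth2", "router-202"),
    Route(ipaddress.ip_network("203.0.113.0/24"), "eth2", "router-202"),
]
NEIGHBOUR_ON: Dict[str, str] = {r.interface: r.neighbour for r in ROUTES}


def lookup(table: List[Route], addr: str) -> Optional[Route]:
    """Longest-prefix match, as the forwarding table itself would resolve it."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in table if ip in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def correlate(table: List[Route], src: str, dst: str, observed_ingress: str) -> dict:
    """Correlate an attack flow seen leaving towards `dst` with where it entered.

    The forward lookup on dst gives the egress interface. The reverse lookup on
    src gives the interface the datagram should have entered on if its source
    were genuine; a mismatch with the observed ingress means a spoofed source
    (or asymmetric routing). Either way the back-trace continues towards the
    neighbour on the interface the packets actually arrived on.
    """
    egress = lookup(table, dst)
    reverse = lookup(table, src)
    if reverse is None or reverse.prefix.prefixlen == 0:
        verdict = "unverifiable"        # only the default route claims the source
    elif reverse.interface != observed_ingress:
        verdict = "spoofed-or-asymmetric"
    else:
        verdict = "consistent"
    return {
        "egress": egress.interface if egress else None,
        "expected_ingress": reverse.interface if reverse else None,
        "observed_ingress": observed_ingress,
        "verdict": verdict,
        "next_hop_back": NEIGHBOUR_ON.get(observed_ingress),
    }


if __name__ == "__main__":
    # A flood towards the target whose source claims to sit behind eth1 but arrived on eth2.
    print(correlate(ROUTES, "198.51.100.7", "10.0.0.5", "eth2"))
```

The verdict is what tells the back-tracer which information to trust: when the expected and observed ingress interfaces disagree, the source address is worthless and the trace follows the observed interface to its neighbour instead. A source that matches only the default route cannot be checked this way at all, which is why the test is strongest at edge routers with specific routes and weakest in the core.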
[0030] The apparatus may further comprise a communications interface capable of communicating data relating to the malicious attack to another monitoring apparatus.
[0031] According to a second aspect of the present invention, there is provided a processing resource for a network element, the resource comprising the monitoring apparatus as set forth above in relation to the first aspect of the present invention.
[0032] According to a third aspect of the present invention, there is provided a programmable measurement device comprising the processing resource as set forth above in relation to the second aspect of the present invention.
[0033] According to a fourth aspect of the present invention, there is provided an interface card for a network element comprising the processing resource as set forth above in relation to the second aspect of the present invention.
[0034] According to a fifth aspect of the present invention, there is provided a network element comprising the processing resource as set forth above in relation to the second aspect of the present invention.
[0035] According to a sixth aspect of the present invention, there is provided a communications system comprising the monitoring apparatus as set forth above in relation to the first aspect of the present invention.
[0036] The system may further comprise a back-tracer capable of tracing a datagram relating to the malicious attack substantially as far back as possible to a source of the malicious attack. The back-tracer may be associated with a first Service Provider, and the back-tracer is arranged to communicate data relating to the malicious attack with another back-tracer associated with a second Service Provider.
[0037] The system may further comprise a suppressor arranged to prevent or reduce the number of datagrams emanating from the source of the malicious attack. The suppressor may comprise a rate limiter arranged to limit the rate of outbound datagrams emanating from the source of the malicious attack substantially as close to the source of the malicious attack as possible. Additionally or alternatively, the suppressor may comprise a source disconnector capable of preventing the source of the malicious attack from sending datagrams associated with the malicious attack.
[0038] The system may further comprise a control monitor for monitoring traffic communicated to the source of the malicious attack from a controlling source.
[0039] The system may further comprise a central repository for storing the one or more of the at least one datagram or the one or more fragment thereof relating to the malicious attack. The central repository may be shared by a number of Service Providers.
[0040] According to a seventh aspect of the present invention, there is provided a method of detecting a malicious attack in a communications network, the method comprising the steps of: procuring at least one datagram from a stream of datagrams traversing a network element; identifying a characteristic of a malicious attack from the at least one datagram; and generating an alert in response to an identification of the characteristic of the malicious attack.
[0041] According to an eighth aspect of the present invention, there is provided a use of an interface card of a network element to detect a malicious attack in a communications network.
[0042] It is thus possible to provide a monitoring apparatus, communications system, method and use that are capable of deterring attacks rather than merely curing them. Furthermore, it is also possible to identify a compromised host machine, or a point in the network near it, making it possible to communicate the existence of a security compromise to the network administrator of the administrative domain containing the compromised host. Armed with this information, the network administrator is able to take the steps necessary to prevent transmission of datagrams associated with the malicious attack and/or repair the weaknesses in security. Additionally, it is sometimes possible to trace the culprit who is controlling a source of the malicious attack. Consequently, better policing of a network, such as the Internet, is possible. It is further possible to provide, relatively quickly, information concerning the malicious attack to a service provider, such as an Internet Service Provider, so that rapid action can be taken to suppress the malicious attack, for example by filtering out malicious traffic addressed to a target host network. By placing a filter as close as possible to the source of an attack, the likelihood of legitimate packets inadvertently being removed from a flow of packets is reduced; identification as close as possible to the target results in a higher degree of confidence that detection of the malicious attack is reliable. Furthermore, the treatment of datagrams in the communications network is not affected, nor are any protocol changes required. Of particular advantage is the absence of any need for additional fields to be added to existing packets. Also, overlay networks are not required, and management overhead is not increased considerably. Both real-time and post-mortem analysis are possible, and the apparatus and method are passive in nature, making them harder to exploit for malicious purposes. The solution of the present invention also allows viruses and worms to be detected and their respective sources identified.
[0043] At least one embodiment of the invention will now be described, by way of example only, with reference to the accompanying drawings, in which:
Figure 1 is a schematic diagram of a part of a communications network;
Figure 2 is a schematic diagram of a number of network elements of Figure 1 in greater detail;
Figure 3 is a schematic diagram of part of a network element of Figure 2 in greater detail;
Figure 4 is a flow diagram of a first part of a method for use with the network elements of Figures 2 and/or 3;
Figure 5 is a flow diagram of a second part of the method for use with the network elements of Figures 2 and/or 3;
Figure 6 is a flow diagram of a third part of the method for use with the network elements of Figures 2 and/or 3;
Figure 7 is a flow diagram of a fourth part of the method for use with the network elements of Figures 2 and/or 3; and
Figure 8 is a schematic diagram of an enhanced GBIC for monitoring networks.
[0044] Throughout the following description, identical reference numerals will be used to identify like parts.
[0045] Referring to Figure 1, a communications network 100, for example the Internet, comprises a plurality of network elements, for example routers 102, interconnected by communications links 104.
[0046] A target host system 106, for example a target server 108, that is the target of a malicious network attack, for example a Distributed Denial of Service (DDoS) attack, is coupled, through the routers 102, to a first compromised slave computer 110, a second compromised slave computer 112, a third compromised slave computer 114, and a fourth compromised slave computer 116. In this example, the first, second, third and fourth slave computers 110, 112, 114, 116 are networked computers, such as Personal Computers (PCs) or servers having access to an Internet Service Provider. In each case, the PCs or servers constituting the first, second, third and fourth slave computers 110, 112, 114, 116 have had their respective security measures compromised and a software application uploaded onto them and executed for the purpose of transmitting packets to the target server 108 under the control of a so-called "master" 118, the packets (hereafter "malicious packets") being designed to disrupt or totally prevent the service being provided by the target server 108, either by occupying the target server 108 with illegitimate processing requests, overloading it completely, or by causing the target server 108 to crash through receipt of intentionally malformed packets. Of course, for a DDoS attack to succeed, a larger number of compromised slave devices is usually employed, but in this description the number has been limited to four compromised slave computers in order to preserve simplicity and clarity of description.
[0047] In relation to the master 118, the master 118 is also a networked computer, such as a PC. The master 118 executes a controlling software application that is capable of communicating with the first, second, third and fourth slave computers 110, 112, 114, 116 in order to control malicious attacks implemented by the slave computers 110, 112, 114, 116, for example the malicious attack on the target server 108.
[0048] Each of the first, second, third and fourth slave computers 110, 112, 114, 116 is respectively coupled to a first, second, third and fourth source-nearest router 120, 122, 124, 126. Similarly, the target server 108 is coupled to first, second and third target-nearest routers 128, 130, 132.
[0049] Turning to Figure 2, the first target-nearest router 128 is coupled to two other, topologically adjacent, routers 102, for example a first adjacent router 200 and a second adjacent router 202. In this example, each of the first adjacent router 200, the second adjacent router 202 and the first target-nearest router 128 comprises a plurality of interface converter modules 204. In particular, the target-nearest router 128 has a first interface converter module 206 and a second interface converter module 208 via which the target-nearest router 128 is able to communicate with the first adjacent router 200, via a first interface converter module 210 of the first adjacent router 200, and with the second adjacent router 202, via a first interface converter module 212 of the second adjacent router 202.
[0050] The interface converter modules 204, 206, 208, 210, 212 are enhanced programmable monitoring devices based upon, for example, GigaBit Interface Converters (GBICs) that permit receipt and transmission of communications signals between the first adjacent router 200, the second adjacent router 202 and the first target-nearest router 128. Other routers 102 in the communications network possessing the interface converter modules 204 are also interconnected in this way.
[0051] Referring to Figure 8, the enhanced interface converter modules 204 are based upon standard interface converter modules that can be obtained from a number of manufacturers, such as Agilent Technologies Inc., Finisar Corporation, and E20 Communications Inc. The enhanced interface converter module 204 is a hot swappable plug-in full duplex electrical-to-optical converter. The interface converter 204 receives light at, and emits light from, a first interface 802 via optical fibre connections 804 and 806 respectively, forming a network-side full duplex serial connection. The interface converter 204 also receives electrical signals at, and transmits electrical signals from, a second interface 810 via an output electrical connection 812 and an input electrical connection 814 respectively, forming a host-side full duplex serial connection. The first interface 802 controls optical transmitters and detectors (not shown), known in relation to existing interface converter modules, to perform appropriate optical-to-electrical and electrical-to-optical conversions. Likewise, the second interface 810 translates electrical signals on the output and input electrical connections 812, 814 to and from a form suitable to pass to the first interface 802 or be used by a router, respectively. An Electrically Erasable Programmable Read Only Memory (EEPROM) 816 contains manufacturing and device identification that is presented via a first internal connection 818 to the second interface 810. The details of how this information is recovered, and other ancillary services, for example power supplies, are not pertinent to the invention and so will not be described in further detail. The interface converter module is supplemented by an additional processing capability 808 inserted between the first and second interfaces 802, 810.
The additional processing capability 808 is coupled to the first interface 802 by a second electrical connection 826, the additional processing capability 808 being coupled to the second interface 810 by a third electrical connection 822. Electrical serial data signals on the second electrical connection 826 are fed to a first SERialiser-DESerialiser (SERDES) device 828 and electrical signals of the third electrical connection 822 are fed to a second SERDES 824. The first and second SERDES devices 828, 824 take high-speed serial information and present it at a lower data rate on first and second parallel buses 834, 832, respectively, for passing to a monitor core 830. Conversely, the SERDES devices 828, 824 also take parallel information at the lower data rate from the monitor core 830 via the first and second parallel buses 834, 832 respectively, and serialise the lower data rate data for driving on to the first and second electrical connections 826, 822.
Traffic arriving at the monitor core 830 from the host-side connection via the second SERDES device 824 is passed through generally unmodified to the network-side connection via the first SERDES 828. Similarly, traffic arriving from the network-side connection destined for the host-side connection is passed through generally unmodified via the first and second SERDES devices 828, 824.
[0052] By using gaps in active data flowing through the enhanced interface converter module 800, extra packets can be sent over and above those that are being communicated on a link used to communicate the active data. Also, messages specifically intended for receipt by the monitor core 830 can be removed from the flow of the active data if required. The monitor core 830 is programmable and provides suitable services for receiving and interpreting, and generating and transmitting, messages to allow the enhanced interface converter module 800 to interact with other enhanced interface converter modules, as well as other devices provisioned to control devices or collections of devices. An EEPROM connection 820 can optionally be provided between the EEPROM 816 and the monitor core 830 in order to recover data from the EEPROM 816 to inform the monitor core 830 of its role in the network in which the enhanced interface converter module is currently inserted.
[0053] The interface converter modules 204 each comprise a processing resource, such as the additional processing capability described above, that is further enhanced to support a monitoring process to detect malicious network attacks, the processing resource being structured as follows. Optionally, a Field Programmable Gate Array can be integrated into the interface converter module 204 if insufficient processing power is available.
[0054] Referring to Figure 3, the processing resource 300 comprises an input 301 coupled to a sampling logic 302, the sampling logic 302 being coupled to an analyser 304. The analyser 304 comprises a storage unit 306, a packet contents detection unit 308, and a flow dynamics unit 310. An output 311 of the sampling logic 302 is coupled to an input 312 of the analyser 304, the input 312 of the analyser 304 splitting into a first input 314 of the storage unit 306, a second input 316 of the packet contents detection unit 308, and a third input 318 of the flow dynamics unit 310.
[0055] Whilst the analyser 304 has been described as having the storage unit 306, the packet contents detection unit 308, and the flow dynamics unit 310, it should be appreciated that other unit types can also be provided, for example, a spoof address detection unit, a unit to identify non-responsiveness of connections to congestion, and an abnormal connection semantics unit.
[0056] A first output 320 of the storage unit 306, a second output 322 of the packet contents detection unit 308 and a third output 324 of the flow dynamics unit 310 are coupled to a back-trace algorithm unit 326, an alert or alarm generation unit 328, a feedback algorithm unit 330, and a communications unit 332.
[0057] The back-trace algorithm unit 326, the alert generation unit 328 and the feedback algorithm unit 330 are also coupled to the communications unit 332. The feedback algorithm unit 330 is coupled to a sampling algorithm and parameter store unit 334, the sampling algorithm and parameter store unit 334 being coupled to the sampling logic 302 and the communications unit 332. Additionally, the feedback algorithm unit 330 is coupled to a first configuration input 336, a second configuration input 338 and a third configuration input 340 of the storage unit 306, the packet contents detection unit 308, and the flow dynamics unit 310.
[0058] As a variation to the above architecture, the communications unit 332 can be replaced by a control plane connection of a router 102 in which the processing resource 300 is disposed or to which the processing resource 300 is coupled. An example of an application employing the variation of the above architecture will be described later herein.
[0059] In operation (Figures 4 to 7), the communications network 100 operates in a state prior to a launch of a malicious attack on the target server 108. As it is not relevant to the operation of the above apparatus, the manner in which the first slave computer 110, the second slave computer 112, the third slave computer 114 and the fourth slave computer 116 have been compromised will not be described.
However, it should be understood that the master 118 sends commands to the first slave computer 110, the second slave computer 112, the third slave computer 114 and the fourth slave computer 116 in order to identify the target server 108 as the victim of a malicious attack and the frequency of transmission of packets to the target server 108.
[0060] Upon transmission of the identity, i.e. the Internet Protocol (IP) address, of the target server 108 to the slave computers 110, 112, 114, 116, together with the ferocity of the attack, for example the type of packet to be sent and the frequency of transmission, the compromised slave computers 110, 112, 114, 116 begin transmission of packets to the target server 108. The malicious attack on the target server 108 is therefore underway.
[0061] Referring back to Figure 1, paths taken by the malicious packets originating from the compromised slave computers 110, 112, 114, 116 to the target server 108 are shown as solid arrows. The malicious packets traverse a number of the routers 102 en route to the target server 108, presenting several opportunities for detection of the malicious attack.
[0062] The malicious packets sent from the slave computers 110, 112, 114, 116 from topologically and geographically disparate locations converge on the target server 108 as the malicious packets get closer to the target server 108.
Consequently, the target-nearest routers 128, 130, 132 experience a higher level of received traffic than the source-nearest routers 120, 122, 124, 126, the level of received traffic experienced by routers 102 between the source-nearest routers 120, 122, 124, 126 and the target-nearest routers 128, 130, 132 increasing the closer the router 102 is to the target server 108.
[0063] Therefore, routers 102 at differing distances from the target server 108 will respectively receive differing quantities of malicious packets. In this respect, a small number of suspicious packets received by a router 102 does not give a high degree of confidence that a malicious attack is in progress, whereas a much higher number of suspicious packets would be far more telling.
[0064] In this example, the processing resource 300 monitors ingress traffic to the interface converter module 204 in which the processing resource 300 is disposed for suspicious packets or activities in relation to packets, for example, unusual traffic patterns. Upon receipt of a stream of packets corresponding to the ingress traffic, the sampling logic 302 extracts packets from the stream of packets, for example by sampling packets at a predetermined interval in accordance with a sampling algorithm, for example a Poisson sampling algorithm as described in "RFC 2330: Framework for IP Performance Metrics" (V. Paxson, G. Almes, M. Mathis, May 1998), to allow a large number of connections passing through the interface converter module 204 to be monitored simultaneously. Sampled packets are then transferred to the storage unit 306, the packet contents detection unit 308, and the flow dynamics unit 310, and are then handled in relation to separate respective criteria by each of the storage unit 306, the packet contents detection unit 308, and the flow dynamics unit 310.
[0065] In relation to the storage unit 306, sampled packets or fragments of packets are stored for later analysis, for example after the malicious attack has finished. Alternatively or additionally, the sampled packets or fragments of sampled packets can be transmitted to a central repository (not shown) of sampled packets or packet fragments. To achieve this, the storage unit 306 instructs the communications unit 332 to send the sampled packet or packet fragment to the central repository.
[0066] The packet contents detection unit 308 analyses received sampled packets against a number of criteria, or signatures, that are characteristic of a packet being associated with a malicious attack. For example, the packet contents detection unit 308 analyses known fields of the received packet for certain values that make the packet appear suspicious and/or analyses the received packet for spoofed IP addresses. As another example, the packet contents detection unit 308 analyses the sampled packets for signatures indicative of the sampled packets relating to a virus or a worm. In this respect, tests for the signatures can be implemented as rules, for example of the type described on the open source network intrusion detection system website (http://www.snort.org/snort-db/). In such an example, the interface converter modules are programmable in order to provide adaptability to new viruses and worms. The detection carried out by the packet contents detection unit 308 can be carried out in combination with detection of suspicious packet flows by the flow dynamics unit 310, thereby enabling both specific bit patterns and states of TCP connections to be detected.
[0067] The flow dynamics unit 310 analyses the received sampled packets for suspicious traffic patterns and flow states that are indicative of a malicious network attack. For example, the flow dynamics unit can detect, in this example, particular destination traffic dynamics, such as a large burst of known-exploited packets from random sources addressed to a common destination, a particular packet sequence, or an abnormally large number of pending connections to a particular network port, any of which can be a sign of a malicious attack.
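As an added example, not code from the patent, the following implements two of the flow-dynamics heuristics named in paragraph [0067] over a set of sampled-packet records: a sliding-window test for a burst of packets from many distinct sources converging on one destination, and a count of connections left pending (a SYN with no later ACK on the same 4-tuple) per destination port. The record layout, the window size, the thresholds and the sample traffic are constructed assumptions.

```python
"""Added example, not code from the patent: two flow-dynamics heuristics of
the kind the flow dynamics unit (310) is described as applying, run over a
constructed record set of sampled packets. Record layout, window size and
thresholds are assumptions."""
from collections import Counter, defaultdict, deque
import random

SYN, ACK = 0x02, 0x10

# A record is (time_s, src, sport, dst, dport, tcp_flags).


def burst_to_common_destination(records, window_s=1.0, min_packets=50, min_sources=20):
    """Destinations that receive at least min_packets from at least min_sources
    distinct sources inside any window_s-second sliding window: the
    many-to-one convergence of a distributed flood."""
    flagged = set()
    recent = defaultdict(deque)                 # dst -> (time, src) in time order
    for t, src, _sport, dst, _dport, _flags in sorted(records, key=lambda r: r[0]):
        q = recent[dst]
        q.append((t, src))
        while t - q[0][0] > window_s:           # evict what fell out of the window
            q.popleft()
        if len(q) >= min_packets and len({s for _, s in q}) >= min_sources:
            flagged.add(dst)
    return flagged


def half_open_connections(records):
    """Per (dst, dport), the number of SYNs whose 4-tuple never sees a later
    ACK from the same client, i.e. connections left pending."""
    pending = set()
    for _t, src, sport, dst, dport, flags in sorted(records, key=lambda r: r[0]):
        key = (src, sport, dst, dport)
        if flags & SYN and not flags & ACK:
            pending.add(key)
        elif flags & ACK:
            pending.discard(key)
    return Counter((dst, dport) for _src, _sport, dst, dport in pending)


def ports_under_pressure(records, max_pending=100):
    """(dst, dport) pairs whose pending-connection count exceeds max_pending."""
    return sorted(k for k, n in half_open_connections(records).items() if n > max_pending)


def constructed_records(seed=7):
    """Constructed sample: ordinary web sessions that complete their handshake,
    followed by a 200-packet SYN burst from random sources to one server port."""
    rng = random.Random(seed)
    recs = []
    for i in range(30):
        t, src, sport = i * 0.1, f"198.51.100.{rng.randint(1, 20)}", rng.randint(1024, 65535)
        recs.append((t, src, sport, "203.0.113.10", 443, SYN))
        recs.append((t + 0.01, src, sport, "203.0.113.10", 443, ACK))
    for i in range(200):
        src = ".".join(str(rng.randint(1, 254)) for _ in range(4))
        recs.append((5.0 + i * 0.0025, src, rng.randint(1024, 65535), "203.0.113.10", 80, SYN))
    return recs


if __name__ == "__main__":
    recs = constructed_records()
    print("burst destinations:", burst_to_common_destination(recs))
    print("pending per port:", dict(half_open_connections(recs)))
    print("ports under pressure:", ports_under_pressure(recs))
```

Both functions work on whatever fraction of the traffic the sampler delivers, so the thresholds have to be set relative to the sampling rate in force; that coupling is the reason the feedback loop described later raises the rate before the analyser's verdict is trusted.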
[0068] In order to most clearly describe the subsequent operation of the processing resource 300 upon detection of a suspected malicious network attack, the following description will, at least initially, be in the context of the first target-nearest router 128, the first adjacent router 200 and the second adjacent router 202 described above in relation to Figure 2.
[0069] Referring to Figure 4, the packet contents detection unit 308 and the flow dynamics unit 310 each contribute to the process of monitoring (Step 400) for suspicious network activity. If one (or both) of the packet contents detection unit 308 or the flow dynamics unit 310 detects (Step 402) suspicious activity or packets, the feedback algorithm unit 330 communicates the detection of the suspicious activity to the sampling algorithm and parameter store unit 334, and the sampling algorithm and parameter store unit 334 increases (Step 404) the rate of sampling performed by the sampling logic 302. As a consequence of increasing the rate of sampling, the analyser 304 is provided with more information upon which to base an indication of suspicious network activity. The provision of more information reduces the occurrence of so-called "false positives" being given by the analyser 304 based upon too little data, i.e. false indications of suspicious network activity based upon, for example, a small number of erroneous packets. Of course, there are a number of other factors that can influence the sampling interval, examples of which include: the frequency of malicious attacks or suspicious network activity, the amount of traffic on a given network link, and/or the amount of processing power available in the interface converter module 204.
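The sampling described in paragraph [0064] and the feedback loop of paragraph [0069] fit together as follows. This is an added example, not code from the patent: a packet sampler with memoryless gaps (a geometric gap in packets, which is the packet-indexed counterpart of the time-based Poisson sampling in RFC 2330) feeds a small analyser stand-in; a suspicious batch first raises the sampling rate (Step 404), and an alert is raised only if the larger sample still looks suspicious. The stream contents, the verdict rule, the two rates and the batch size are constructed assumptions.

```python
"""Added example, not code from the patent: Poisson-style packet sampling with
the Figure 4 feedback loop (detect, raise sampling rate, re-check, alert).
Rates, batch size, verdict rule and sample traffic are constructed."""
import math
import random
from collections import Counter

BASE_RATE, BOOSTED_RATE = 0.01, 0.1     # assumed samples per packet


class PoissonSampler:
    """Selects packets with geometrically distributed gaps (mean 1/rate), so
    the process is memoryless and cannot be phase-locked by periodic traffic."""

    def __init__(self, rate, seed=1):
        self.rng = random.Random(seed)
        self.set_rate(rate)

    def set_rate(self, rate):
        if not 0 < rate <= 1:
            raise ValueError("rate must be in (0, 1]")
        self.rate = rate
        self._draw_gap()

    def _draw_gap(self):
        if self.rate >= 1.0:
            self.remaining = 1
        else:
            # Inverse-CDF sampling of the geometric distribution on {1, 2, ...}.
            u = self.rng.random()
            self.remaining = max(1, math.ceil(math.log(1.0 - u) / math.log(1.0 - self.rate)))

    def take(self):
        """Call once per packet; True when this packet is to be sampled."""
        self.remaining -= 1
        if self.remaining == 0:
            self._draw_gap()
            return True
        return False


def batch_verdict(samples, syn_fraction=0.5, min_sources=5):
    """Analyser stand-in: suspicious when most samples are bare SYNs, those
    SYNs converge on one destination, and they come from many sources."""
    if not samples:
        return False
    syns = [p for p in samples if p["flags"] == "SYN"]
    if len(syns) < syn_fraction * len(samples):
        return False
    top_dst, n = Counter(p["dst"] for p in syns).most_common(1)[0]
    sources = {p["src"] for p in syns if p["dst"] == top_dst}
    return n >= 0.8 * len(syns) and len(sources) >= min_sources


def monitor(stream, batch_size=1000, seed=1):
    """Steps 400-404 of Figure 4 plus the alert decision: returns the ordered
    list of state changes, each one of "boost", "alert" or "clear"."""
    sampler = PoissonSampler(BASE_RATE, seed)
    events, samples, state = [], [], "normal"
    for i, pkt in enumerate(stream, 1):
        if sampler.take():
            samples.append(pkt)
        if i % batch_size:
            continue
        suspicious = batch_verdict(samples)
        samples = []
        if suspicious and state == "normal":
            sampler.set_rate(BOOSTED_RATE)            # Step 404: gather more data first
            state = "boosted"
            events.append("boost")
        elif suspicious and state == "boosted":
            state = "alerting"                        # still suspicious on more data
            events.append("alert")
        elif not suspicious and state != "normal":
            sampler.set_rate(BASE_RATE)
            state = "normal"
            events.append("clear")
    return events


def constructed_stream(flood=True, seed=3):
    """20 batches of 1000 packets; batches 6 to 15 carry a SYN flood if flood."""
    rng = random.Random(seed)
    pkts = []
    for b in range(20):
        in_flood = flood and 5 <= b < 15
        for _ in range(1000):
            if in_flood:
                src = ".".join(str(rng.randint(1, 254)) for _ in range(4))
                pkts.append({"src": src, "dst": "203.0.113.10",
                             "flags": "SYN" if rng.random() < 0.9 else "ACK"})
            else:
                pkts.append({"src": f"198.51.100.{rng.randint(1, 15)}",
                             "dst": f"203.0.113.{rng.randint(10, 14)}",
                             "flags": "SYN" if rng.random() < 0.1 else "ACK"})
    return pkts


if __name__ == "__main__":
    print("with flood:   ", monitor(constructed_stream(flood=True)))
    print("without flood:", monitor(constructed_stream(flood=False)))
```

At the base rate a batch yields only about ten samples, which is why the first suspicious verdict is used to raise the rate rather than to alert; at the boosted rate the verdict rests on roughly a hundred samples, and a single unlucky batch no longer produces a false positive.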
[0070] If, after the increase in the number of packets being provided to the analyser 304, the analyser 304 is still generating the indication of suspicious network activity, the alert generation unit 328, which receives the results of the analyser 304, begins a process of alerting other interface converter modules 204 of upstream peer routers, as will be described hereinbelow in relation to Figure 5.
For example, upon detection of the suspicious network activity by the first interface converter module 206 of the target-nearest router 128, the alert generation unit 328 associated with the first interface converter module 206 of the target-nearest router 128 essentially sends an alert message to the respective communications units of the first interface converter modules 210, 212 of the first and second adjacent routers 200, 202. Of course, depending upon the policy of the ISP within whose domain the target-nearest router 128 lies, the alert generation unit 328 of the first interface converter module 206 of the target-nearest router 128 can forego the step of increasing the sampling rate of the sampling logic 302 thereof before alerting the respective interface converter modules 204 of the upstream peer routers, if a more proactive approach to dealing with malicious attacks is being taken.
[0071] In order for the first and second interface converter modules 206, 208 of the target-nearest router 128 to communicate with the first interface converter modules 210, 212 of the first and second adjacent routers 200, 202, IP subnets are employed, i.e. IP addresses are assigned to the interface converter modules.
Consequently, the alert generation units 328 of the interface converter modules 204 of the target-nearest router 128 are pre-configured with the IP addresses for contacting corresponding interface converter modules 204 of the upstream peer routers 102, in this case the first interface converter modules 210, 212 of the first and second adjacent routers 200, 202.
[0072] Referring now to Figure 5, as part of the process of alerting other interface converter modules 204 of upstream peer routers, the first interface converter module 206 determines (Step 500) whether the target-nearest router 128 is at an ingress to a network domain or local area network. Assuming this is not the case for the target-nearest router 128, a back-trace process begins, whereby the back-trace algorithm unit 326 of the first interface converter module 206 initiates a back-tracing algorithm. It should be understood that any suitable back-tracing algorithm can be employed for this purpose, for example, when suitably adapted, that described in the now expired Internet Draft "ICMP Traceback Messages" (S. Bellovin, M. Leech, T. Taylor; February 2003 (expires: August 2003); draft-ietf-itrace-04.txt). Alternatively, a depth-first search can be carried out by sending packets to upstream nodes from a downstream node indicating that the downstream node has "seen" an attack. In the present example, the back-tracing activity is executed as follows.
[0073] Upon determining that the target-nearest router 128 is not at an ingress to a network domain or local area network, the alert generation unit 328 of the first interface converter module 206 informs corresponding alert generation units 328 of interface converter modules 204 of upstream peer routers (Steps 502 and 504) of the detection of the suspicious network activity. Whilst the interface converter modules 204 of the upstream peer routers are being informed of the detection of suspicious network activity, the alert generation unit 328 of the first interface converter module 206 itself determines (Figure 6: Step 600) whether an alert message has been received from a downstream router advising of suspicious network activity. Since the first interface converter module 206 is nearest to the target server 108, no such alert message is received and so, referring back to Figure 4, the analyser unit 304 of the first interface converter module 206 monitors for and determines (Steps 400 and 402) whether suspicious network activity is currently being observed. Since the first interface converter module 206 is observing suspicious network activity, the first interface converter module 206 repeats Steps 500 to 504 until all possible upstream routers are alerted to the detection of the suspicious network activity.
[0074] Thereafter (Figure 7), the processing resource of the first interface converter module 206 of the target-nearest router 128 verifies (Step 700) whether the storage unit 306 is recording packets or packet fragments. If packet or packet fragment recordal is not taking place, recordal is initiated (Steps 702 and 704). In this state, the storage unit 306 records traffic patterns (Step 704) and creates (Step 706) a log file (not shown) for recording the traffic patterns recorded and any other data, for example packets and/or packet fragments usually stored by the storage unit 306. Packets containing log data from the log file are sent (Step 708) to the central repository at regular intervals until the suspicious network activity is deemed (Step 710) to have ceased, whereupon traffic recordal terminates.
[0075] When the analyser unit 304 of the first interface converter module 206 no longer detects suspicious network activity, the analyser unit 304 of the first interface converter module 206 continues monitoring for suspicious network activity (Step 400). In another embodiment, monitoring "sessions" can be initiated, whereby multiple instances of the above process are executed in parallel or substantially in parallel in order to handle multiple simultaneous or substantially simultaneous detections of suspicious network activity.
[0076] In relation to the first interface converter modules 210, 212, these may already have detected the suspicious network activity detected by the first interface converter module 206 of the target-nearest router 128. However, the farther a given router 102 is from the target server 108, the less likely the analyser unit 304 of the given router 102 is to detect the suspicious network activity.
Whether or not the first interface converter modules 210, 212 have detected the suspicious network activity, the first interface converter modules 210, 212 nevertheless still execute the same process described above in relation to Figures 4 to 7.
[0077] However, in the present example, the first interface converter modules 210, 212 do receive the alert message from the alert generation units 328 of the first and second interface converter modules 206, 208 respectively of the target-nearest router 128. In this respect, and referring to Figure 6, when the alert generation unit 328 of the first interface converter module 210 of the first adjacent router 200 determines (Step 600) that the alert message has been received, the alert generation unit 328 informs the feedback algorithm unit 330 to instruct the sampling algorithm and parameter store unit 334 to increase (Step 404) the sampling rate of the sampling logic 302 of the first interface converter modules 210, 212. At the same time, the back-trace algorithm unit 326 of the first interface converter module 210 determines (Step 602) whether or not the suspicious network activity is already being observed by the analyser unit 304 of the first interface converter module 210. If the suspicious network activity is not being observed by the analyser unit 304, the back-trace algorithm unit 326 issues (Steps 604 and 606), via the communications unit 332, a "dead end" message along with an identity of the last path point, to be sent to the central repository. Thereafter, the analyser unit 304 continues monitoring (Step 400) for other suspicious network activity.
[0078] In the event that the back-trace algorithm unit 326 of the first interface converter module 210 determines (Step 602) that the suspicious network activity is already being observed by the analyser unit 304 of the first interface converter module 210, the back-trace algorithm unit 326 of the first interface converter module 204, based upon the policy it implements, determines (Step 608) whether or not to impose rate limitation on traffic traversing the first adjacent router 200. When the first adjacent router 200 is nearest the source of the malicious attack, but the policy implemented by the first adjacent router 200 does not permit rate limitation of traffic, the back-trace algorithm unit 326 records the fact that the upstream peer router is the point closest to the source of the malicious attack and communicates the identity of the first adjacent router 200 to the central repository (Step 614). In any event, the first adjacent router 200 and/or the first interface converter module 210 are capable of performing the rate limitation. Thereafter, the analyser unit 304 continues to monitor the suspicious network activity as well as monitoring (Step 400) for other (new) suspicious network activity.
[0079] If rate limitation is permitted and, optionally, if required and appropriate for the given circumstances, the first interface converter module 210 records the fact that the first adjacent router 200 is the point closest to the source of the malicious attack and communicates the identity of the first adjacent router 200 to the central repository (Step 616); the first interface converter module 210 then rate limits (Step 610) traffic traversing the first adjacent router 200 at the relevant ingress thereof, or simply discards packets relating to the malicious attack. This rate limitation or filtering of traffic continues until the analyser unit 304 no longer observes (Step 612) the suspicious network traffic, whereupon the analyser unit 304 monitors (Step 400) for more suspicious network activity. It is contemplated that rate limitation can be imposed to the extent that traffic from a particular source is blocked or effectively disconnected. Further, rate limiting is most effective if performed at the point closest to the source of the malicious attack, i.e. the source of malicious attack packets, since the sooner they are removed, the fewer resources are wasted carrying the packets through the network, although for particular operational reasons the limiting may be performed at other points in the network as desired.
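The decisions of Figures 5 and 6 as described in paragraphs [0072] to [0079], played out over a small constructed topology, as an added example that is not code from the patent or from Agilent. Each node stands for an enhanced interface converter module; an alert is flooded upstream from the target-nearest detector, and each node that receives one applies Step 602 (is it observing the activity itself?), Step 608 (does policy allow rate limiting?) and reports either a "dead end" with the last path point or a closest-point record to the central repository. The node names, the message tuples and the per-node policy flags are assumptions; the real modules exchange such messages over IP between GBICs.

```python
"""Added example, not code from the patent: simulation of the alert
propagation and back-trace decisions of Figures 5 and 6 over a constructed
router topology. Node names, message formats and policy flags are assumed."""
from collections import deque


class Node:
    """One enhanced interface converter module and the router it sits in."""

    def __init__(self, name, upstream=(), observing=False, may_rate_limit=False, ingress=False):
        self.name = name
        self.upstream = list(upstream)        # adjacent peers further from the target
        self.observing = observing            # analyser (304) currently sees the activity
        self.may_rate_limit = may_rate_limit  # operator policy consulted at Step 608
        self.ingress = ingress                # Step 500: at the edge of the domain / LAN
        self.sampling_boosted = False         # Step 404 applied on alert receipt
        self.rate_limiting = False            # Step 610 in force


def back_trace(nodes, start):
    """Flood alerts upstream from `start` (the target-nearest detector) and
    return the messages the central repository receives, in arrival order:
    ("dead_end", node, last_path_point) or ("closest_point", node, outcome)."""
    repository = []
    queue = deque([(start, None)])            # (node to process, downstream alerter)
    alerted = {start}
    while queue:
        name, from_downstream = queue.popleft()
        node = nodes[name]
        if from_downstream is not None:
            # Figure 6: an alert message has arrived from downstream (Step 600).
            node.sampling_boosted = True                                  # Step 404
            if not node.observing:                                        # Step 602
                repository.append(("dead_end", name, from_downstream))    # Steps 604/606
                continue
            if node.may_rate_limit:                                       # Step 608
                node.rate_limiting = True                                 # Step 610
                repository.append(("closest_point", name, "rate_limited"))   # Step 616
            else:
                repository.append(("closest_point", name, "policy_forbids"))  # Step 614
        # Figure 5: a node that observes the activity alerts its own upstream
        # peers (Steps 502/504) unless it sits at a domain ingress (Step 500).
        if node.observing and not node.ingress:
            for peer in node.upstream:
                if peer not in alerted:
                    alerted.add(peer)
                    queue.append((peer, name))
    return repository


def constructed_topology():
    """Constructed sample: R128 is the target-nearest router; R200/R202 its
    adjacent peers; further routers differ in what they observe and in policy."""
    return {n.name: n for n in [
        Node("R128", upstream=["R200", "R202"], observing=True),
        Node("R200", upstream=["R300", "R301"], observing=True, may_rate_limit=True),
        Node("R202", upstream=["R302"], observing=True, may_rate_limit=False),
        Node("R300", upstream=["R304"], observing=True, may_rate_limit=True, ingress=True),
        Node("R301", observing=False),
        Node("R302", upstream=["R303"], observing=True, may_rate_limit=False),
        Node("R303", observing=False),
        Node("R304", observing=True),
    ]}


if __name__ == "__main__":
    topo = constructed_topology()
    for msg in back_trace(topo, "R128"):
        print(msg)
    print("rate limiting at:", sorted(n for n, node in topo.items() if node.rate_limiting))
```

The repository ends up holding one record per branch of the trace: on the R200 branch the trace reaches R300 at the domain ingress and rate limiting is applied there and at R200; on the R202 branch policy forbids limiting at both R202 and R302, and the alert then runs into a dead end at R303, so R302 is the closest point that can be reported for that branch.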
[0080] If the Internet Service Provider wishes to, and indeed is able to, the ISP can rate limit packets determined to be malicious to a level where the effects of the malicious packets are mitigated, but that still provides the master with the impression that the malicious attack is being successfully executed. Control traffic sent by the master 118 to the slave computers 110, 112, 114, 116 can be identified by re-programming an interface converter module nearest the master 118 to search or filter for specific traffic flowing between the master 118 and the slave computers 110, 112, 114, 116. A network administrator of the domain associated with one of the sources of the malicious attack can therefore monitor inbound traffic to try to determine the identity, i.e. the IP address, of the controlling master 118.
[0081] The above activity, described in relation to the first adjacent router 200, is also carried out by the first interface converter module 212 of the second adjacent router 202. Indeed, all routers 102 in the communications network 100 comprising the enhanced network interface modules described above in relation to Figure 3 are capable of responding to the alert message generated by the alert generation unit 328 in the manner described above. Additionally, each router comprising the enhanced network interface modules is also capable of monitoring network traffic for suspicious network activity. Furthermore, it should be appreciated that whilst the above example only describes a single malicious attack, the above apparatus and method can handle multiple simultaneous detections of suspicious network activity.
[0082] As already described above, the communications unit 332 can be replaced by a control plane connection of a router. This implementation is of use, for example, for another embodiment (Figure 6), where the router, rather than the interface converter modules, provides the processing resource. In such circumstances, access is possible to routing tables of the router and the various facilities of the router, for example access to key configuration information through access to a central processor of the router and/or access to the core of the router to request packets to be sent by the router to the upstream peer routers and the central repository, and to reverse engineer a path of a packet. In such an embodiment, existing inter-process communications mechanisms can be used, for example the Simple Network Management Protocol (SNMP), Common Object Request Broker Architecture (CORBA), Java Remote Method Invocation (RMI) or Remote Procedure Calls (RPC), or any other proprietary protocols used to communicate inside the router.
[0083] The above examples refer to a single ISP. However, in reality, the Internet comprises a number of administrative domains managed by different respective ISPs. Consequently, in another embodiment of the invention two or more ISPs collaborate to trace, in real time, a malicious attack back as close as possible to the source of the malicious attack. Alternatively, access to the central repository can be shared between the two or more ISPs. This arrangement is particularly useful where ISPs do not want to grant direct third-party access to their respective systems or no inter-ISP agreement exists.
[0084] Whilst the above examples have been described in the context of packet communication, it should be appreciated that the term "packet" is intended to be construed as encompassing packets, datagrams, frames, cells, and protocol data units, and so these terms should be understood to be interchangeable.
[0085] Alternative embodiments of the invention can be implemented as a computer program product for use with a computer system, the computer program product being, for example, a series of computer instructions stored on a tangible data recording medium, such as a diskette, CD-ROM, ROM, or fixed disk, or embodied in a computer data signal, the signal being transmitted over a tangible medium or a wireless medium, for example microwave or infrared. The series of computer instructions can constitute all or part of the functionality described above, and can also be stored in any memory device, volatile or non-volatile, such as a semiconductor, magnetic, optical or other memory device.

Claims (17)

  1. A monitoring apparatus for detection of a malicious attack in a communications network, the apparatus comprising: a datagram extractor arranged to procure, when in use, at least one datagram from a stream of datagrams traversing a network element; a datagram analyser arranged to identify, when in use, a characteristic of a malicious attack from the at least one datagram; and an alert generator arranged to generate, when in use, an alert in response to an identification of the characteristic of the malicious attack.
  2. An apparatus as claimed in Claim 1, wherein the datagram extractor is arranged to sample the at least one datagram from the stream of datagrams traversing the network element.
  3. An apparatus as claimed in any one of the preceding claims, wherein the datagram analyser is arranged to analyse the at least one datagram to identify a value in a field of the at least one datagram, the value in the field being indicative of the malicious attack.
  4. An apparatus as claimed in any one of the preceding claims, wherein the datagram analyser is arranged to analyse the at least one datagram to identify a traffic pattern or flow state indicative of the malicious attack.
  5. An apparatus as claimed in any one of the preceding claims, further comprising a data store for recording one or more of the at least one datagram or one or more fragments thereof.
  6. An apparatus as claimed in any one of the preceding claims, further comprising a back-trace initiator arranged to initiate a back trace in response to identification of the characteristic of the malicious attack.
  7. A monitoring apparatus for detection of a malicious attack in a communications network, substantially as hereinbefore described with reference to the accompanying drawings.
  8. A processing resource for a network element, the resource comprising the monitoring apparatus as claimed in any one of the preceding claims.
  9. An interface card for a network element comprising the processing resource as claimed in Claim 8.
  10. A communications system comprising the monitoring apparatus as claimed in any one of Claims 1 to 7.
  11. A system as claimed in Claim 10, further comprising a back-tracer capable of tracing a datagram relating to the malicious attack substantially as far back as possible to a source of the malicious attack.
  12. A system as claimed in Claim 10 or Claim 11, further comprising a suppressor arranged to prevent or reduce the number of datagrams emanating from the source of the malicious attack.
  13. A system as claimed in Claim 11 or Claim 12, further comprising a control monitor for monitoring traffic communicated to the source of the malicious attack from a controlling source.
  14. A system as claimed in any one of Claims 11 to 13, when dependent upon Claim 5, further comprising a central repository for storing the one or more of the at least one datagram or the one or more fragments thereof relating to the malicious attack.
  15. A method of detecting a malicious attack in a communications network, the method comprising the steps of: procuring at least one datagram from a stream of datagrams traversing a network element; identifying a characteristic of a malicious attack from the at least one datagram; and generating an alert in response to an identification of the characteristic of the malicious attack.
  16. A use of an interface card of a network element to detect a malicious attack in a communications network.
  17. A method of detecting a malicious attack in a communications network, substantially as hereinbefore described with reference to the accompanying drawings.
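The extractor, analyser and alert generator of Claims 1 to 6, and the method steps of Claim 15, as an added Python sketch that is not the applicant's code: the extractor procures one datagram in N (Claim 2), the analyser applies a field-value rule and a flow-state rule (a TTL of 0 and a run of bare SYNs from one source, both chosen here only as illustrative stand-ins for "a characteristic of a malicious attack"), and the alert generator raises the alert and records the offending datagram for a later back-trace. Datagram records, addresses and thresholds are constructed.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed datagram record: only the header fields this example's analyser looks at.
@dataclass(frozen=True)
class Datagram:
    src: str
    ttl: int
    tcp_flags: str  # "S" = bare SYN, "A" = ACK (constructed flag notation)

@dataclass
class Monitor:
    sample_every: int = 1    # datagram extractor: procure 1 datagram in N (claim 2)
    syn_threshold: int = 5   # flow-state rule: bare SYNs per source before alerting (constructed)
    alerts: list = field(default_factory=list)
    store: list = field(default_factory=list)  # data store of offending datagrams (claim 5)
    _seen: int = 0
    _syn_counts: Counter = field(default_factory=Counter)

    def extract(self, dg: Datagram) -> bool:
        """Datagram extractor: decides whether this datagram is procured for analysis."""
        self._seen += 1
        return self._seen % self.sample_every == 0

    def analyse(self, dg: Datagram):
        """Datagram analyser: returns the identified attack characteristic, or None."""
        if dg.ttl == 0:  # field-value rule (claim 3): TTL 0 is never valid on the wire
            return "invalid-field:ttl=0"
        if dg.tcp_flags == "S":  # flow-state rule (claim 4): bare SYNs with no ACK following
            self._syn_counts[dg.src] += 1
            if self._syn_counts[dg.src] == self.syn_threshold:
                return f"syn-flood-pattern:{dg.src}"
        elif dg.tcp_flags == "A":
            self._syn_counts.pop(dg.src, None)  # handshake completed: clear the count
        return None

    def process(self, stream) -> list:
        # Runs extractor -> analyser -> alert generator over a datagram stream (claim 15).
        for dg in stream:
            if not self.extract(dg):
                continue
            characteristic = self.analyse(dg)
            if characteristic:
                self.alerts.append((characteristic, dg.src))  # alert generator
                self.store.append(dg)  # kept for a later back-trace (claim 6)
        return self.alerts

def demo() -> list:
    """Constructed stream: a normal handshake, a malformed datagram, then a SYN burst."""
    stream = [Datagram("10.0.0.2", 64, "S"), Datagram("10.0.0.2", 64, "A"), Datagram("10.0.0.9", 0, "S")]
    stream += [Datagram("10.0.0.5", 64, "S") for _ in range(6)]
    return Monitor().process(stream)
```

With sampling enabled (sample_every > 1) the SYN threshold has to be scaled down accordingly, since the analyser only sees the sampled fraction of each source's datagrams.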

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB0421148A GB2418563A (en) 2004-09-23 2004-09-23 Monitoring for malicious attacks in a communications network

Publications (2)

Publication Number Publication Date
GB0421148D0 GB0421148D0 (en) 2004-10-27
GB2418563A true GB2418563A (en) 2006-03-29

Family

ID=33397117

Family Applications (1)

Application Number Title Priority Date Filing Date
GB0421148A Withdrawn GB2418563A (en) 2004-09-23 2004-09-23 Monitoring for malicious attacks in a communications network

Country Status (1)

Country Link
GB (1) GB2418563A (en)

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020101819A1 (en) * 2001-01-31 2002-08-01 Goldstone Jonathan S. Prevention of bandwidth congestion in a denial of service or other internet-based attack
WO2003014932A2 (en) * 2001-08-03 2003-02-20 Networks Associates Technology, Inc. System and method for providing passive screening of transient messages in a distributed computing environment
WO2004070509A2 (en) * 2001-08-14 2004-08-19 Riverhead Networks Inc. Detecting and protecting against worm traffic on a network
US20030074582A1 (en) * 2001-10-12 2003-04-17 Motorola, Inc. Method and apparatus for providing node security in a router of a packet network

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014169677A1 (en) * 2013-04-15 2014-10-23 Tencent Technology (Shenzhen) Company Limited Method and device for extracting message format
US9589136B2 (en) 2013-04-15 2017-03-07 Tencent Technology (Shenzhen) Company Limited Method and device for extracting message format
US20190281081A1 (en) * 2013-11-22 2019-09-12 Huawei Technologies Co., Ltd. Malicious Attack Detection Method and Apparatus
US11637845B2 (en) 2013-11-22 2023-04-25 Huawei Technologies Co., Ltd. Method and apparatus for malicious attack detection in a software defined network (SDN)
EP3117320A4 (en) * 2014-03-11 2017-11-15 Vectra Networks, Inc. Method and system for detecting external control of compromised hosts
US9621577B2 (en) 2015-05-28 2017-04-11 Microsoft Technology Licensing, Llc Mitigation of computer network attacks
US9853998B2 (en) 2015-05-28 2017-12-26 Microsoft Technology Licensing, Llc Mitigation of computer network attacks
US10187422B2 (en) 2015-05-28 2019-01-22 Microsoft Technology Licensing, Llc Mitigation of computer network attacks
EP3314828A4 (en) * 2015-06-26 2018-12-19 McAfee, LLC Systems and methods for routing data using software-defined networks
US11916874B2 (en) 2015-06-26 2024-02-27 Mcafee, Llc Systems and methods for routing data using software-defined networks

Also Published As

Publication number Publication date
GB0421148D0 (en) 2004-10-27

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)