

Title:
METHOD FOR MITIGATING A DOS ATTACK
Document Type and Number:
WIPO Patent Application WO/2007/113115
Kind Code:
A3
Abstract:
A method for mitigating a DoS attack in a network is proposed, whereby - a network element (clA) affected by the attack sends a notice of attack to a second network element (rA), - the second network element transmits an ACL, said ACL containing instructions denying traffic from the source of the DoS to the affected network element, to a further network element (rB, rC), - the instructions of the ACL are implemented at the further network element, - the further network element lies logically closer to the source of the DoS (clB, clC, clD) than the second network element.

Inventors:
RIBEIRO ALEXANDRE (PT)
Application Number:
PCT/EP2007/052722
Publication Date:
November 22, 2007
Filing Date:
March 22, 2007
Assignee:
SIEMENS AG (DE)
RIBEIRO ALEXANDRE (PT)
International Classes:
G06F21/00; H04L29/06
Domestic Patent References:
WO2002071227A12002-09-12
Foreign References:
US20050278779A12005-12-15
US20020032871A12002-03-14
Attorney, Agent or Firm:
SIEMENS AKTIENGESELLSCHAFT (München, DE)
Claims:

What is claimed is:

1. Method for mitigating a DoS attack in a network, whereby

- a network element (clA) affected by the attack sends a notice of attack to a second network element (rA),

- the second network element transmits an ACL, said ACL containing instructions denying traffic from the source of the DoS to the affected network element, to a further network element (rB, rC),

- the instructions of the ACL are implemented at the further network element,

- the further network element lies logically closer to the source of the DoS (clB, clC, clD) than the second network element.

2. Method according to claim 1, whereby the further network element (rB, rC) is a network element closest to the source (clB, clC, clD) of the DoS attack.

3. Method according to one of the claims 1 or 2, whereby the second network element (rA) comprises a router.

4. Method according to one of the preceding claims, whereby the further network element (rB, rC) comprises a router.

5. Method according to one of the preceding claims, whereby the further network element (rB, rC) comprises a network interface.

6. Method according to claim 5, whereby the network interface is a port.

7. Method according to one of the preceding claims, whereby the second network element (rA) is linked to a network management system.

8. Method according to claim 7, whereby the network management system constructs the ACL based on the content of the notice of attack and on further details regarding the source of the attack (clB, clC, clD) to which the network management system has access.

9. Method according to one of the claims 1 to 7, whereby the notice of attack itself comprises an ACL with instructions denying traffic from the source of the DoS (clB, clC, clD) to the affected network element (clA).

10. Method according to one of the preceding claims, whereby the second network element (rA) is a router that transmits the ACL to the further network element using a routing protocol.

11. Method according to one of the preceding claims, whereby the second network element (rA) belongs to the same ISP as the affected network element (clA).

12. Method according to one of the preceding claims, whereby

- the second network element (rA) divides the ACL into a plurality of divisional ACLs,

- the divisional ACLs each contain instructions relevant for only one further network element,

- at least one divisional ACL is sent to the further network element to which the instructions of the divisional ACL pertain.

13. Network, comprising:

- a network element (clA, rA) with means for constructing and transmitting an ACL,

- a further network element (rB, rC, rD, rE) comprising means for implementing the instructions of the ACL, wherein

- the network elements further comprise means for communicating the ACLs to each other based on a routing protocol.

14. Network according to claim 13, wherein the means for implementing the instructions of the ACL include hardware specifically designed to process an ACL.

15. Network according to one of the claims 13 or 14, wherein the network elements (rA, rB, rC, rD, rE) are routers.

16. Network according to one of the claims 13 to 15, wherein the network element (clA, rA) with means for constructing and transmitting an ACL belongs to a network management system.

17. Network according to one of the claims 13 to 15, wherein the network element (clA, rA) with means for constructing and transmitting an ACL belongs to a network client.

18. Network according to one of the claims 13 to 17, wherein the means for constructing and transmitting an ACL further comprise means for detecting a DoS attack.

Description:

Specification

Method for Mitigating a DoS Attack

A method for mitigating a DoS (Denial of Service) attack along with a network suitable for carrying out the method is described.

A DoS attack is done with the intent of breaking down a network or a server by flooding it with useless traffic. A DoS attack can be launched from a large number of compromised workstations in a synchronized fashion, so that every single workstation sends useless traffic to the same target. When the target is flooded with this traffic, it usually cannot handle it because the link connecting it to the internet becomes overloaded. This means that legitimate requests have a much higher chance of being dropped, since the server or link is fully overloaded.

One objective to be achieved lies in providing a method for mitigating DoS attacks. Another objective to be achieved lies in providing a network suited to mitigating DoS attacks.

A method for mitigating a DoS attack in a network is presented, whereby

- a network element affected by the attack sends a notice of attack to a second network element,

- the second network element transmits an ACL, said ACL containing instructions denying traffic from the source of the DoS to the affected network element, to a further network element,

- the instructions of the ACL are implemented at the further network element,

- the further network element lies logically closer to the source of the DoS than the second network element.

The ACL (Access Control List) is an example of a preferably used filter that provides instructions to a network element to deny traffic from a source with a certain destination. Other filters readable by network elements containing instructions to permit or deny transmittal of network traffic may however also be used.

The notice of attack preferably contains at least the identity of the affected network element. The identity may comprise an IP address.

According to a preferred variation of the method, the further network element is a network element nearest to the source of the DoS attack. This nearest network element may be a part of the ISP's network to which the affected network element belongs or it may be a network element belonging to another network.

With this method, it becomes possible for an ISP (Internet Service Provider) to place merely basic hardware on its client's network elements that, for example, automatically inform their NMSs or neighbouring network elements of the attacks taking place. DoS attack detection equipment installed on a client's premises will be less expensive compared to hardware placed on the ISP's internet backbone since the hardware on the client side need analyse only a fraction of the traffic that passes through the ISP's internet backbone.

In the case that the further network element nearest to the source of the DoS attack belongs to a network different from that to which the affected network element belongs, the second network element communicates with the nearest relevant network element, i.e. a network element which is closer to the source of the attack. The relevant nearest network element is located via the routing tables of the second network element. The implementation of the instructions can be carried out at any network element, provided the network element supports the proprietary protocol that will be needed.

The method is facilitated by the second network element and/or the further network element comprising a router. Routers have the advantage that they are more likely to comprise hardware useful for processing the ACL messages.

Routers also have the advantage that they are set up to know the position of routers belonging at least to the ISP domain to which they belong.

The further network element may also comprise a network interface such as a port.

According to one realisation of the method, the second network element is linked to an NMS (Network Management System). This has the advantage that the NMS can retrieve the notice of attack from the affected network element and can construct an ACL, which it then transmits through the second network element. As the NMS will have a comprehensive overview of network topology, it can apply the ACLs to routers along the shortest path down to at least the border or border network element of the ISP domain to which it belongs.

The NMS can construct the ACL based on the content of the notice of attack from the affected network element together with further details regarding the source of the attack to which the NMS has access.

According to another possible realisation of the method, the notice of attack itself may comprise an ACL with instructions to deny traffic from the source of the DoS to the affected network element. In this case, the ACL may be transmitted from the affected network element directly to a router, the router being the second network element, for example. The second network element then passes on the ACL to the further network element. The handling of the ACLs by the router is preferably facilitated by a protocol that enables recognition of ACL data packet transmissions. In particular, the protocol may be a negotiation and routing protocol.

The ACL thus originating directly from an affected network element preferably contains information relating to the source and destination of the DoS attack network traffic, so that individual clients of an ISP using an affected network element are given the possibility of enabling their individual filters on the ISP's network to which they belong. With this method, calling in the work of an NMS can be avoided, thereby saving resources and accelerating the method for mitigating the DoS attack.

In a preferred realisation of the method, the second network element divides the ACL into a plurality of ACLs each with a different further network element as their respective destination. Thus, the network elements arranged in the path leading from the source of a DoS attack to the affected network element will receive instructions to deny traffic only from that particular source. Network elements arranged in another path leading to the affected network element, such as one stemming from a different DoS source, will receive another ACL divided out of the original. The division is made dependent on the instructions contained in the ACL. It is noted that for every network element affected by a DoS attack, there may be a large plurality of sources for the DoS attack.

Along with the method for mitigating a DoS attack in a network, a network is proposed, comprising:

- a network element with means for constructing and transmitting an ACL,

- a further network element comprising means for implementing the instructions of the ACL, wherein

- the network elements further comprise means for communicating the ACLs to each other based on the mechanisms used by a routing protocol.

One mechanism used by a routing protocol would for example be an LSA, a Link-State Advertisement providing a description of a router's local routing topology that the router distributes to other routers.

Here, the network element with means for constructing and transmitting an ACL can be considered to be the affected network element and/or the second network element named as such for the method.

In particular, the means for implementing the instructions of the ACL include hardware specifically designed to process an ACL.

With the following examples and drawing, the described methods and network are further elaborated upon, whereby:

Drawing 1 shows a network suitable for carrying out a method for mitigating a DoS attack.

Drawing 1 shows a network comprising a plurality of routers rA to rE belonging to an ISP ISPa and clients connected to the said routers, either directly or indirectly. Client clA is a client of ISPa and is linked to a nearest router rA, whereas client clB is linked only indirectly to router rB and clients clC and clD are both linked only indirectly to router rC. The indirect links are via networks N1 and N2.

The clients clB to clD may, for example, be clients of another ISP or members of a plurality of ISPs.

Each client clA to clD can be considered to comprise a network element such as a server.

Denying traffic from a DoS attack source, such as from clients clB, clC and clD, may begin with an NMS of the ISP ISPa being informed of a DoS attack underway on a server of its client clA. The affected client clA can inform the NMS of ISPa of the attack by means of a third party tool or application to communicate with ISPa's NMS. Such a third party tool may take the form of a DoS detection system or a system detecting data flow anomalies.

Since the detection of the DoS attack lies within the responsibility of the ISP's client, the filters or ACLs built by the ISP's NMS upon receiving information about a DoS attack are related to the IP addresses of its clients raising the alarm, in this case client clA, and not to other IP addresses.

The NMS then downloads the DoS attack details from the source that was providing them, in this case client clA. The download is preferably achieved by a third party tool or by an operator.

For example, the DoS attack details from the client clA could state that traffic from the IP addresses of the sources clB to clC was causing the attack on a port X of its server. Although Drawing 1 only shows sources clB, clC and clD, it is possible that thousands of different IP addresses could be sources for the DoS attack.

Upon downloading the information from the client clA relating to the sources of the DoS attack, client clA's provider's NMS builds an ACL that permits all the internet traffic with the exception of the traffic coming from the sources of the DoS attack to pass through to the client clA.

Next, the NMS applies the newly constructed ACL to the port that is closest to the traffic of the DoS attack. Referring again to drawing 1, the closest ports to the origin of the DoS attacks would be the ports of routers rB and rC. Although network elements on the side of the networks N1 and N2 would be closer, a routing table may only contain information relating to a next logical network element, such as a so-called "hop", meaning that the full path from one network element to another may not always be defined. Thus, the communication of the ACL is preferably done hop by hop.

Where an ISP runs an IGP (Interior Gateway Protocol), for example IS-IS (Intermediate System to Intermediate System) or OSPF (Open Shortest Path First), inside its autonomous system, the application of the newly constructed ACL to the said ports is easily accomplished. IS-IS is an IGP used within an administrative domain or network, also known as an Autonomous System (AS), and generally not for routing between networks or administrative domains, a job which could be undertaken instead by an EGP (Exterior Gateway Protocol). Specifically, IS-IS is used by network elements such as routers to determine the best way to forward datagrams or packets through a packet-based network in a routing process. When running an IGP, every router rA to rE inside the ISP's autonomous system is aware of every other router, as well as how to reach a given IP address. With this information, an NMS can easily download the network topology from only one of its routers rA to rE and calculate the network elements, preferably ports, to which the ACLs should be applied. The NMS thus spreads the filters (ACLs) across the various routers. The order in which this is done is preferably set by the arrangement of network elements that are on the shortest path to the sources of the DoS attack.
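The topology-driven placement described above (the NMS downloading the topology from one router, then choosing the ports closest to the attack sources and the shortest path along which to push the ACL) is illustrated by the following added example. It is not code from the application or from Siemens; the link layout between rA and rE, the link costs, the prefixes behind N1 and N2 and the port names are all assumed, since Drawing 1 is not reproduced here.

```python
import heapq
import ipaddress

# Constructed ISP topology: the description names routers rA to rE but does not
# give their links, so these links and unit costs are assumed for the example.
LINKS = [
    ("rA", "rD", 1), ("rD", "rB", 1),
    ("rA", "rE", 1), ("rE", "rC", 1),
    ("rD", "rE", 1),
]

# Where the external networks N1 and N2 attach to the ISP's border routers:
# prefix -> (border router, port). Prefixes and port names are placeholders.
ATTACHMENTS = {
    "203.0.113.0/24": ("rB", "port-N1"),   # N1, behind which clB sits
    "192.0.2.0/24": ("rC", "port-N2"),     # N2, behind which clC and clD sit
}


def build_graph(links):
    """Undirected adjacency map router -> {neighbour: cost}."""
    graph = {}
    for a, b, cost in links:
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def shortest_path(graph, start, goal):
    """Dijkstra over link costs; returns the router sequence start..goal,
    or None when the goal is unreachable."""
    dist = {start: 0}
    prev = {}
    heap = [(0, start)]
    while heap:
        d, node = heapq.heappop(heap)
        if node == goal:
            break
        if d > dist.get(node, float("inf")):
            continue  # stale heap entry
        for nxt, cost in graph.get(node, {}).items():
            nd = d + cost
            if nd < dist.get(nxt, float("inf")):
                dist[nxt] = nd
                prev[nxt] = node
                heapq.heappush(heap, (nd, nxt))
    if goal not in dist:
        return None
    path = [goal]
    while path[-1] != start:
        path.append(prev[path[-1]])
    return path[::-1]


def attachment_for(address, attachments):
    """Find the border router and port behind which a source address lies."""
    addr = ipaddress.ip_address(address)
    for prefix, where in attachments.items():
        if addr in ipaddress.ip_network(prefix):
            return where
    return None


def plan_acl_placement(sources, attachments, graph, ingress="rA"):
    """For each attacking source, pick the border port nearest to it and the
    shortest path from the victim-side router (rA) to that border router.
    The path order is the order in which the NMS pushes the ACL hop by hop."""
    plan = {}
    for src in sources:
        where = attachment_for(src, attachments)
        if where is None:
            continue  # origin not behind any known border port: nothing to place
        entry = plan.setdefault(
            where, {"sources": [], "path": shortest_path(graph, ingress, where[0])}
        )
        entry["sources"].append(src)
    return plan


if __name__ == "__main__":
    graph = build_graph(LINKS)
    attack_sources = ["203.0.113.5", "203.0.113.77", "192.0.2.200"]
    for (router, port), entry in plan_acl_placement(attack_sources, ATTACHMENTS, graph).items():
        print(f"apply ACL for {entry['sources']} on {router} {port}, pushed via {entry['path']}")
```

Sources that match no attachment are skipped rather than guessed at, since the description only applies an ACL to a port whose position the routing information actually establishes.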

Since the link connecting an ISP to one of its clients might be overloaded due to a DoS attack, an outband link to the router can be used to inform the ISP's NMS of the attack. An outband link, also known as an out-of-band link, is a link that does not use the bandwidth of the primary link. It may be a fibre employed merely for this purpose or it may be a connection via a dial-up modem in such a manner that the router has a port which has a modem attached to it, for example.

The method is easily implemented since the links connecting an ISP to the Internet are often capable of carrying a much larger bandwidth than the links connecting its clients to the ISP's network. Since the links of the ISP to the Internet have a much higher bandwidth, it's likely that a DoS attack that affects an ISP's client with a link of lower bandwidth would not affect the ISP itself.

Furthermore, with this method, an ISP can offer its clients cheaper DoS attack detection tools and equipment that inform their NMSs that an attack is taking place.

Apart from having the NMS analyse the network and spread ACL filters across various routers towards the origins of DoS attacks, a method for transmitting the ACLs between the various network elements without the help of an NMS is proposed. In particular, a protocol enabling transmittal of ACLs between different network elements, in particular routers, is proposed.

Referring again to Drawing 1, router rA of ISPa is informed by a router of one of its clients clA that it wished to propagate an ACL regarding the client's autonomous system networks, due, for example, to the detection of a DoS attack, whereby it is noted that ISP clients usually have their own autonomous system created by the ISP, which divides a larger network into several smaller networks in a process called subnetworking. Since the content of the ACL would be the responsibility of the ISP's client, the ACL being propagated can be related to the IP address(es) of the client clA and not to other IP addresses. In this case the ACL(s) being propagated could contain instructions to block traffic that is directed towards the IP address(es) corresponding to client clA.

After this, router rA propagates the ACL to all the routers that are in the path of any of the IP addresses mentioned in the ACL.

It is also possible for the router rA to subdivide the ACL, so that only the relevant instructions of the ACL are transmitted to the appropriate routers and implemented there. For example, when a router detects that it is directly connected to one of the networks mentioned in the ACL, it applies the ACL to the corresponding port receiving the traffic from that network.

The protocol enabling subdivision of the ACLs could function according to the following manner: referring to Drawing 1, an ACL contains instructions denying traffic coming from clients clB and clC. According to the routing table known to the router rA, the next hop for clB could be an IP address IPb and for clC the next hop could be an IP address IPc, whereby a hop is considered to be the next network element directly connected, in this case, to rA. Thus, the router rA can subsequently divide the ACL into two ACLs, and send the instructions for clB only to the IPb network element, and the instructions for clC only to the IPc network element.
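The two steps just described, building the ACL from the client's attack details (deny each reported source towards the attacked server and port, permit everything else) and then dividing it at rA according to the next hop in its routing table, are shown together in the following added example. It is not code from the application or from Siemens: the attack notice, the addresses and rA's routing table are constructed documentation-range values, and IPb and IPc are used as opaque next-hop labels rather than real addresses.

```python
import ipaddress
from collections import defaultdict

# Constructed attack notice in the shape of the DoS details an affected client
# (clA in Drawing 1) might report: victim address, attacked port, source addresses.
# All addresses are documentation-range placeholders, not real hosts.
ATTACK_NOTICE = {
    "victim": "198.51.100.10",
    "port": 80,
    "sources": ["203.0.113.5", "203.0.113.77", "192.0.2.200"],
}

# Constructed routing table of router rA: destination prefix -> next hop.
# "IPb" and "IPc" stand for the next-hop addresses named in the description.
RA_ROUTING_TABLE = {
    "203.0.113.0/24": "IPb",
    "192.0.2.0/24": "IPc",
    "0.0.0.0/0": "IPc",   # default route
}


def build_acl(notice):
    """Build the ACL from the notice: one deny entry per attacking source
    towards the victim port, then a permit-all so legitimate traffic still
    passes. Rules are (action, source, destination, port) tuples."""
    rules = [("deny", src, notice["victim"], notice["port"]) for src in notice["sources"]]
    rules.append(("permit", "any", "any", None))
    return rules


def next_hop(table, address):
    """Longest-prefix-match lookup of the next hop for one address."""
    addr = ipaddress.ip_address(address)
    best_net, best_hop = None, None
    for prefix, hop in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def divide_acl(acl, table):
    """Split the ACL into divisional ACLs keyed by next hop, so that each
    downstream element only receives the deny entries for the sources it
    routes. Each divisional ACL keeps the trailing permit-all."""
    divided = defaultdict(list)
    for rule in acl:
        action, src, _dst, _port = rule
        if action != "deny":
            continue  # the permit-all is re-added to every divisional ACL below
        hop = next_hop(table, src)
        if hop is None:
            continue  # no route towards this source: nothing to push further
        divided[hop].append(rule)
    for hop in divided:
        divided[hop].append(("permit", "any", "any", None))
    return dict(divided)


def render(acl):
    """Render an ACL as plain text lines (illustrative, not a vendor syntax)."""
    lines = []
    for action, src, dst, port in acl:
        target = dst if port is None else f"{dst} port {port}"
        lines.append(f"{action} {src} -> {target}")
    return lines


if __name__ == "__main__":
    acl = build_acl(ATTACK_NOTICE)
    for hop, part in divide_acl(acl, RA_ROUTING_TABLE).items():
        print(f"divisional ACL for next hop {hop}:")
        for line in render(part):
            print("  " + line)
```

Keying the division on the longest-prefix match is what makes the split follow rA's actual forwarding decision: a source that falls under a more specific prefix goes to that prefix's next hop, and the default route only catches sources rA knows nothing more specific about.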

A protocol based on the above method has the effect of pushing the ACL rules closer to the source of a DoS attack, in an automated fashion, so that DoS attacks can be quickly resolved and network resources optimised due to the traffic being dropped before it is routed throughout the network.

The method making use of network elements such as routers spreading the ACL(s) is extendable to the whole internet. For example, when a workstation begins a DoS attack, the attack would sooner or later be blocked at the very same port the workstation is connected to. Although it may not be the same physical port of the workstation, it may very likely lie within the same L3 network.

It is proposed also to clear the ACL rules as soon as they are no longer needed, that is, as soon as a detected DoS attack has ceased. In the case where an NMS is used to spread the ACLs, the clearing of the ACL rules can be done manually by analysing traffic reaching the ISP's router's ports.

The clearing process can however be automated in the router protocol version of the method. If, for example, for a given amount of time no traffic pertaining to a rule in an ACL is applied to a network element, that rule is disabled at that network element and the modified ACL is propagated backwards, to the router from where it came. This inverse process takes place until the initial router has been reached.
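The automated clearing described above (a rule that has matched no traffic for a given time is disabled where it sits, and the modified ACL is handed back along the chain it arrived on until the initial router is reached) is modelled in the following added example. It is not code from the application or from Siemens; the idle period, the two-router chain rA to rB and the packet timeline are all constructed for the illustration.

```python
from dataclasses import dataclass

# Assumed idle period: a rule that dropped nothing for this long is disabled.
IDLE_TIMEOUT = 60.0


@dataclass
class Rule:
    src: str
    dst: str
    last_hit: float       # time at which this rule last dropped a packet
    active: bool = True


class Router:
    """Minimal model of a router holding ACL rules. 'came_from' names the
    upstream router the ACL was received from; it is None for the initial
    router that originated the ACL."""

    def __init__(self, name, came_from=None):
        self.name = name
        self.came_from = came_from
        self.rules = {}

    def install(self, src, dst, now):
        self.rules[(src, dst)] = Rule(src, dst, last_hit=now)

    def handle_packet(self, src, dst, now):
        """Return True if an active rule drops the packet (and refresh its timer)."""
        rule = self.rules.get((src, dst))
        if rule is None or not rule.active:
            return False
        rule.last_hit = now
        return True

    def expire_idle(self, now, idle=IDLE_TIMEOUT):
        """Disable rules that have dropped nothing for 'idle' seconds; return their keys."""
        withdrawn = []
        for key, rule in self.rules.items():
            if rule.active and now - rule.last_hit >= idle:
                rule.active = False
                withdrawn.append(key)
        return withdrawn


def propagate_withdrawal(routers, start, withdrawn):
    """Carry the modified ACL backwards along the came_from chain, disabling
    the withdrawn rules at each router until the initial router (came_from
    is None) is reached. Returns the router names visited, in order."""
    visited = []
    name = start
    while name is not None:
        router = routers[name]
        for key in withdrawn:
            if key in router.rules:
                router.rules[key].active = False
        visited.append(name)
        name = router.came_from
    return visited


def run_scenario():
    """Constructed timeline: rA originates a rule and pushes it to rB (closer
    to the source). rB drops flood packets every 10 s up to t=100, after which
    the flood stops; at t=160 the rule has been idle for IDLE_TIMEOUT."""
    victim, source = "198.51.100.10", "203.0.113.5"
    rA = Router("rA")
    rB = Router("rB", came_from="rA")
    routers = {"rA": rA, "rB": rB}
    for router in (rA, rB):
        router.install(source, victim, now=0.0)
    dropped = sum(rB.handle_packet(source, victim, float(t)) for t in range(0, 101, 10))
    early = rB.expire_idle(now=120.0)      # only 20 s idle: nothing withdrawn
    withdrawn = rB.expire_idle(now=160.0)  # 60 s idle: rule disabled at rB
    visited = propagate_withdrawal(routers, "rB", withdrawn)
    return {
        "dropped": dropped,
        "early": early,
        "withdrawn": withdrawn,
        "visited": visited,
        "rA_active": rA.rules[(source, victim)].active,
        "rB_drops_now": rB.handle_packet(source, victim, 161.0),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The idle timer is refreshed only by packets the rule actually drops, so a rule is withdrawn because the attack traffic has stopped arriving at that element, not merely because time has passed; and because the element is the one closest to the source, an upstream router on the same path cannot still be seeing that traffic when the withdrawal reaches it.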

List of Abbreviations:

N1 first network
N2 second network
clA client under DoS attack
clB first source of a DoS attack
clC second source of a DoS attack
clD third source of a DoS attack
rA first router of an ISP ISPa, closest to clA
rB second router of ISPa
rC third router of ISPa
rD fourth router of ISPa
rE fifth router of ISPa