Top Layer Filters Traffic

By Cameron Sturdevant  |  Posted 2002-04-08

Top Layer Networks Inc.'s Attack Mitigator Version 1.0 provides strong protection against denial-of-service and distributed-denial-of-service attacks aimed at Web servers, other network infrastructure devices and desktop systems.

The Attack Mitigator is best suited for large organizations that need an extra layer of protection for their networks. It shouldn't be thought of as a firewall replacement. In addition, it doesn't defend as well when a network has more than one path to the Internet, because it can't share packet-state information with a second Attack Mitigator appliance.

Acting like a burly bouncer at the door of an exclusive nightclub, the Attack Mitigator made short work of the miscreant traffic eWeek Labs dished out from a combination of test tools, including TFN (Tribe Flood Network), Nmap and Nessus, while letting legitimate traffic pass. It also offers a range of protective services that helped our firewall and inside infrastructure run smoothly. The Attack Mitigator, which started shipping last month, does a remarkably good job of letting "good" traffic through while dumping "bad" traffic off the network. Its traffic filters also monitor outgoing traffic, which means the product can keep the protected enterprise from being used as a launch point for attacks on others.

The Attack Mitigator aptly handled a range of denial-of-service attacks during our tests, effectively protecting the test network from flooding attacks (Smurf, Fraggle), attacks on IP stack implementation flaws (Land, UDP bomb), fragmentation attacks, address spoofing, and HTTP worms such as Nimda and Code Red.

This first version of the Attack Mitigator is a 1.5U (approximately 2.6-inch), rack-mountable Layer 2 switch with dual fans and dual power supplies. Our test unit, priced at $12,995, had two Gigabit Ethernet interfaces for higher throughput. The Attack Mitigator also comes in a 12-port, 10/100M-bps configuration priced at $8,995. That configuration should provide adequate protection for all except the busiest and highest-profile networks.

The Attack Mitigator can be administered via a browser on a management network or by using Top Layer's $995 SecureWatch software. Although the cost of the product is comparable to that of firewall products, it should be used in addition to them, not as a replacement.

The Attack Mitigator's ability to sort the wheat from the chaff differentiates it from firewalls and operating system patches that try to soften SYN floods by throttling all incoming connection attempts, good and bad alike.

While indiscriminate throttling is one way to defend a network from SYN floods and the myriad related resource-starvation attacks, it usually means extremely slow performance for legitimate users.

The Attack Mitigator provides this combination of protection and performance through custom ASICs and its placement in the network: it sits at the edge of the enterprise network just after the router and in front of the firewall and other devices such as Web and mail servers.

IT managers should be aware that the Attack Mitigator does not have hot-swappable power supplies and can be a single point of failure in the network because it must be used in-line to be effective.

In addition, the Attack Mitigator doesn't work in tandem with a second unit, so it can't provide protection for networks with more than one path to the Internet.

Layer 2 Speeds

The Attack Mitigator forwards packets only at Layer 2. Even under the heaviest attack loads we generated using attack tools supplied by Top Layer and TFN (which is available on the Web), the product discarded traffic quickly enough that the performance of legitimate traffic was barely affected. Using Microsoft Corp.'s free Web Application Stress Tool, we continued to see about 457 page requests per second served, even during attacks.

In contrast, without the Attack Mitigator, our unsecured Web server was knocked out in less than a minute under the same barrage.

The Attack Mitigator examines each packet's HTTP Uniform Resource Identifier strings, packet sequence signatures and, of course, source and destination data. For a SYN flood, the Attack Mitigator tracks the state of each SYN, because every half-open connection forces the target system to hold resources in its backlog queue until the handshake completes with the client's final acknowledgement; Smurf, Land and Boink packets, by contrast, are recognized from their header patterns rather than from connection state.

Using the Attack Mitigator settings, we could watch a source move from "trusted," where its packets are forwarded to the destination, to "suspicious," where too many connections from the same address have been left open and the connection requests are proxied by the Attack Mitigator. If a source IP address attempted to open more than 50 connections and those connections were still waiting to be completed, the address was moved to the "suspicious" category. The Attack Mitigator also tracks the overall number of unfinished connections and starts to proxy all new connections until the flood subsides.

Packets were deemed to be "malicious" if the number of incomplete connections rose above 75. In our tests, the Attack Mitigator discarded these packets for 5 minutes.
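The three-tier behavior described above, and the resource-starvation problem behind SYN floods discussed earlier, can be made concrete with a small simulation. The following is an added example written for this page; it is not Top Layer's code and does not document the appliance's actual algorithm. The per-source thresholds of 50 and 75 half-open connections and the five-minute discard are the values reported in the review; the global proxy threshold of 200, the event model, the addresses and the traffic mix are constructed assumptions.

```python
"""Simulation of trusted / suspicious / malicious source classification
for a SYN-proxying appliance. Added example, not Top Layer's code.

Thresholds 50, 75 and 300 s come from the review; GLOBAL_PROXY_HALF_OPEN
and all sample traffic below are constructed assumptions."""
from collections import defaultdict

SUSPICIOUS_HALF_OPEN = 50      # per source: above this, SYNs are proxied (from the review)
MALICIOUS_HALF_OPEN = 75       # per source: above this, SYNs are discarded (from the review)
DISCARD_SECONDS = 300          # how long a malicious source stays blocked (from the review)
GLOBAL_PROXY_HALF_OPEN = 200   # assumed: proxy everyone once the total backlog is this large


class SynFloodMitigator:
    """Tracks half-open TCP handshakes per source and decides, per SYN,
    whether to forward it, proxy it (answer the SYN-ACK itself so the
    server holds no state) or discard it."""

    def __init__(self, global_threshold=GLOBAL_PROXY_HALF_OPEN):
        self.half_open = defaultdict(int)   # source IP -> unfinished handshakes
        self.blocked_until = {}             # source IP -> time the discard window ends
        self.global_threshold = global_threshold

    def total_half_open(self):
        return sum(self.half_open.values())

    def classify(self, src, now):
        until = self.blocked_until.get(src)
        if until is not None:
            if now < until:
                return "malicious"
            del self.blocked_until[src]     # five-minute window expired; start over
        if self.half_open[src] > MALICIOUS_HALF_OPEN:
            return "malicious"
        if (self.half_open[src] > SUSPICIOUS_HALF_OPEN
                or self.total_half_open() > self.global_threshold):
            return "suspicious"
        return "trusted"

    def on_syn(self, src, now):
        """A SYN arrived from src at time now. Returns 'forward', 'proxy' or 'discard'."""
        self.half_open[src] += 1
        state = self.classify(src, now)
        if state == "malicious":
            if src not in self.blocked_until:
                self.blocked_until[src] = now + DISCARD_SECONDS
            self.half_open[src] = 0         # nothing is held for a source being dropped
            return "discard"
        return "proxy" if state == "suspicious" else "forward"

    def on_ack(self, src):
        """The client's final ACK arrived: one handshake is no longer half-open."""
        if self.half_open[src] > 0:
            self.half_open[src] -= 1


def run_scenario():
    """Constructed traffic: one flooding source that never completes a
    handshake, interleaved with one legitimate client that always does."""
    m = SynFloodMitigator()
    attacker, client = "203.0.113.7", "198.51.100.20"   # constructed, documentation ranges
    actions, t = [], 0.0
    for _ in range(80):
        actions.append(m.on_syn(attacker, t))
        client_action = m.on_syn(client, t)
        m.on_ack(client)                    # client finishes its handshake, stays trusted
        assert client_action == "forward"
        t += 0.01
    during_block = m.on_syn(attacker, t + 100)               # inside the five-minute window
    after_block = m.on_syn(attacker, t + DISCARD_SECONDS)    # window expired, trusted again
    return {"actions": actions, "during_block": during_block, "after_block": after_block}


def run_distributed_scenario():
    """Constructed distributed flood: 60 sources, 4 unfinished handshakes each.
    No single source crosses the per-source threshold, but the total backlog
    does, so every new connection (the legitimate client's included) is proxied."""
    m = SynFloodMitigator()
    actions = [m.on_syn(f"203.0.113.{i}", 0.0) for i in range(60) for _ in range(4)]
    client_action = m.on_syn("198.51.100.20", 1.0)
    return {"forwarded": actions.count("forward"),
            "proxied": actions.count("proxy"),
            "client_action": client_action}


if __name__ == "__main__":
    r = run_scenario()
    print("single source:", {a: r["actions"].count(a) for a in ("forward", "proxy", "discard")},
          "during block:", r["during_block"], "after block:", r["after_block"])
    print("distributed:", run_distributed_scenario())
```

Two points the simulation makes visible. First, proxying is what preserves legitimate performance: once a source is "suspicious," the appliance completes the handshake on the server's behalf and the half-open state lives on the appliance, so a flood no longer fills the server's backlog queue. Second, in a distributed flood no single address may ever cross the per-source threshold, which is why the global backlog check matters; in that state legitimate clients are proxied too, which costs them a little latency but not their connection.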

We captured the discarded packets from a specially designated management port, which is a very useful way for IT managers to gather forensic data on attacks.

All the configuration parameters were simple to change, perhaps a little too simple. IT managers should be sure to run the Attack Mitigator in monitor mode for at least a week before selectively turning on mitigation filters: with just a couple of data entry errors, we were able to stop nearly all traffic on our test network.

Senior Analyst Cameron Sturdevant can be contacted at cameron_sturdevant@
