Building Dams Against DoS Flooding

Captus enhances CaptIO to protect high-speed networks; Mazu's devices detect attacks at ISP level.

In the aftermath of the distributed denial-of-service attacks against several high-profile sites last year, dozens of vendors rushed into the vacuum that was the anti-DDoS software market and proclaimed they were working on products that will protect customers against these attacks.

Now, more than a year later, some of these vendors are finally preparing to launch their products and are giving security administrators hope that there may be a way to stop DoS events after all.

Two enterprises—Captus Networks Corp. and Mazu Networks Inc.—are taking different approaches to the problem of traffic floods and are preparing to launch their respective products in the coming weeks.

Captus this week at the NetWorld+Interop show in Las Vegas will roll out a series of enhancements to its CaptIO line of security devices that will enable the machines to protect against DoS attacks on high-speed networks. The CaptIO-G now comes with either 2G-bps or 3G-bps Ethernet ports to complement its firewall and intrusion detection system capabilities.

The CaptIO devices take a four-step approach to preventing DoS floods. It starts with each customer establishing policies for the volume of traffic it wants to allow into its network. If the device senses traffic exceeding that volume, it throttles the volume back to the predetermined level.

If the traffic is legitimate, the servers sending the information will see that acknowledgements are coming at a slower rate and will adjust output accordingly.

However, if the traffic is coming from spoofed IP addresses, as is usually the case in DoS attacks, the servers sending the traffic won't be waiting for acknowledgements and will fail to adjust their traffic. Consequently, the CaptIO device will deny any incoming packet from those addresses.

All of this takes less than a second, officials said.
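The throttle-then-deny heuristic described above, as an added simulation that is not Captus code: each sender is a constructed model with a packets-per-second rate, "responsive" senders (real TCP stacks) shrink to the acknowledgement rate they receive, and "unresponsive" senders (spoofed sources that never see the ACKs) keep sending, so only they fail the back-off check. The policy volume, the back-off ratio and the number of rounds are assumed parameters.

```python
from dataclasses import dataclass


@dataclass
class Sender:
    src: str
    pps: int            # packets per second this source currently sends
    responsive: bool    # True: adjusts to the ACK rate like a real TCP stack


def throttle(senders, max_pps):
    """Admit at most max_pps packets/second in total, shared proportionally
    across sources. Returns the per-source admitted (and thus ACKed) rate."""
    total = sum(s.pps for s in senders)
    if total <= max_pps:
        return {s.src: s.pps for s in senders}        # under policy: no throttling
    return {s.src: s.pps * max_pps // total for s in senders}


def react(senders, acked):
    """One round trip: a responsive sender sees slower ACKs and backs off;
    a spoofed source never receives them and keeps its rate."""
    for s in senders:
        if s.responsive:
            s.pps = acked[s.src]


def detect_unresponsive(senders, max_pps, backoff_ratio=0.9, rounds=3):
    """Throttle for a few rounds; any source still sending above
    backoff_ratio of its original rate is treated as spoofed and denied."""
    original = {s.src: s.pps for s in senders}
    for _ in range(rounds):
        acked = throttle(senders, max_pps)
        if all(acked[s.src] == s.pps for s in senders):
            return set()                              # never exceeded policy
        react(senders, acked)
    return {s.src for s in senders if s.pps > original[s.src] * backoff_ratio}


def demo():
    # Constructed sample: two well-behaved clients and one spoofed flood
    # against an assumed policy of 1000 packets/second.
    senders = [
        Sender("10.0.0.1", 600, responsive=True),
        Sender("10.0.0.2", 400, responsive=True),
        Sender("203.0.113.9", 2000, responsive=False),
    ]
    return detect_unresponsive(senders, max_pps=1000)


if __name__ == "__main__":
    print("denied:", demo())
```

A legitimate sender that does not react to ACKs, such as a UDP stream, would fail the same check, so a deployment of this heuristic needs an allow list or a protocol-aware policy to limit false positives.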

Mazu, meanwhile, is preparing its own defense against DoS attacks. The company's devices are placed at ISPs (Internet service providers) and communicate directly with one another to supply administrators with a broad picture of network traffic.

The data is delivered via a GUI that breaks down traffic by protocol. Users can see the IP address of every machine on the network and inspect each packet's raw content, said Dimitri Stratton Vlachos, a software engineer at Mazu, in Cambridge, Mass.

Once an attack is detected, the as-yet-unnamed software can trace the packets to each IP address and filter it accordingly.

Mazu's gear is currently in beta and should be available this summer.

"We needed to get something that would give us some control over what happens beyond the edge of our network. We needed an eye out on the Internet, and that's what Mazu has given us," said Leia Amidon, principal security technologist at Logictier Inc., in San Mateo, Calif., a Web hosting and infrastructure provider that is hosting the 2002 Winter Olympics site. "We get a lot of information about what's happening out there, and that enables us to know what's legitimate traffic and what's not. We don't want to deny services to legitimate users for the sake of stopping an attack."