Alliance Takes on DDoS

Written By
Dennis Fisher
Aug 20, 2001

Recent threats such as the Code Red and Leave worms are proof that virus writers and hackers are pooling resources to produce hybrid weapons that can cause tremendous damage.

Now, a group of security companies is following suit, hoping that by combining their efforts, they’ll be better able to combat the new, sophisticated attacks.

McAfee, a division of Network Associates Inc., this week will announce a research and development partnership with three anti-DDoS (distributed-denial-of-service) vendors—Arbor Networks Inc., Asta Networks Inc. and Mazu Networks Inc.—with the goal of developing innovative technologies and techniques to detect and prevent DDoS attacks.

The alliance, a first among the normally isolationist security vendors, will involve the member companies exchanging research—as well as researchers—in an effort that officials said is just the beginning of a far-reaching initiative.

The long-term goal of the partnership is to develop and deploy a solution that will enable Internet service providers and data centers to identify when their networks are under a DDoS attack and also to discover and eliminate the “zombies” that attackers use to launch their assaults.

“Our research shows that there are tens of thousands of machines out there infected with Trojans,” said Vincent Gullatto, senior researcher at McAfee, in Santa Clara, Calif. “We anticipate this problem will only get worse, especially since people seem to be resistant to updating their systems for some reason.”

In the meantime, McAfee will announce this week that it has added to its Active Virus Defense product the capability to scan for and eliminate zombies. Anti-virus software typically scans SMTP traffic for e-mail-borne viruses. McAfee’s product will now monitor incoming and outgoing HTTP traffic for signs of a DDoS attack.

Arbor, Asta and Mazu were formed in the wake of last year’s spate of DDoS attacks against several high-profile Web sites. Their products work by scanning incoming network traffic and searching for signs of packet floods.

The prospect of products combining anti-virus and anti-DDoS technology holds broad appeal for enterprise network administrators.

“That’s something we would definitely be interested in. We could sure use it,” said Joseph Dalessio, network manager at Major League Soccer LLC, in New York. “We’ve taken a proactive approach, so we haven’t had too many negative experiences, but you never know what’s out there. You have to be very conservative and paranoid.”

For the anti-DDoS vendors, the partnership with McAfee is a golden opportunity to show that their nascent solutions can detect and shut down these attacks before they cripple corporate networks.

“Their zombie detection technology is a great fit with our products, and we’ll be able to send alerts to their product that a system is sending or receiving an attack so that they can point their scans to that part of the network,” said Ted Julian, chief strategy officer and co-founder of Arbor, in Waltham, Mass.

And the researchers said they’re already making some headway in their work. “We’re making some progress against the Code Red-type worms,” said Steve Purpura, senior program manager at Asta, in Seattle. “This will help us understand how hackers are indexing these vulnerabilities and how to stop them.”

Also on the horizon at McAfee is a technology, code-named Stinger, designed to identify programs such as Code Red through the use of advanced scanning and filtering.

For example, Stinger will be able to filter Internet Server API calls and perform memory scanning. Users will also be able to configure TCP/IP ports manually and receive alerts about anomalous network activity.

Stinger should begin making its way into McAfee products in March and will continue to be integrated into the product line throughout the first half of next year.
