Mob Stoppers

New tools aim to thwart denial-of-service attacks

One the most aggravating internet security threats today is a distributed denial-of-service attack — a flood of bogus network traffic that can effectively shut down a Web site. Far from going away, the phenomenon is evolving in different permutations, but new tools are emerging to help Internet administrators fight this vexing problem.

DDOS attacks are the Internet equivalent of someone placing thousands of crank phone calls per second to your switchboard. Whatever the juvenile psychology that lies behind them, DDOS attacks have succeeded in felling the biggest sites on the Web, including those of Microsoft, Yahoo! and, more recently, the Computer Emergency Response Team Coordination Center at Carnegie Mellon University.

The conventional wisdom among security experts has been that such attacks are, at best, a chronic nuisance — and at worst, impossible to prevent completely, since they are unpredictable and are often difficult to distinguish from legitimate traffic. DDOS attacks use distributed "zombies" — computers that have been planted with an unauthorized piece of packet-generating code — to fire billions of packets at a site simultaneously, chewing up its available bandwidth and overwhelming its servers.

"Its not possible to prevent them," says Stefan Savage, chief scientist at Asta Networks, which sells a system of network devices for detecting denial-of-service attacks. "There are a whole set of industry guidelines for security that everyone should adhere to, but ultimately, people are going to take over machines and theyre going to launch these attacks."

But Asta and each of the vendors in the growing anti-DDOS category say that their products or services can stop DDOS attacks before they cause significant outages. Other companies in this space include Mazu Networks, which last month launched its TrafficMaster system to quickly identify and reduce the impact of such attacks, and Arbor Networks, which offers a service to detect attacks and filter out DDOS traffic.

Captus Networks has developed a family of networking devices, called CaptIO, that the company claims can detect and stop a DDOS attack in less than a second. The CaptIO system, which Captus says adds just 20 milliseconds of latency to network traffic and can handle gigabit-per-second throughput, automatically detects DDOS attacks in progress and is able to enforce on-the-fly policies to throttle back specific traffic flows. In addition, the Captus system can detect outbound traffic generated by zombies in a companys network that are being used as part of a DDOS attack against another site.

Because most DDOS attacks last no longer than 20 minutes, a dynamic, automated defense is the only way to successfully defend against them, says Richard Helgeson, Captus president and CEO. "Youre never going to have enough people to look at all the traffic and eliminate the false positives generated by intrusion detection systems," Helgeson says.

Can these new technologies really solve the problem? One recent victim of a DDOS attack is skeptical.

"Theres a lot of snake oil out there now," says Steve Gibson, an independent software developer whose Gibson Research Corp. site,, was on the receiving end of several DDOS attacks in May. "There are a lot of companies saying: We have these products that can stop denial-of-service attacks. But they cant. There isnt a solution."

But even though such DDOS attacks are not fully preventable, their effects can definitely be mitigated, says Bob Lonadier, director of security strategies at Hurwitz Group. "Were seeing a movement away from stopping the attacks, to incorporating them under the umbrella of overall threat management," Lonadier says. "You have to treat a denial-of-service attack as a threat, like viruses or any other threats to your security."

Now, however, a different problem with DDOS is emerging: the expense of the massive amounts of bandwidth consumed by such attacks. In fact, says Mazu CEO Phil London, a new kind of DDOS attack is designed not to cripple a Web site, but to fly under the radar in order to degrade its performance. "These attacks do have significant economic impact," London says. "Without an ability to detect and mitigate those, you overprovision your network and buy more bandwidth. Unfortunately, its easy to get into an arms race like that with a hacker."

Some Web hosting providers already take DDOS attacks into consideration. For example, Rackspace Managed Hosting has a policy of waiving charges for additional bandwidth used by a denial-of-service attack, says Richard Yoo, chief technology officer at Rackspace.

The larger issue surrounding DDOS attacks, Lonadier says, is that neither service providers nor their customers have taken ownership of the problem. "Right now," he says, "theres just massive finger-pointing."