Startup Preps Weapon for DDOS Attacks

While DDOS attacks have become more prevalent and more varied, users' defenses have changed little-shut off the flow of traffic, call your service provider and ask for filters, then hold your breath and hope it works.

While DDOS attacks have become more prevalent and more varied, users defenses have changed little—shut off the flow of traffic, call your service provider and ask for filters, then hold your breath and hope it works.

But a new breed of tool is being prepared to help enterprises thwart attacks by stepping away from simple packet analysis and taking a behavior-based approach to stopping insidious distributed denial-of-service assaults.

Startup security vendor Reactive Network Solutions Inc. next week will launch its FloodGuard software tool, which the company said will take much of the burden for DDOS defense off network administrators and security specialists.

The tool was designed to stop so-called Syn flood attacks and other DDOS techniques in which the IP addresses of the attacking machines are spoofed and routers, Domain Name System machines and other sensitive network gear are assaulted.

FloodGuard comes at a time when DDOS attacks, especially those targeting network infrastructures, are on the rise, experts say.

"The bottom line is there are a lot of interesting attacks that havent been widely used yet, but knowledge of them will not stay private forever," said David Dittrich, senior security engineer at the University of Washington in Seattle and an expert on DDOS attacks. "If enough compromised systems are involved or the attack traffic is of a particular type, routers can be affected, even though they are not the direct target."

FloodGuard comprises two components: detectors and actuators. The detectors sit downstream of the network bottleneck, viewing an attack as it happens. Once the software identifies an incoming DDOS attack, the detectors send a message to the actuators, which in turn communicate with the network routers and switches and instruct them to install filters to choke off the attack traffic.

The software can install the filters automatically or send an alert to the administrator warning of the incoming attack and suggesting a remedy.

And, unlike other anti-DDOS solutions, FloodGuard does not rely on a database of known attack signatures. Because packets sent during DDOS attacks can be encrypted or given a junk payload that throws off signature-based detection, Reactives software looks for unusual traffic patterns and packet behavior in relation to their protocols to identify attacks.

FloodGuard is not an inline device; instead, it uses network taps to read the traffic. It then communicates with the routers and switches on the network management interface, which is typically reserved for maintenance and other management tasks.

As damaging and frustrating as DDOS attacks can be, some administrators still see them as a minor threat in comparison with other problems.

"If I were a network administrator for a major Web site or search engine, probably I would see DDOS as a big threat," said Gary Moore, assistant dean for IS at Hofstra University School of Law, in Hempstead, N.Y.

But numerous Internet service providers report that up to 15 percent of their network activity at any given time is attack traffic, said Reactive officials in Redwood City, Calif. And those service providers are often unprepared to deal with the attacks, making it more difficult to analyze the assault.

"Victims and their upstream providers are often not prepared to gather packet traffic and analyze to tell what the actual targets are," Dittrich said. "Sometimes, they dont have Clue 1 what is hitting them. They just know that the network doesnt work."

FloodGuard, which will be available at the end of the month, will ship pre-installed on a Linux-based server. It will be announced officially at this months NetWorld+Interop show in Atlanta.

Reactive is not alone in taking the behavior-based approach to halting DDOS attacks. Okena Inc., of Waltham, Mass., at N+I will introduce Version 2.0 of its StormWatch product, which also eschews the signature-dependent method of attack detection in favor of its built-in Rules Engine, which allows administrators to create their own rules for the servers behavior. StormWatch, which was designed as a next-generation intrusion detection system, isolates attacks and stops the aberrant behavior as soon as it is detected.