By Ellen Messmer
Network World, 09/24/01
Combating distributed denial-of-service attacks is one of the most difficult network security problems. So start-ups that claim to have DDoS attacks licked tend to be greeted with skepticism.
Within the last three months, four companies - Arbor Networks, Asta Networks, Captus Networks and Mazu Networks - have started shipping equipment to fight DDoS attacks. The companies claim to be able to identify such attacks and help users take steps to stop them.
Hackers launch DDoS attacks by installing "zombie" code on numerous compromised servers, using readily available freeware tools. The code lets the hackers use those servers to launch a blitzkrieg of packets at the victim's site. That's what the teenage Canadian hacker Mafiaboy did a year and a half ago when he single-handedly unleashed DDoS attacks on Yahoo, Schwab, Amazon.com, eTrade, CNN.com and other Web sites during a week-long spree.
To date, combating such attacks has required network engineers at ISPs and Web server farms to spend hours manually analyzing traffic logs, trying to filter out the "bad" attack traffic from the "good," legitimate customer traffic. The four start-ups claim their equipment can automate this chore and provide a timely response to thwart attacks.
Are we saved at last?
Not yet. Even if the equipment from the start-ups works as advertised, none of the gear is as yet deployed in ISP networks or Web hosting centers where it would help their customers. And there's only scant evidence, most of it anecdotal, that any of the products work as advertised.
"I'm skeptical," says Marcus Ranum, NFR Security's CTO, and the security guru who invented the first commercial firewall and some of the earliest intrusion-detection equipment a decade ago. Besides, he says, "detecting DDoS isn't hard - your Web site is down!"
The trick is sensing a DDoS attack early enough and automating the response so you have a chance of surviving it. None of the four vendors has yet proven its equipment can do this, although they are making "ridiculous claims" based on their own lab tests, Ranum says.
Gartner security analyst John Pescatore agrees it will take real-world trial by fire for the start-ups' equipment to gain credibility.
Making anti-DDoS work
The Arbor, Asta and Mazu equipment is somewhat similar in design. Each vendor's appliance is directly attached to or sits in front of a router or switch. The devices are intended to be positioned at various high-traffic points in the network, including ISP network access points and in front of high-volume Web servers. The appliances monitor and analyze traffic and can recognize packets that are part of an incoming DDoS attack, the vendors say. They can also suggest ways the ISP's routers can filter out the packets.
Questions to ask anti-DDoS vendors:
- Does the equipment seek to counter distributed denial-of-service attacks or just plain old DoS attacks?
- Can it differentiate good network traffic from bad?
- How automated is the response to the DDoS attack?
The Captus gear likewise finds and filters out DDoS traffic, but it doubles as a high-bandwidth firewall. As such, it sits toward the Internet's perimeter, typically at Web hosting sites and large user locations.
The Mazu equipment, called TrafficMaster Inspector for DDoS, is under test at Equinix, the Mountain View, Calif., firm that manages six network access points for peer-to-peer Internet connections by ISPs, telecom companies and large corporations.
Equinix has a parallel network that carries duplicated traffic for experimental purposes, such as testing anti-DDoS equipment with customers. These customers include AT&T, WorldCom, Level 3, Qwest, Williams and Akamai, in addition to hosting companies IBM and SiteSmith. Yahoo and Schwab - enterprises large enough to maintain their own peering point at Equinix - are also involved in the anti-DDoS tests.
"[TrafficMaster] can recognize a DDoS attack," says Jay Adelson, Equinix founder and CTO. He is not yet convinced that the Asta equipment, which he has also been testing, can do this.
Just identifying DDoS attacks doesn't sound too difficult, but it's critical to be able to differentiate a DDoS attack from a traffic surge caused by something such as "putting the Monica Lewinsky papers online," Adelson says.
What Mazu has accomplished "represents a breakthrough" on the problem, Adelson asserts. "After years of research, it's like a white paper on DDoS turning into real life."
However, Equinix hasn't completed the required tests to find out whether the Mazu gear can reliably recommend a response to a DDoS attack.
Anti-DDoS equipment is under test on at least two other networks, with results similar to those at Equinix: encouraging but inconclusive. Asta's Vantage System is at work on Internet2, the university-backed research network managed at Indiana University. Merit Network in Ann Arbor, Mich., is testing Arbor's Peakflow DoS equipment.
Peakflow can't always differentiate a DDoS attack from the occasional megabyte file transfers that the scientific community may indulge in, says Jeff Ogden, Merit's associate director for high-performance networking. But the Arbor gear has made a big difference for Merit's network engineers by quickly detailing the source of traffic surges and suggesting filtering processes.
"These procedures help alert the engineers to what's going on," Ogden says, whereas previously they were much more in the dark.
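The differentiation problem Adelson and Ogden describe (an attack versus a flash crowd versus a few large file transfers) can be made concrete with a toy classifier over flow records. This is an added illustration, not code from the article or any vendor's method; the features, thresholds, flow-record layout and suggested operator actions are all assumptions, and the flow records are constructed.

```python
# One flow record = (src_ip, dst_ip, dst_port, packets, bytes, half_open)
# half_open=True means the TCP handshake never completed (SYN seen, no data).
def summarize(flows, dst_ip, window_s):
    """Per-destination features over one observation window of window_s seconds."""
    sel = [f for f in flows if f[1] == dst_ip]
    pkts = sum(f[3] for f in sel)
    byts = sum(f[4] for f in sel)
    srcs = {f[0] for f in sel}
    return {
        "pps": pkts / window_s,
        "sources": len(srcs),
        "avg_pkt_bytes": byts / pkts if pkts else 0,
        "half_open_ratio": sum(1 for f in sel if f[5]) / len(sel) if sel else 0,
        "bytes_per_source": byts / len(srcs) if srcs else 0,
    }

def classify(feat, baseline_pps, surge_factor=5.0):
    """Return (label, suggested operator action). Thresholds are illustrative assumptions."""
    if feat["pps"] < surge_factor * baseline_pps:
        return "normal", "none"
    # Many sources, tiny packets, handshakes never completing: looks like a SYN flood.
    if feat["sources"] >= 50 and feat["half_open_ratio"] > 0.7 and feat["avg_pkt_bytes"] < 100:
        return "ddos_syn_flood", "rate-limit TCP SYN toward destination at upstream router; confirm before a hard ACL"
    # A handful of sources each moving tens of megabytes: a bulk transfer, not an attack.
    if feat["sources"] <= 3 and feat["bytes_per_source"] > 10_000_000:
        return "bulk_transfer", "none (few sources, large files)"
    # Many sources completing real exchanges with normal packet sizes: a flash crowd.
    if feat["sources"] >= 50 and feat["half_open_ratio"] < 0.2:
        return "flash_crowd", "none (legitimate surge; add capacity or caching)"
    return "surge_unclassified", "escalate for manual review"

def analyze(flows, window_s, baseline_pps):
    """Classify every destination seen in the window; returns {dst_ip: label}."""
    dsts = sorted({f[1] for f in flows})
    return {d: classify(summarize(flows, d, window_s), baseline_pps)[0] for d in dsts}

def build_samples():
    """Constructed flow records (not captured traffic) covering one 60-second window."""
    flood = [(f"10.0.{i // 256}.{i % 256}", "192.0.2.10", 80, 40, 40 * 60, True) for i in range(300)]
    crowd = [(f"10.1.{i // 256}.{i % 256}", "192.0.2.20", 80, 40, 40 * 600, False) for i in range(300)]
    bulk = [("10.2.0.1", "192.0.2.30", 22, 200_000, 200_000 * 1400, False),
            ("10.2.0.2", "192.0.2.30", 22, 150_000, 150_000 * 1400, False)]
    return flood + crowd + bulk

if __name__ == "__main__":
    for dst, label in analyze(build_samples(), window_s=60, baseline_pps=20).items():
        print(dst, label)
```

The same flash-crowd records spread over a ten-minute window fall below the surge threshold and classify as normal, which is the baseline comparison the appliances' operators have to get right before any filter is suggested.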