Riverhead out to dam off IP floods
Products could enable ISPs to offer distributed denial-of-service attack prevention services.
MENLO PARK, CALIF. -- Start-up Riverhead Networks this week will announce plans to join the fight against distributed denial-of-service attacks with an offering the company says will let ISPs better defend corporate Web servers from IP floods.
Founded by a group of academics from Tel Aviv University, Riverhead's mission is to recognize and act on potential attacks as far upstream from the target as possible. This differs from both more passive ISP-based monitoring approaches and corporate network-based offerings.
The company's Detector appliances connect to ISPs' edge routers or switches and monitor traffic through techniques such as mirroring it. When a Detector recognizes an incoming attack - perhaps because a Web page is being requested hundreds of times per second - the device alerts Riverhead's Guard gear sitting in ISP data centers. Traffic is diverted to the Guard box, which filters out the attack traffic while allowing legitimate traffic back into the Internet path.
"It's not 100% perfect," in that some good traffic might be throttled back, says Boaz Elgar, the company's director of product management. But it would stop the "bad traffic," he says.
Company officials say the equipment, which also can work with existing intrusion-detection products, filters out more than a dozen known IP attacks, including bandwidth saturation flood, Trinoo attack and DNS attack. It can handle from a few hundred megabits to 1G bit/sec of traffic depending upon configuration, the company says.
Riverhead, which has international headquarters in Tel Aviv and U.S. headquarters in Silicon Valley, is backed by a number of investors, including Cisco, which is also known to be an investor in Arbor Networks, another vendor of anti-DDoS products. Other start-ups in the field include Asta and Mazu Networks.
Arbor made news last week when it said its products have been selected by Canada's Telus in the first publicly announced anti-DDoS product rollout by a service provider (see related story, page 29). Currently, most ISPs handle DoS-related attacks in a relatively manual fashion, taking hours to determine the problem or waiting until an attack subsides.
While Riverhead did not have a big customer to tout last week, a few ISPs are testing its technology.
"We're using a single device in production to protect our Web site," says Eddie Rabinovitch, vice president of global network infrastructure at Cervalis, a managed services firm in upstate New York. "We plan to use it for our customers."
If a distributed DoS attack hits a customer's Web site today, the typical reaction is to simply "shut down the customer," Rabinovitch says. But a distributed DoS prevention service - which might cost between a few hundred dollars and a thousand dollars per month - could head off crippling attacks, he says.
Israeli ISP netVision also is said to be using the Riverhead gear.
RELATED LINKS
Contact Senior Editor Ellen Messmer
Riverhead: www.riverhead.com

