Neal Weinberg
Contributing writer, Foundry

Attack Mitigator

Mar 23, 2004 | 3 mins
Intrusion Detection Software, Network Security

* The Reviewmeister test drives rate-based IPS products

Intrusion prevention is a hot product area these days, so the Reviewmeister test drove a couple of rate-based IPS products. Rate-based means the product blocks traffic when the amount of traffic exceeds predetermined rates.

More specifically, we looked at these questions:

* How does the product let you define what traffic to control and set the limits?

* How can you define policy on the IPS regarding what it should do when limits are exceeded? How well does it execute that policy?

* What does it offer in terms of tuning and discovery tools?

* What does it offer by way of management wares?

* Is content-based IPS or basic firewalling included?

Attack Mitigator IPS from Top Layer quickly moved to the top of the heap because of its comprehensive tools for managing multiple kinds of distributed denial-of-service attacks.

Rate-based IPS devices must provide detailed control of traffic flow. Tuning the IPS means telling it which traffic to look at and what the limits are on that traffic. We discovered wide variations in product capabilities and in how much you must know about your network to use them.

Attack Mitigator lets you define what applications and servers you want to protect, usually by identifying a combination of source and destination IP addresses, along with source and destination port and protocol. In most cases, either the source or destination address will be a wildcard (indicating “the Internet”). For example, you might limit queries to your DNS server to 1,000 per second. Simple rules covering bandwidth and connection limiting (often called SYN flood protection) are something you can do in any rate-based IPS.

In terms of providing sophisticated rate controls, Attack Mitigator IPS maintains knowledge of connection state for traffic flowing through it. While other products can detect floods of traffic or connection requests, Attack Mitigator can tell whether connections are being built up slowly on a protected server. That intrusion technique, common in denial-of-service attacks, could slip by the other products.

Other products offer the ability to block or limit traffic, but Top Layer adds a third option: connection proxying. This lets the Attack Mitigator protect systems before they are overwhelmed. In addition to limiting the number of connections, you can set thresholds for incomplete TCP connections that indicate suspicious behavior. Once these limits are surpassed, new connections will be proxied by the Attack Mitigator. If the connection completes, then Attack Mitigator passes the connection to the actual server. If things get worse, Attack Mitigator will start blocking all connections from malicious attackers.
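To make the rule and policy model concrete, here is an added example (not Top Layer's code, and not derived from the Attack Mitigator firmware) that simulates the behaviour the last three paragraphs describe: a protection rule keyed on destination address, port and protocol with a source wildcard; a per-second rate limit such as the 1,000-queries-per-second DNS case; connection-state tracking of incomplete TCP handshakes so that a slow build-up is caught even when the rate limit never fires; and the three-tier response of pass, proxy and block. The `Rule`, `Event` and `RateBasedIPS` names, the thresholds, and the sample addresses are all constructed for the illustration.

```python
# Added example (not Top Layer's code): a toy rate-based IPS policy engine
# that applies per-server rate limits, tracks half-open TCP connections,
# and escalates from pass -> proxy -> block as the review describes.
from collections import defaultdict, deque
from dataclasses import dataclass

PASS, DROP, PROXY, BLOCK = "pass", "drop", "proxy", "block"


@dataclass(frozen=True)
class Rule:
    dst_ip: str          # protected server; the source side is a wildcard
    dst_port: int
    proto: str           # "tcp" or "udp"
    rate_limit: int      # max new requests per second to this server
    proxy_at: int        # outstanding half-open TCP connections before proxying
    block_at: int        # outstanding half-open connections before blocking sources


@dataclass(frozen=True)
class Event:
    t: float             # seconds since start of capture (constructed values)
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    kind: str            # "syn" / "ack" for tcp, "query" for udp


class RateBasedIPS:
    def __init__(self, rules):
        self.rules = {(r.dst_ip, r.dst_port, r.proto): r for r in rules}
        self.window = defaultdict(deque)    # rule key -> request timestamps in last 1 s
        self.half_open = defaultdict(dict)  # rule key -> {(src, sport): SYN time}
        self.blocked = set()                # source IPs currently blocked

    def handle(self, ev):
        key = (ev.dst, ev.dport, ev.proto)
        rule = self.rules.get(key)
        if rule is None:
            return PASS                     # traffic to an unprotected service
        if ev.src in self.blocked:
            return BLOCK
        if ev.kind == "ack":
            # Handshake completed: the connection is no longer half-open and,
            # if it was being proxied, is handed to the real server.
            self.half_open[key].pop((ev.src, ev.sport), None)
            return PASS
        # Sliding one-second window implements the bandwidth/connection rate limit.
        w = self.window[key]
        while w and w[0] <= ev.t - 1.0:
            w.popleft()
        if len(w) >= rule.rate_limit:
            return DROP
        w.append(ev.t)
        if ev.proto != "tcp":
            return PASS
        # Connection-state tracking: count incomplete handshakes regardless of
        # how slowly they arrive, which a pure rate counter would miss.
        ho = self.half_open[key]
        ho[(ev.src, ev.sport)] = ev.t
        n = len(ho)
        if n > rule.block_at:
            self.blocked.add(ev.src)
            # Discard this source's outstanding half-open entries so that
            # legitimate clients are not penalised for them afterwards.
            for k in [k for k in ho if k[0] == ev.src]:
                del ho[k]
            return BLOCK
        if n > rule.proxy_at:
            return PROXY
        return PASS


def run(events, ips):
    """Apply the policy to a sequence of events and return one verdict each."""
    return [ips.handle(e) for e in events]


if __name__ == "__main__":
    ips = RateBasedIPS([Rule("192.0.2.10", 80, "tcp", 100, 3, 6)])
    # Constructed slow SYN flood: one SYN every 10 s from one source, never ACKed.
    flood = [Event(10.0 * i, "198.51.100.7", 40000 + i, "192.0.2.10", 80, "tcp", "syn")
             for i in range(8)]
    print(run(flood, ips))
```

The sliding window never trips on one SYN every ten seconds, yet the half-open count climbs past the proxy threshold and then the block threshold, which is the slow build-up case the review says state-unaware products can miss. The DNS limit from the text behaves as a plain rate counter: the 1,001st query inside one second is dropped.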

When it came to management, Top Layer, with its device-based Web configuration tool, was modest in its presentation. Top Layer let us configure a single IPS quickly and without confusion. The downside is that Top Layer’s management tool is an element-based configuration utility and as such won’t scale if you wanted to manage multiple devices. The vendor’s optional SecureWatch tool aggregates and displays statistics from multiple devices, but that’s as far as it goes.

With a clear focus on the problem of denial-of-service and distributed DoS attacks, Top Layer brings together all the tools needed to protect against the widest variety of intentional and unintentional problems.

For the full report, go to