Before Code Red, there was Distributed Denial of Service (DDoS). While
DDoS attacks have not been the attack du jour as of late, they are
still a strong threat to any network, providing the ability to cripple
even the highest-bandwidth providers. DDoS attacks are so threatening
because they are difficult to identify.
Once identified, it is just as difficult to defend against them.
Traffic filters are the best solution, but they must be manually
implemented and they often also block legitimate network traffic. The
distributed nature of the attack makes prevention virtually impossible
because you never know where the next attack will come from.
Mazu Networks Inc.'s TrafficMaster Inspector helps solve some of these
problems by providing a way to identify DDoS attacks in real-time on
large, high-speed networks.
While Inspector identifies DDoS attacks, it does not provide any
assistance in filtering the identified attacks. (Mazu Networks'
Enforcer gateway, due later this summer, will provide this capability.)
Inspector resides upstream at the core of the network infrastructure
and passively observes all traffic entering or leaving the network. It
can reside anywhere on the network, but works best near the first-level
routers, where it can directly monitor traffic to and from the Internet.
Inspector connects to the data path via a passive optical or copper
splitter, which introduces no latency into the network and performs
detailed analysis in real-time. Other DDoS solutions (from companies
such as Asta Networks and Arbor Networks) receive a sample of network
traffic from routers for analysis. Inspector sits directly on the
network connection and monitors all traffic, independent of the network
routers for packet information. One reason Mazu's solution is so
expensive (US$100,000) is that the company had to develop a product
that truly supported gigabit traffic levels.
Off to a good start
Overall, Mazu has a great start in developing a fast, efficient DDoS
solution. Its approach to separate monitoring and defense mechanisms
does not make Inspector an optimal solution on its own. If we have a
tool that helps identify a DDoS attack, we'd also like that tool to at
least recommend how to best defend against the current attack. We would
probably wait until the Enforcer component becomes available (Mazu says
Sept. 1) to provide a complete defense mechanism.
Inspector examines packets on different metrics defined by the
administrator and statistically determines whether an attack is
occurring. These metrics can include, but are not limited to, packet
size, source address, time to live (TTL) and payload.
For example, while attackers may spoof the source address on a packet,
they cannot make changes to other aspects of the packet, such as
payload. Inspector makes it difficult for an attacker to launch a surge
of network traffic without introducing an anomaly that it is able to
detect. This includes unusual variations or lack of variation in
payload, port numbers, TTL and other metrics.
Inspector has two main components: the probe and the cluster head.
Probes are individual sensors that can be distributed throughout a
network to capture and analyze traffic. (They support up to eight
Gigabit Ethernet links.) The cluster head is the master probe, or
central reporting device. All probes report to the cluster head, which
combines the data for a more thorough analysis and "big picture" of the
Within an Inspector probe, three main components are at work: user-
level Mazu module, Mazu Kernel module and Mazu device driver. The user-
level module is the brains of the product. It performs the packet
analysis looking for anomalies that could be DDoS attacks. The Kernel
module is optimized for rapid packet classification and routing to keep
any latency introduced by its presence to an absolute minimum. The
device driver optimizes packet processing, enabling Inspector to
quickly and efficiently capture packets off the network.
Initially, Inspector baselines typical network activity (which takes
about 30 minutes), documenting what is "normal" for the particular
environment. It learns and adapts over time to the unique patterns of
the network and is better able to separate legitimate increases in
traffic from spoofed traffic with malicious intent.
To help avoid false positives, Inspector includes user-defined
thresholds on up to eight aspects of the network traffic, including
protocol levels and traffic flow, to trigger alerts at the first signs
of possible DDoS attacks.
During testing, we launched a variety of DDoS attacks, and Inspector
successfully identified each. We also created a sudden increase in
legitimate network traffic to see if the Inspector could differentiate
between legitimate and attack traffic, which it did. The attack
information and characterization displayed in the Web-based reporting
were accurate and informative. Based on our lab testing, Inspector is
effective at analyzing network traffic and determining when DDoS
attacks are occurring.