Get a Positive ID on DDoS Attackers, Part 1

Before Code Red, there was Distributed Denial of Service (DDoS). While

DDoS attacks have not been the attack du jour as of late, they are

still a strong threat to any network, providing the ability to cripple

even the highest-bandwidth providers. DDoS attacks are so threatening

because they are difficult to identify.

Once identified, it is just as difficult to defend against them.

Traffic filters are the best solution, but they must be manually

implemented and they often also block legitimate network traffic. The

distributed nature of the attack makes prevention virtually impossible

because you never know where the next attack will come from.

Mazu Networks Inc.'s TrafficMaster Inspector helps solve some of these

problems by providing a way to identify DDoS attacks in real-time on

large, high-speed networks.

While Inspector identifies DDoS attacks, it does not provide any

assistance in filtering the identified attacks. (Mazu Networks'

Enforcer gateway, due later this summer, will provide this capability.)

Inspector resides upstream at the core of the network infrastructure

and passively observes all traffic entering or leaving the network. It

can reside anywhere on the network, but works best near the first-level

routers, where it can directly monitor traffic to and from the Internet.

Inspector connects to the data path via a passive optical or copper

splitter, which introduces no latency into the network and performs

detailed analysis in real-time. Other DDoS solutions (from companies

such as Asta Networks and Arbor Networks) receive a sample of network

traffic from routers for analysis. Inspector sits directly on the

network connection and monitors all traffic, independent of the network

routers for packet information. One reason Mazu's solution is so

expensive (US$100,000) is that the company had to develop a product

that truly supported gigabit traffic levels.

Off to a good start

Overall, Mazu has a great start in developing a fast, efficient DDoS

solution. Its approach to separate monitoring and defense mechanisms

does not make Inspector an optimal solution on its own. If we have a

tool that helps identify a DDoS attack, we'd also like that tool to at

least recommend how to best defend against the current attack. We would

probably wait until the Enforcer component becomes available (Mazu says

Sept. 1) to provide a complete defense mechanism.


Inspector examines packets on different metrics defined by the

administrator and statistically determines whether an attack is

occurring. These metrics can include, but are not limited to, packet

size, source address, time to live (TTL) and payload.

For example, while attackers may spoof the source address on a packet,

they cannot make changes to other aspects of the packet, such as

payload. Inspector makes it difficult for an attacker to launch a surge

of network traffic without introducing an anomaly that it is able to

detect. This includes unusual variations or lack of variation in

payload, port numbers, TTL and other metrics.

Inspector has two main components: the probe and the cluster head.

Probes are individual sensors that can be distributed throughout a

network to capture and analyze traffic. (They support up to eight

Gigabit Ethernet links.) The cluster head is the master probe, or

central reporting device. All probes report to the cluster head, which

combines the data for a more thorough analysis and "big picture" of the


Within an Inspector probe, three main components are at work: user-

level Mazu module, Mazu Kernel module and Mazu device driver. The user-

level module is the brains of the product. It performs the packet

analysis looking for anomalies that could be DDoS attacks. The Kernel

module is optimized for rapid packet classification and routing to keep

any latency introduced by its presence to an absolute minimum. The

device driver optimizes packet processing, enabling Inspector to

quickly and efficiently capture packets off the network.

Initially, Inspector baselines typical network activity (which takes

about 30 minutes), documenting what is "normal" for the particular

environment. It learns and adapts over time to the unique patterns of

the network and is better able to separate legitimate increases in

traffic from spoofed traffic with malicious intent.

To help avoid false positives, Inspector includes user-defined

thresholds on up to eight aspects of the network traffic, including

protocol levels and traffic flow, to trigger alerts at the first signs

of possible DDoS attacks.

During testing, we launched a variety of DDoS attacks, and Inspector

successfully identified each. We also created a sudden increase in

legitimate network traffic to see if the Inspector could differentiate

between legitimate and attack traffic, which it did. The attack

information and characterization displayed in the Web-based reporting

were accurate and informative. Based on our lab testing, Inspector is

effective at analyzing network traffic and determining when DDoS

attacks are occurring.

ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon