Start-ups vie to defeat DoS attacks

Nobody's claiming it's easy to prevent and stop denial-of-service attacks, but three security start-ups are vying to prove that they can minimize the threat.

If they succeed in developing monitoring gear to fend off denial-of-service attacks, businesses on the Web will benefit because ISPs today have little or no equipment that can automatically detect the serious denial-of-service IP floods that are slowing down or -- as Microsoft recently experienced -- completely paralyzing e-commerce operations. The start-ups -- Mazu Networks Inc., Arbor Networks Inc. and OneSecure Inc. -- are developing the kind of monitoring devices that help ISPs help their customers.

Based in Cambridge, Mass., Mazu this spring will be field-testing its as-yet-unnamed denial-of-service monitoring equipment in ISP networks and in front of Web servers to sense the first signs of an attack and coordinate an automated response to filter "bad" traffic.

Mazu CEO Phil London says the monitoring devices are meant to stop distributed denial-of-service attacks, the devastating type of assault in which a single attacker can remotely control the launch of massive IP floods through agent "zombie" code installed on thousands of compromised servers on the Internet.

"The goal is to figure out what's 'good' traffic and 'bad' traffic," London says. "Our devices will be analyzing packets at line speed, gigabit speed." Based on a statistical model of traffic patterns, the Mazu equipment will be able to identify traffic characteristics of distributed denial-of-service attacks and communicate that information to the ISPs, Web-hosting centers or Web server owners via a private network or dial-up.

The devices will be able to take active response measures, such as filtering and tracing the attack, and gathering forensics, London says.

The gear is just going into field tests. It will be several months before Mazu, which has gotten $8 million in funding from Benchmark and employs 30, has test results to disclose.

Competitor Arbor Networks of Waltham, Mass., also hopes to help ISPs stop attacks. It has received $11 million in funding from Battery Ventures and Cisco Systems Inc.

The company is building Pentium-based monitoring equipment that will collect the output of Cisco and Juniper routers, but won't sit directly inline on the ISP networks in front of routers as a separate box, as the Mazu devices do, says Rob Malen, CTO of Arbor.

Capturing the data output that constitutes evidence of a denial-of-service attack is "a terribly manual process and it takes hours and days to do anything about it," Malen says. The Arbor equipment, expected in August, will be able to automatically detect, trace and filter "bad" traffic, says Ted Julian, chief strategist.

A third start-up, OneSecure, co-founded by Check Point Software Technologies Ltd.'s former chief architect, Nir Zuk, claims to have built an entire security network management package for ISPs. Its product is called the OneSecure Co-Management Platform and will be able to detect a denial-of-service attack and manage firewalls and VPNs.

"[Denial-of-service] attacks are getting worse every day," says Zuk, CTO at OneSecure. The Denver company also provides outsourced security through 30 engineers at its data center using the OneSecure platform. The cost is about $2,000 per month, per device.

Such gear sounds promising, according to Amir Moujtahed, an executive at Costa Mesa, Calif.-based ISP Epoch, but it would need to undergo extensive testing before being deployed.

"We'd look at such ideas, test them in our lab and see if there's buy-in for them from other ISPs," says Moujtahed, who added that ISPs are eager to coordinate to deal with the threat.

This story, "Start-ups vie to defeat DoS attacks," was originally published by Network World.
