All-in-one security tool
DDoS (Distributed Denial of Service) attacks are a rapidly growing problem for many network administrators. Attackers can easily launch crippling attacks from hundreds or even thousands of compromised hosts, making the attacks difficult to pinpoint and to defend against. Niksun Inc.'s NetDetector can alert network administrators to DDoS attacks and help them identify the sources and type of the attacks.
NetDetector is a network surveillance appliance for IP networks. It captures and records all packets, analyzing them for possible intrusion attempts and storing them in case they are needed for a forensics investigation. NetDetector continuously copies data from the network, time-stamps the recorded data, analyzes every packet, detects the activities of intruders, sets alarms for real-time alerting, and gathers evidence for post-event analysis and legal prosecution.
Although NetDetector is a powerful analysis and forensics tool, other products on the market may provide more help against DDoS attacks. With NetDetector, administrators still have to analyze traffic for the type and source of the attack. This process can take several hours, which may cost an organization thousands -- if not millions -- of dollars. Focused DDoS solutions, such as Asta Networks' Vantage, perform this analysis for you in a fraction of the time and even recommend defense strategies.
NetDetector can prove valuable not only for DDoS attacks but also for overall network surveillance. Its intrusion-detection capabilities and packet recording make attack analysis a simple process. Investigators can analyze the recorded packets to see what happened during the attack and which systems were targeted. By focusing this analysis and the subsequent recovery process, organizations can save time and money. Starting at $15,000, NetDetector is less expensive than some of the other DDoS solutions and deserves consideration.
NetDetector has four main elements: the Traffic Recorder, the Query Processor, the Alerter, and the Web GUI. The Traffic Recorder collects all of the traffic from the network interfaces and places it in permanent storage. The Query Processor analyzes the traffic once it has been recorded to respond to queries from the Alerter or from a user performing an ad hoc analysis. The Alerter is a background process that calculates traffic statistics to detect anomalies and threshold violations and alerts administrators when problems are identified.
NetDetector can alert an administrator when a potential DDoS attack is under way. After establishing typical network loads and traffic volumes, administrators can have NetDetector monitor incoming traffic from the ISP and send alerts when the defined thresholds are exceeded.
Setup and configuration of NetDetector are simple. Administrators turn on the device, configure the network settings, and the tool is ready to go. To test the DDoS alerting, we configured a traffic threshold alert and launched an attack that exceeded that threshold against a system on the test network. NetDetector sent us an e-mail alert telling us about the possible attack. We then examined the packets to find the source of the attack.
NetDetector takes a three-step approach to DDoS attacks. First, using a Web interface, the administrator establishes policies for the traffic volume on the network. These can be based on historical data or on statistical analysis available from the Traffic Recorder on the NetDetector. Second, when NetDetector detects traffic exceeding the defined thresholds, it alerts the administrator via e-mail, screen alert, or SNMP trap. Third, an administrator can verify and investigate the attack using NetDetector's Traffic Analysis screen. The administrator can determine exactly what type of traffic is being launched against the network (such as UDP packets on port 80) and take appropriate action to defend against the attack.
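The three-step approach above (a volume policy derived from historical statistics, an alert when the policy is exceeded, then a breakdown of the offending traffic by protocol and port) as an added example; this is not Niksun's code. The baseline counts and the packet sample are constructed, and the mean-plus-three-standard-deviations rule is an assumption about how such a policy might be derived.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed sample: packets per 10-second interval on the ISP-facing
# interface during normal operation (stands in for Traffic Recorder history).
BASELINE_PPS = [820, 910, 870, 940, 880, 905, 860, 895, 930, 875]

# Constructed sample: packets seen in the interval under inspection, as
# (src_ip, proto, dst_port).  Normal web and mail traffic plus a UDP/80
# flood from 200 hosts in the 192.0.2.0/24 documentation range.
SUSPECT_INTERVAL = (
    [("10.0.0.5", "TCP", 443)] * 600
    + [("10.0.0.9", "TCP", 25)] * 200
    + [("192.0.2.%d" % i, "UDP", 80) for i in range(1, 201)] * 10  # 2000 pkts
)


def threshold_from_history(history, k=3.0):
    """Step 1: derive the volume policy from historical per-interval
    counts as mean + k population standard deviations (k is an assumption)."""
    return mean(history) + k * pstdev(history)


def evaluate_interval(packets, threshold):
    """Steps 2 and 3: return None when the interval is within policy,
    otherwise an alert record that names the dominant (proto, port) pair
    and how many distinct sources sent it, which is what an administrator
    needs to recognise a distributed flood such as 'UDP packets on port 80'."""
    count = len(packets)
    if count <= threshold:
        return None
    by_service = Counter((proto, port) for _, proto, port in packets)
    (proto, port), pkts = by_service.most_common(1)[0]
    sources = {src for src, p, d in packets if (p, d) == (proto, port)}
    return {
        "packets": count,
        "threshold": round(threshold, 1),
        "top_service": f"{proto}/{port}",
        "top_service_packets": pkts,
        "distinct_sources": len(sources),
    }


if __name__ == "__main__":
    policy = threshold_from_history(BASELINE_PPS)
    print("threshold:", round(policy, 1))
    print("alert:", evaluate_interval(SUSPECT_INTERVAL, policy))
```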
Beyond its DDoS capabilities, NetDetector lets administrators establish alerts for almost any type of network connection and monitor for IP address spoofing, port scans, host scans, and even unknown protocols. NetDetector can also be used to enforce corporate policies. If the organization has a policy prohibiting large e-mail attachments, NetDetector can monitor SMTP traffic for large attachments. The same monitoring can be applied to FTP connections.
Another option is to control Web connections. If your organization needs to control network bandwidth and utilization and wants to set a maximum number of open Web connections per employee, NetDetector can watch for this. Because it records all traffic, NetDetector is limited only by your creativity in defining alerts.
To test this feature, we configured the system to alert us whenever a port scan was detected. We then ran a port scan against a machine and received the e-mail alert we had requested. We also used the application reassembly feature to see the network traffic our port scan created. NetDetector allows you to play back the session of any TCP application (including SMTP, FTP, Telnet, and HTTP).
NetDetector is a versatile network analysis tool that can alert you to threats ranging from intrusions to DDoS attacks. It reduces investigation time for network and system attacks and should be considered for any environment under constant attack.
THE BOTTOM LINE: CONSIDER
Business Case: This network appliance helps defend against DDoS attacks that could result in countless hours of network downtime or millions of dollars in lost e-business revenue.
Technology Case: NetDetector alerts network administrators to possible DDoS attacks and records the network traffic data necessary for identifying the type and source of the attacks.
+ Records and stores all packets for analysis and investigation
+ Easy to integrate into existing infrastructure
- Does not provide attack analysis
- Does not make defense recommendations
- Has potentially time-consuming process for defining thresholds and alerts
Cost: Starts at US$15,000
Platform(s): Stand-alone appliance
Company: Niksun Inc.; www.niksun.com