MANAnet™: Infrastructure-level DDoS Defense



A single site cannot protect itself against a packet flood on today's Internet. By the time the flood reaches the victim it is already too late: many of the packets of legitimate customers have already been discarded upstream, in the congestion the attack causes, before any device at the site could act on them.

Denial of Service attacks are a symptom of deficiencies in the Internet infrastructure. Stopping DDoS attacks, like other security and quality-of-service problems, requires fixing those holes in the infrastructure itself.

Cs3's patent-pending MANAnet Shield (MANA means "soul" or "essence" in the languages of the Pacific Islands) is a family of products and technologies that provide comprehensive, infrastructure-level defenses against both incoming and outgoing packet-flooding Distributed Denial of Service (DDoS) attacks on the Internet. MANAnet Shield incorporates both active, inline solutions and passive, off-line solutions.

MANAnet FloodWatcher is a passive, off-line device that monitors network traffic parameters, detects anomalies indicative of a DDoS attack, and alerts administrators with critical information to take remedial actions.

Several active, inline solutions are also available. DDoS attacks can be throttled at the edge of a network with the MANAnet Reverse Firewall™, which is intended for ISPs, universities and any other owner of infrastructure. Letting customers reach a site through an incoming DDoS attack requires cooperation between the site and the upstream infrastructure; the MANAnet Linux Router and the MANAnet Firewall are the devices that implement that cooperation.

MANAnet FloodWatcher: Detection, Alerts, and Attribution of DDoS Attacks

Many customers prefer not to add active, inline devices to their networks. FloodWatcher gives such customers a passive, offline option. It monitors a network for anomalies associated with packet-flood attacks and notifies administrators when it finds them, together with attribution information about where the attack is coming from.

MANAnet Reverse Firewall: Choking Off DDoS Attacks at the Edge of Networks

Most DDoS attacks are launched by attackers from compromised computers ("zombies") that they control. The MANAnet Reverse Firewall stops such attacks by refusing to forward floods between the networks it separates. This patent-pending device regulates traffic in both directions. It provides fair service to packet streams and limits the rate of "unexpected" packets, those that are not replies to earlier packets sent in the other direction.

This benefits the other customers of the local infrastructure as well as the Internet at large. And unlike intrusion detection tools that look for known zombie signatures, the Reverse Firewall needs no signature updates as attackers become more sophisticated, because it acts on how traffic behaves rather than on what it looks like.
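The "unexpected packet" rule above is the part of the Reverse Firewall a practitioner can model directly. The following is an added example, not Cs3's code: a flow table remembers the packets that were forwarded in each direction, a packet that answers a recent packet from the other direction is "expected" and forwarded freely, and every other packet draws on a per-source-host token bucket, so a flooding zombie exhausts only its own allowance while a neighbouring host's web session passes untouched. The flow-table timeout, bucket parameters, address pairs and sample traffic are all assumptions made for the illustration.

```python
"""Model of the 'unexpected packet' rule the page attributes to the MANAnet
Reverse Firewall.  A packet is 'expected' when it answers a packet that
recently crossed the device in the opposite direction; anything else is
'unexpected' and draws on a per-source-host token bucket, so a flooding zombie
exhausts only its own allowance while its neighbours' traffic passes.
Added illustration, not Cs3's code: the flow-table timeout, the bucket
parameters and the sample traffic are assumptions."""

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float       # seconds; explicit timestamps keep the model deterministic
    direction: str  # "out" = leaving the protected network, "in" = entering it
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


class TokenBucket:
    """`rate` tokens per second, at most `burst` stored; one token per packet."""

    def __init__(self, rate: float, burst: float) -> None:
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, None

    def allow(self, now: float) -> bool:
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ReverseFirewall:
    def __init__(self, rate: float = 10.0, burst: float = 20.0, flow_timeout: float = 30.0):
        self.rate, self.burst, self.flow_timeout = rate, burst, flow_timeout
        self.seen = {}       # (direction, 5-tuple) -> timestamp of last forwarded packet
        self.buckets = {}    # source host -> TokenBucket governing its unexpected packets
        self.stats = defaultdict(lambda: {"forward": 0, "drop": 0, "expected": 0})

    @staticmethod
    def _tuple(p: Packet):
        return (p.src, p.dst, p.proto, p.sport, p.dport)

    @staticmethod
    def _reverse_tuple(p: Packet):
        return (p.dst, p.src, p.proto, p.dport, p.sport)

    def _is_expected(self, p: Packet) -> bool:
        """Expected = a matching packet went the other way within flow_timeout."""
        opposite = "in" if p.direction == "out" else "out"
        last = self.seen.get((opposite, self._reverse_tuple(p)))
        return last is not None and p.ts - last <= self.flow_timeout

    def handle(self, p: Packet) -> str:
        st = self.stats[p.src]
        if self._is_expected(p):
            st["expected"] += 1
            verdict = "forward"
        else:
            bucket = self.buckets.setdefault(p.src, TokenBucket(self.rate, self.burst))
            verdict = "forward" if bucket.allow(p.ts) else "drop"
        st[verdict] += 1
        if verdict == "forward":
            self.seen[(p.direction, self._tuple(p))] = p.ts
        return verdict


def simulate() -> dict:
    """Constructed traffic: one legitimate web fetch from 10.0.0.5 and a
    1000-packet outgoing SYN flood from zombie 10.0.0.99, all within one second."""
    fw = ReverseFirewall(rate=10.0, burst=20.0)
    legit, server, zombie, victim = "10.0.0.5", "203.0.113.10", "10.0.0.99", "198.51.100.7"
    traffic = [
        Packet(1.00, "out", legit, server, "tcp", 40000, 80),  # SYN: unexpected, within allowance
        Packet(1.05, "in", server, legit, "tcp", 80, 40000),   # SYN/ACK: reply, expected
        Packet(1.06, "out", legit, server, "tcp", 40000, 80),  # ACK + request: expected
        Packet(1.20, "in", server, legit, "tcp", 80, 40000),   # response: expected
    ]
    traffic += [Packet(1.0 + i / 1000.0, "out", zombie, victim, "tcp", 1024 + i, 80)
                for i in range(1000)]
    for p in sorted(traffic, key=lambda p: p.ts):
        fw.handle(p)
    return {host: dict(fw.stats[host]) for host in (legit, server, zombie)}


if __name__ == "__main__":
    for host, st in simulate().items():
        print(host, st)
```

Running `simulate()` shows the legitimate host's four packets all forwarded, three of them classified as expected replies, while the zombie gets its burst of 20 plus roughly one more packet per 100 milliseconds and the rest are dropped. Note what the rule does not do: it keys the bucket on the claimed source address, so a zombie that spoofs its source would spread its flood over many buckets; that is why the page pairs this edge throttling with path-based defenses in the infrastructure.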

MANAnet Routers and Firewalls: Protecting Communications During Incoming Attacks

Defending against incoming DDoS attacks requires cooperation between the infrastructure and the sites it serves. The MANAnet technology offers a systemic, infrastructure-level DDoS defense built on that cooperation. Two products play a key role in defending against incoming DDoS attacks:

  • MANAnet Linux Router: It implements Path Enhanced IP (PEIP), whereby each packet carries path data that cannot be forged. MANAnet routers give incoming packets "fair service" by path, using a mechanism called PLFQ. A MANAnet router also rate-limits by path when its nearest neighbors request it. Together, PEIP and PLFQ make the infrastructure more robust against DDoS attacks.

  • MANAnet Firewall: In addition to normal firewall functionality, the MANAnet Firewall implements PEIP/PLFQ for DDoS defense. It also tracks "unexpected" incoming packets, those that are not replies to earlier outgoing packets, and serves them at a lower rate. The Firewall detects attacks and can ask its neighboring routers to rate-limit by path while a DDoS attack is under way.
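The two behaviors above, fair service keyed by path and rate limiting by path on a neighbor's request, can be shown in a small simulation. The following is an added example, not Cs3's code, and it simplifies: the unforgeable path data is represented as the tuple of router identifiers a packet traversed, "fair service" is packet-level round robin over one queue per path rather than the real PLFQ, and a neighbor's request becomes a per-slot cap on every path matching a prefix. A plain FIFO link is included as the baseline, and all traffic, router names and addresses are constructed. The point the simulation makes is that a flood sharing one path cannot starve other paths no matter how many source addresses it spoofs, and that a rate-limit request moves the flood's cost upstream instead of onto the victim's link.

```python
"""Toy model of the two PEIP/PLFQ behaviours described above: fair service
keyed by the path a packet took, and rate limiting by path when a neighbour
asks for it.  Added illustration, not Cs3's code.  Assumptions: the
unforgeable path data is the tuple of router IDs a packet traversed; 'fair
service' is packet-level round robin over one queue per path (a simplification
of PLFQ); a neighbour's request becomes a per-slot cap on every path that
matches a prefix.  All traffic below is constructed."""

from collections import OrderedDict, defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    path: tuple  # routers traversed, recorded hop by hop; assumed unforgeable as PEIP claims
    src: str     # claimed source address: spoofable, so scheduling never looks at it


class FifoLink:
    """Baseline: one shared drop-tail queue served in arrival order."""

    def __init__(self, capacity: int, queue_len: int) -> None:
        self.capacity, self.queue_len, self.q = capacity, queue_len, deque()
        self.served, self.dropped = defaultdict(int), defaultdict(int)

    def slot(self, arrivals) -> None:
        for p in arrivals:
            if len(self.q) < self.queue_len:
                self.q.append(p)
            else:
                self.dropped[p.path] += 1
        for _ in range(min(self.capacity, len(self.q))):
            self.served[self.q.popleft().path] += 1


class PathFairLink:
    """One queue per path; each time slot serves paths round robin, honouring caps."""

    def __init__(self, capacity: int, queue_len: int) -> None:
        self.capacity, self.queue_len = capacity, queue_len
        self.queues = OrderedDict()  # path -> deque, created on first packet
        self.caps = {}               # path prefix -> max packets per slot
        self.served, self.dropped = defaultdict(int), defaultdict(int)

    def request_rate_limit(self, prefix, max_per_slot: int) -> None:
        """What a downstream neighbour asks for once it has detected a flood on `prefix`."""
        self.caps[tuple(prefix)] = max_per_slot

    def _cap(self, path):
        matching = [c for pre, c in self.caps.items() if path[:len(pre)] == pre]
        return min(matching) if matching else None

    def slot(self, arrivals) -> None:
        for p in arrivals:  # tail drop per path: a flood only overflows its own queue
            q = self.queues.setdefault(p.path, deque())
            if len(q) < self.queue_len:
                q.append(p)
            else:
                self.dropped[p.path] += 1
        budget, sent = self.capacity, defaultdict(int)
        while budget > 0:
            progressed = False
            for path, q in self.queues.items():
                cap = self._cap(path)
                if budget > 0 and q and (cap is None or sent[path] < cap):
                    q.popleft()
                    budget -= 1
                    sent[path] += 1
                    self.served[path] += 1
                    progressed = True
            if not progressed:
                break


LEGIT_A, LEGIT_B, FLOOD = ("AS-A", "R1", "R3"), ("AS-B", "R2", "R3"), ("AS-C", "R4", "R3")


def simulate(slots: int = 5, capacity: int = 10, queue_len: int = 50, limit_flood: bool = False):
    """Per slot: 100 flood packets with rotating spoofed sources surround 4 legitimate ones."""
    fifo, fair = FifoLink(capacity, queue_len), PathFairLink(capacity, queue_len)
    if limit_flood:
        fair.request_rate_limit(("AS-C", "R4"), max_per_slot=2)
    for _ in range(slots):
        zombies = [Packet(FLOOD, f"203.0.113.{i % 250}") for i in range(100)]
        legit = [Packet(LEGIT_A, "198.51.100.10")] * 2 + [Packet(LEGIT_B, "198.51.100.20")] * 2
        arrivals = zombies[:50] + legit + zombies[50:]
        fifo.slot(arrivals)
        fair.slot(arrivals)
    return {"fifo": (dict(fifo.served), dict(fifo.dropped)),
            "fair": (dict(fair.served), dict(fair.dropped))}


if __name__ == "__main__":
    for name, (served, dropped) in simulate().items():
        print(name, "served:", served, "dropped:", dropped)
    print("with rate-limit request:", simulate(limit_flood=True)["fair"][0])
```

With the constructed traffic the FIFO link never serves a single legitimate packet, because the flood fills the shared queue before they arrive, while the path-fair link serves every legitimate packet and lets the flood use only the capacity nobody else wants; after `request_rate_limit` the flood path is held to two packets per slot. The spoofed source addresses in the flood change nothing in either scheduler, which is the reason the page keys fairness on the recorded path rather than on the source.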

MANAnet DDoS Product Sheets

Additional detail on Cs3's MANAnet DDoS defense products can be found in the following product sheets:


MANAnet DDoS White Papers

The MANAnet philosophy of DDoS defense and its technologies are explained in the following white papers:
