Cs3 Attacks Denial of Service Threat With Infrastructure-level Solutions
DDoS Attacks Can Only Be Stopped at Infrastructure Level, says Cs3 Founder
LOS ANGELES -- Last year, a four-hour Distributed Denial of Service (DDoS) attack on popular sites such as CNN, Yahoo! and eBay caused an economic impact estimated at $1 billion, according to The Yankee Group. They weren't alone. DDoS attacks have since disrupted the sites of Microsoft, the FBI, and even the Computer Emergency Response Team (CERT), the Internet's leading security watchdog. CERT is an important agency for passing information on the latest vulnerabilities in computer systems among security experts. The Denial of Service attack flooded the center's Web site with data requests and made the site -- and its crucial security advisories -- almost impossible to access for more than 24 hours.
A recently published study claims at least 4,000 Denial of Service (DoS) attacks are launched by hackers each week. The FBI's National Infrastructure Protection Center has sent out an advisory urging online administrators to be on the watch for increased attacks.
In a Denial of Service attack, streams of seemingly normal service requests (literally made by sending data packets) overwhelm a network such that legitimate users cannot gain access to the site's resources - thus, they are denied service. Typical Distributed Denial of Service (DDoS) attacks involve the use of multiple unwitting "zombie" computers sending requests to the victim site. The attack is more difficult to stop because the origin of the attack is very complex and hard to identify, especially as the data packets sent to the victim will often have "spoofed" (forged) source addresses.
There is no end in sight to this threat, because at present there is no deployed and fully automated solution to reliably combat Denial of Service attacks.
To help blunt these attacks, security vendors are embedding stronger intelligence into networking filters and other network devices, but these efforts are proving to be limited in their success. Some commercial products try to tackle the problem at the site or ISP level through the use of "smart filtering": they try to analyze packet traffic and stop those coming from an attacker. But this approach is much like virus scanning software, with defenses always trying to keep up with, and always being a little behind, the attackers.
"There are no easy quick-fix solutions to Denial of Service attacks because they are really a symptom of deficiencies in the Internet infrastructure," says Deborah A. Taylor, founder, CEO and President of Los Angeles-based Cs3, Inc. "For the Internet to be a viable platform for mission-critical applications, infrastructure-level improvements in both security and performance must be made. The real solution to DDoS and other problems is to fix the holes in the Internet infrastructure."
One major example of a deficiency in the Internet infrastructure is the ability of hackers to "spoof" or fake the source addresses of the packets they send, Taylor said.
With funding by the Department of Defense's Defense Advanced Research Projects Agency (DARPA) and the California Technology Investment Partnership (CALTIP), Cs3 has, since 1999, been pioneering the development of infrastructure-level technologies to fix the holes in the public infrastructure that make DoS attacks possible and create other security and quality-of-service challenges.
According to Taylor, Cs3 has recently released, under its MANAnet™ brand, infrastructure-level DoS defense products that combat DoS attacks both "coming into" and "going out of" networks. And Cs3 is proposing enhancements to the Internet Protocol (IP) standard to the Internet Engineering Task Force (IETF) that would eliminate source forgery. With the new protocol, called Path Enhanced IP (PEIP), which is part of MANAnet technologies, a packet carries its own path information that is not controlled by the sender.
"If embraced by infrastructure owners and the Internet at large, Cs3's MANAnet technologies would be highly effective in protecting the Internet from DDoS attacks," says Taylor, "but this is not going to happen overnight.
"Adoption by infrastructure owners is the major issue," she says. "Putting in place all the building blocks needed to make the Internet more secure and robust will be an evolutionary process."
Dr. K. Narayanaswamy, Cs3 co-founder and chief technology officer, explains the different products and major attributes that comprise what he calls the "MANAnet Shield" for DDoS defense.
A primary attribute of MANAnet technology is a patent-pending "fair-service" approach, whereby all customers get their fair, uninterrupted share of shared resources, even in the face of DDoS attacks, he says.
"Site-level solutions, such as the smart-filtering products now on the market that try to identify and stop malicious packets coming into a network, are engaging hackers in an arms race," Narayanaswamy says. "With MANAnet's innovative load-balancing fair-service scheduling, there is no need to identify the bad packets from the good, because the technology ensures that legitimate customers get their fair share of service. Some of the attacker's packets could get through, but the customers, who are typically less greedy, get their fair share of service."
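To make the fair-service argument concrete, here is an added simulation (not Cs3's code; MANAnet's patent-pending scheduler is not described on this page, so a simple per-source round-robin rule is assumed, and all names and the arrival trace are constructed): one flooding source and five legitimate clients contend for a link that can forward 20 packets in the window. A FIFO link forwards only flood packets, while the per-source scheduler forwards every legitimate packet without ever classifying any packet as malicious.

```python
from collections import defaultdict, deque

def build_arrivals(flood_src, legit_srcs, burst, rounds):
    """Constructed arrival trace: before each legitimate packet, `burst`
    packets from the flooding source arrive. A packet is represented by
    its (claimed) source identifier only."""
    arrivals = []
    for _ in range(rounds):
        for src in legit_srcs:
            arrivals.extend([flood_src] * burst)
            arrivals.append(src)
    return arrivals

def fifo_serve(arrivals, capacity):
    """Plain FIFO link: forward the first `capacity` packets in arrival
    order and drop the rest. Returns packets forwarded per source."""
    served = defaultdict(int)
    for src in arrivals[:capacity]:
        served[src] += 1
    return dict(served)

def fair_serve(arrivals, capacity):
    """Per-source fair service (assumed round-robin rule): queue packets by
    source, then visit the active sources in turn, forwarding one packet
    each, until the window's capacity is used up. No packet is ever judged
    good or bad; a source that sends more simply waits longer."""
    queues = {}
    for src in arrivals:
        queues.setdefault(src, deque()).append(src)
    served = defaultdict(int)
    remaining = capacity
    while remaining > 0 and queues:
        for src in list(queues):
            if remaining == 0:
                break
            queues[src].popleft()
            served[src] += 1
            remaining -= 1
            if not queues[src]:
                del queues[src]  # this source has nothing left to send
    return dict(served)

def legit_fully_served(served, legit_srcs, per_client):
    """True if every legitimate client got all `per_client` packets through."""
    return all(served.get(src, 0) == per_client for src in legit_srcs)

if __name__ == "__main__":
    clients = ["c1", "c2", "c3", "c4", "c5"]
    trace = build_arrivals("flood", clients, burst=20, rounds=2)  # 200 flood + 10 legit
    print("FIFO:", fifo_serve(trace, 20))  # only flood packets get through
    print("fair:", fair_serve(trace, 20))  # flood 10, each client 2
```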
Cs3 offers both incoming and outgoing MANAnet DDoS defense products.
To stop outgoing DDoS attacks - those emanating from a local area network - Cs3 offers the Reverse Firewall™. Unlike a traditional firewall, which filters incoming traffic, the MANAnet Reverse Firewall limits the rates of unexpected outgoing packets from a vulnerable network and protects both the outside and the legitimate customers of the network from DDoS attacks originating inside.
"It is much easier to choke off DDoS attacks closer to their origin," Narayanaswamy says. "ISPs, universities and other infrastructure owners vulnerable to hackers turning their computers into DDoS zombies can now stop DDoS attacks from being mounted from their networks, and also ensure their own customers are not denied service due to such attacks. This is something that is likely to soon be seen as a requirement for responsible infrastructure ownership."
In contrast to tools that scan networks to ferret out known zombie signatures, the Reverse Firewall also has the benefit of needing no updates or upgrades as hackers become more sophisticated, he says.
For defense against incoming attacks, the MANAnet Linux Router and the MANAnet Firewall are now available. Cs3 will license its technology for proprietary routers. "A MANAnet Router enhances a traditional router by reducing source forgery, and providing fair service based on the true source of a packet. The MANAnet Firewall provides the ability to tune the defense for a specific site and to further improve the defense for customers."
According to Narayanaswamy, the real success of DDoS defense will be longer term and involve "cooperative neighborhoods," where there is real-time cooperation and communications between parts of the Internet infrastructure. A cooperative neighborhood is a group of adjacent routers that are enabled with similar capabilities, such as Path Enhanced IP to eliminate source forgery and fair-service scheduling.
"The basic principle is analogous to a Neighborhood Watch, where people achieve collective benefits of security and reliability by cooperative actions," he says. "The larger the neighborhood, the more effective the elimination of source forgery and DDoS defense."
The benefits of cooperative neighborhoods go beyond DDoS defense, Narayanaswamy claims.
"Large neighborhoods can form the foundation for forensics and network management tools, where organizations can see where problems are originating and plan around them," he says. "Neighborhoods that have eliminated source forgery allow for a host of new products and services, such as filtering based on accurate packet sources and smarter allocation schemes for resources."
# # #
Founded in 1991, incorporated in 1998, Cs3, Inc. is a pioneer in infrastructure-level DDoS security solutions, constructing the building blocks for a more secure and robust, mission-critical Internet. Privately held, Cs3 has been awarded development funding by the Defense Advanced Research Projects Agency (DARPA) and the California Technology Investment Partnership (CALTIP).
For more information on Cs3 and its MANAnet DDoS Defense solution, please visit www.Cs3-inc.com.
Company contact: Cs3, Inc., Ms. Deborah Taylor, 5777 W. Century Blvd., Ste. 1185, Los Angeles CA, 90045-5600. Phone: (310) 337-3013; Fax: (310) 337-3012.