Can DDoS Attacks Be Stopped? Answer Lies Within the Internet's Infrastructure
At least 4,000 Distributed Denial of Service (DDoS) attacks are launched each week;
Infrastructure-level solutions are the only hope of ending the economic threat to the Internet
By Dr. K. Narayanaswamy, Co-founder and Chief Technology Officer, Cs3, Inc.
LOS ANGELES -- Last year, a four-hour Distributed Denial of Service (DDoS) attack on popular sites such as CNN, Yahoo! and eBay caused an economic impact estimated at $1 billion, according to The Yankee Group.
A recently published study at the University of California at San Diego says there are at least 4,000 Denial of Service attacks launched each week by hackers, and the number is rising. Recently, Microsoft, the FBI, and even the Computer Emergency Response Team (CERT), the Internet's leading security watchdog, fell victim to DDoS attacks.
At present, there is no deployed technology to solve this problem.
Some products try to address the problem at the site or ISP level through "smart filtering," whereby they analyze packet traffic and drop the packets that appear to come from an attacker. This approach is much like virus scanning software: the defenses are always trying to keep up with the attackers, and are always a little behind them.
Rather than enter an arms race with hackers, a more practical and reliable approach to DDoS defense lies in focusing attention upon the fundamental flaws in the Internet infrastructure that provide the platform for DDoS attacks and other security and quality-of-service challenges. In other words, we need to fix the holes in the Internet infrastructure.
One of the primary infrastructure vulnerabilities is the ability of hackers to send packets with "spoofed" or faked source addresses.
Under its MANAnet™ brand of DDoS defense technologies, Cs3 has developed an enhancement to the Internet Protocol (IP) that would greatly reduce forgery. With what we call Path Enhanced IP (PEIP), a packet carries its own path information, which is not controlled by the sender. Cs3 is proposing PEIP as a standard to the Internet Engineering Task Force (IETF).
Another key feature of the MANAnet technologies is enabling routers to use the PEIP substrate to provide "fair service" based upon the true origin of each packet, thereby ensuring that all customers get their fair, uninterrupted share of shared resources, even in the face of a DDoS attack. With MANAnet's load-balancing fair-service scheduling, there is no need to distinguish bad packets from good at the router.
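The following simulation is an added illustration of the two ideas above, fair-service scheduling by true origin and why it depends on eliminating source forgery; it is not Cs3's MANAnet code and makes no claim about how PEIP or MANAnet routers are implemented. It assumes each packet carries an origin label the router can trust, and compares a plain first-in-first-out link with a round-robin scheduler over per-origin queues. The traffic (one flooding attacker, three legitimate users) is constructed for the example.

```python
"""Fair-service scheduling keyed by packet origin (added example, not Cs3 code).

Assumption: every packet carries an origin label that the sender cannot
forge, which is what the PEIP substrate is meant to provide. The scheduler
never classifies packets as good or bad; it only shares the link evenly
among origins.
"""
from collections import OrderedDict, deque


def fifo_schedule(packets, capacity):
    """Plain FIFO link: the first `capacity` packets on the wire win."""
    return packets[:capacity]


def fair_schedule(packets, capacity):
    """Serve up to `capacity` packets, visiting origins round-robin.

    `packets` is a list of (origin, payload) in arrival order; returns the
    list of (origin, payload) actually served.
    """
    queues = OrderedDict()
    for origin, payload in packets:
        queues.setdefault(origin, deque()).append(payload)
    served = []
    while queues and len(served) < capacity:
        for origin in list(queues):
            if len(served) >= capacity:
                break
            served.append((origin, queues[origin].popleft()))
            if not queues[origin]:
                del queues[origin]
    return served


def served_per_origin(served):
    """Count served packets by origin."""
    counts = {}
    for origin, _ in served:
        counts[origin] = counts.get(origin, 0) + 1
    return counts


def build_traffic():
    """Constructed sample: one attacker floods 1000 packets that arrive first;
    three legitimate users then send 10 packets each."""
    packets = [("attacker", f"flood-{i}") for i in range(1000)]
    for user in ("alice", "bob", "carol"):
        packets += [(user, f"{user}-{i}") for i in range(10)]
    return packets


def build_spoofed_traffic():
    """Same flood, but the attacker forges a different origin on every packet,
    which is what happens without source-forgery elimination."""
    packets = [(f"spoof-{i}", f"flood-{i}") for i in range(1000)]
    for user in ("alice", "bob", "carol"):
        packets += [(user, f"{user}-{i}") for i in range(10)]
    return packets


if __name__ == "__main__":
    link_capacity = 100  # packets the link can carry in the window
    print("fifo, true origins   :", served_per_origin(fifo_schedule(build_traffic(), link_capacity)))
    print("fair, true origins   :", served_per_origin(fair_schedule(build_traffic(), link_capacity)))
    spoofed = served_per_origin(fair_schedule(build_spoofed_traffic(), link_capacity))
    print("fair, forged origins :", {k: v for k, v in spoofed.items() if not k.startswith("spoof-")})
```

With true origins, FIFO gives all 100 slots to the attacker while the fair scheduler serves every legitimate packet and leaves the attacker only the remaining 70 slots. With forged origins the attacker looks like 1000 separate customers and the same fair scheduler serves none of the legitimate users, which is why fair service has to sit on top of a substrate that eliminates source forgery.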
Cs3 has developed MANAnet DDoS defense products based on elimination of source forgery and fair-service scheduling that work against both incoming and outgoing attacks.
For incoming attacks, Cs3 has developed the MANAnet Linux Router, which works in conjunction with the MANAnet Firewall. Cs3 will license its patent-pending technology to commercial router vendors, to add to their proprietary routers. The MANAnet Firewall allows sites to fine tune and improve the basic defense to suit their specific requirements.
For ISPs, universities and other infrastructure owners whose computers are vulnerable to being turned into DDoS zombies by hackers, the MANAnet Reverse Firewall™ stops DDoS attacks from being mounted from within their networks. Preventing DDoS attacks from being launched is likely soon to be seen as a requirement of responsible infrastructure ownership.
Unlike a traditional firewall, which filters incoming traffic, the MANAnet Reverse Firewall limits the rates of unexpected outgoing packets from a vulnerable network, protecting both the outside and the legitimate users of the network from DDoS attacks originating inside. And unlike tools that scan for known zombie signatures, with the Reverse Firewall there is no need for updates as hackers become more sophisticated.
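The model below is an added illustration of the egress-side idea described in the two paragraphs above, not Cs3's Reverse Firewall code, and it does not claim to reproduce the product's design. It applies two signature-free checks to packets leaving a site: the source address must belong to the site's own prefixes (so a zombie cannot forge a foreign source), and outgoing packets that are not part of a conversation an outside host started are rate-limited per internal host with a token bucket. Treating only those packets as "unexpected" is this example's assumption, as are the site prefix, the rates and the sample traffic.

```python
"""Signature-free egress control in the spirit of a 'reverse firewall'.

Added example, not Cs3 product code. Assumptions: the site knows its own
address prefixes, and an outgoing packet counts as 'expected' only when it
answers a conversation that an outside host opened.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    t: float   # time the packet reaches the egress point, in seconds
    src: str   # source address as written in the packet (may be forged)
    dst: str   # destination address


class TokenBucket:
    """Classic token bucket: `rate` tokens per second, at most `burst` stored."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ReverseFirewall:
    def __init__(self, prefixes, rate, burst):
        self.nets = [ipaddress.ip_network(p) for p in prefixes]
        self.rate, self.burst = rate, burst
        self.buckets = {}        # internal host -> TokenBucket for unexpected packets
        self.expected = set()    # (internal host, external peer) conversations
        self.stats = {"forwarded": 0, "spoofed": 0, "rate_limited": 0}

    def note_inbound(self, ext_src, int_dst):
        """Record that an outside host opened a conversation with int_dst."""
        self.expected.add((int_dst, ext_src))

    def egress(self, pkt):
        """Classify one outgoing packet and return the verdict."""
        src = ipaddress.ip_address(pkt.src)
        if not any(src in net for net in self.nets):
            verdict = "spoofed"        # forged source: never leaves the site
        elif (pkt.src, pkt.dst) in self.expected:
            verdict = "forwarded"      # reply to traffic we saw come in
        else:
            bucket = self.buckets.setdefault(pkt.src, TokenBucket(self.rate, self.burst))
            verdict = "forwarded" if bucket.allow(pkt.t) else "rate_limited"
        self.stats[verdict] += 1
        return verdict


def run_sample():
    """Constructed traffic leaving a site that owns 192.0.2.0/24 (TEST-NET-1)."""
    fw = ReverseFirewall(["192.0.2.0/24"], rate=5, burst=10)
    packets = []
    # Legitimate host: one new outgoing packet per second for 30 seconds.
    packets += [Packet(float(t), "192.0.2.10", "203.0.113.5") for t in range(30)]
    # Five replies to a conversation an outside host started; never rate-limited.
    fw.note_inbound("203.0.113.9", "192.0.2.10")
    packets += [Packet(t + 0.5, "192.0.2.10", "203.0.113.9") for t in range(5)]
    # Zombie using its real address: 500 packets in the same instant.
    packets += [Packet(100.0, "192.0.2.66", "203.0.113.5") for _ in range(500)]
    # Zombie forging a foreign source address: 50 packets.
    packets += [Packet(101.0, "198.51.100.7", "203.0.113.5") for _ in range(50)]
    for pkt in sorted(packets, key=lambda p: p.t):
        fw.egress(pkt)
    return fw.stats


if __name__ == "__main__":
    print(run_sample())
```

Of the 500 zombie packets only the initial burst of 10 gets out, the 50 forged packets are dropped outright, and the legitimate host's traffic is untouched, all without the firewall knowing anything about the zombie's software.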
The real success of an infrastructure-level DDoS defense will require "cooperative neighborhoods" with real-time cooperation and communication between parts of the Internet infrastructure. A cooperative neighborhood is a group of adjacent routers that are enabled with similar capabilities, such as PEIP to eliminate source forgery and fair-service scheduling. The larger the neighborhood, the more effective the elimination of source forgery, and with it the DDoS defense, becomes.
The benefits of cooperative neighborhoods reach beyond DDoS defense, providing the foundation for forensics and network management tools, where organizations can see where problems are originating and plan around them. Neighborhoods that have eliminated source forgery allow for a host of new products and services, such as filtering based on accurate packet sources and smarter allocation schemes for resources.
DDoS is a serious problem. What people think of as "the DDoS problem" is, in fact, many different problems. Addressing these will take infrastructure changes. Therefore, there is no easy fix to this problem that threatens the growth and realization of the Internet economy. But without an infrastructure level approach, there will be no real, reliable, long-term solution. The viability of the Internet as a platform for mission-critical applications requires new thinking and new approaches that focus on infrastructure-level solutions.
# # #
Founded in 1991, incorporated in 1998, Cs3, Inc. is a pioneer in infrastructure-level DDoS security solutions, constructing the building blocks for a more secure and robust, mission-critical Internet. Privately held, Cs3 has been awarded development funding by the Defense Advanced Research Projects Agency (DARPA) and the California Technology Investment Partnership (CALTIP).
For more information on Cs3 and its MANAnet DDoS Defense solution, please visit www.Cs3-inc.com.
Company contact: Cs3, Inc., Ms. Deborah Taylor, 5777 W. Century Blvd., Ste. 1185, Los Angeles CA, 90045-5600. Phone: (310) 337-3013; Fax: (310) 337-3012.