Purpose: Working Defense Against DDoS Attacks

MANAnet Routers are routers with additional functionality that, in cooperation with other neighboring MANAnet routers, can substantially reduce the impact of packet flooding DDoS attacks.

Description: Implements DDoS Defense at the Infrastructure Level

The MANAnet Router makes it possible to schedule or filter packets based on more reliable data about their source addresses, thereby providing the basis for a working DDoS defense at the infrastructure level. This requires cooperation with neighboring MANAnet routers which add path data to packets that is beyond the control of the attacker(s).

Who Needs the MANAnet Router: All Infrastructure Owners

All Internet infrastructure owners who currently deploy traditional routers within their networks can benefit from deploying the MANAnet Router instead. The currently available Linux implementation of the MANAnet Router is not fast enough to replace high-speed, commercial routers. However, MANAnet's patent-pending technologies will be licensed to commercial router companies to provide fast routers that implement the MANAnet DDoS defense.

How the MANAnet Router Works: Uses PEIP and Fair Service Queuing

The MANAnet Router implements a modified form of IP called Path Enhanced IP (PEIP). Each MANAnet Router adds the place from where it got a packet to the packet before it forwards it. It really helps to have "cooperative neighborhoods" of MANAnet routers - routers that are connected to one another and are MANAnet-enabled. Within a cooperative neighborhood, one can unerringly identify the place where the packet entered the neighborhood because that data is not under the control of the DDoS attacker. Please see the PEIP white paper for more technical details about PEIP.

Benefits: Infrastructure-level Approach that Requires No Updates

The MANAnet Router or its commercial counterparts have the potential to completely eliminate the threat of packet flooding DDoS attacks. The MANAnet approach has several important advantages:

1. Most approaches to DDoS defense at the victim sites cannot avoid congestion of the network upstream, and, therefore, legitimate customer packets are likely to be lost. In practice, most sites detect the packet flood, and then request that their ISP filter the bad traffic. This is a tedious manual process. The MANAnet Router works reliably, automatically, and in real-time, thanks to PEIP and fair service scheduling.



2. The additional path information and the effort to decode path information can be handled in constant and small overhead - not adding significantly to latency and without using too much bandwidth to implement the defense.



3. The MANAnet Router does not rely upon "intelligent" traffic analysis to recognize known attack signatures as many competing approaches do. Instead, the router functions based on the fundamentally simple idea of "fair service." No updates are required when the attackers change their methods or become more sophisticated - as they indeed will when the defenses improve. Security achieved through simplicity and elegance of design trumps "smart" approaches that invite a virtual arms race with hackers - as the virus scanning fiasco illustrates amply.



4. Cooperative MANAnet neighborhoods can be used to define a variety of new quality of service and security applications beyond DDoS defense.