A new class of anomaly-based DoS protection technology that looks for abnormal patterns in network traffic and provides filtering techniques to block or deny bogus traffic has hit the market. Sounds great—but is it the best solution for your organization?

There are two general types of DoS protection technology: the in-line solution, featuring a device installed on the network for analysis and filtering of abnormal traffic; and outbound devices, which perform statistical analysis by culling information from routers and using those routers to filter legitimate and bogus traffic. Technology from Arbor Networks and Asta Networks, for instance, fall in the outbound category, while Captus Networks and Mazu Networks are in-line solutions.

Choosing the right protection depends on the size and complexity of your network. When evaluating any DoS product, tech leaders should focus on how the product detects attacks and how it determines what to do to stop the attack, advised Aberdeen Group analyst Eric Hemmendinger. CIOs should also consider whether or not they want to manually or automatically mitigate attacks.

How one enterprise found a solution
TELUS Corporation, the second-largest telecommunications company in Canada, chose Arbor Networks’ Peakflow DoS product because IT operators didn’t want an in-line system interfering with the performance of its vast network. The service provider offers data, Internet, voice, and wireless services to millions of Canadian customers and is currently upgrading an OC-48 network to a 10-gigabit environment. Any DoS protection product TELUS implemented needed to work with its bank of Cisco GSR routers that handle those fast line rates and huge volumes of traffic.

“Given the scale and reliability problems, we didn’t want an in-line solution. The reason for that is that anything you start inserting into the core of a large service provider network introduces another point of failure,” explained Leonard Hendricks, director of marketing at TELUS.

“We can’t afford to have our core network compromised in any way. So we didn’t want to introduce any more problems in that regard.”

An in-line approach also doesn’t have a strong survival rate against DoS hits.

“If you’re in-line in a network, to get packet data, you are relegated to the edge of a network. So any in-line device is just as likely to be overwhelmed by [a DoS] flood,” said Ted Julian, chief strategist at Arbor Networks. “If AT&T, for example, put in-line solutions into its backbone and it fails and it brings down the backbone, that’s a huge problem,” he added.

Instead, Peakflow consists of collectors, devices that sit near routers and pull details about traffic patterns from those routers. The information is then sent to Peakflow controllers, which trace the traffic back to its source or port of entry. Peakflow DoS notifies network operators of any abnormalities in traffic via e-mail, pager, or SNMP alerts. After the controller provides a network profile, it then recommends steps that network admins can take, either through router filters or firewall rules, to stop the anomaly.

Another solution option
Asta Networks’ Vantage System, another outbound solution, also pulls information from Cisco, Foundry System, and Juniper routers. It then recommends ways that IT operators can mitigate DoS floods.

Vantage ships in two fashions: as a hardened network appliance or as a Linux-based application. If an admin has an IDS running on a Linux system, Vantage can run on that same system. It sits outside the data path, not in the network like a firewall, said Steve Pao, Vantage’s VP of marketing.

The problem with outbound solutions, however, is their reliance on routers as their source of data for analysis. So the amount and depth of data is limited, according to Phil London, CEO of Mazu Networks. Plus, they rely on routers to do the filtering, which is “way too coarse,” he said.

“Conventional routers and switches have very rudimentary filtering ability,” London pointed out. “They can filter on source address or destination address. They were never designed to do sophisticated distinction of denial-of-service traffic from legitimate traffic.”

Mazu provides a probe, called the Mazu Enforcer, that looks into every individual packet to analyze network traffic, London pointed out. He said that enterprises deploy it as an active element, in the vicinity of a firewall, where network traffic flows through it. It can also be deployed in a passive configuration so it can monitor fatter pipes for service providers, he added.

A benefit of the in-line system
In-line systems, according to some techies, can give more detailed analysis.

“If it is not in-line, it’s basically [just] a sniffer,” said a network administrator at a leading construction company, who requested anonymity. The company has deployed Captus Networks’ CaptIO operating system.

“It’s a highly modified Linux kernel along with special apps they have on top, acting as a router,” explained the network administrator. “I have four Ethernet ports. Captus reads the headers as they go by instead of sniffing the network,” he notes.

Captus’ technology, called Traffic Limiting Intrusion Detection System (TLIDS), takes action against traffic flows that exceed admin-configured thresholds. TLIDS uses Captus’ Traffic Restriction and Profiling (TraP) technology, which employs a feature of the TCP/IP protocol that enables Captus to first validate whether or not the core network is receiving real traffic from nonspoofed sources, and then take action.

But the network administrator admits that the in-line approach may be more suited to his environment, where he doesn’t have to handle as large a volume of traffic as a service provider.

“I am an end user. I’m never going up to 100 megabits on my wide-area networks. If you’re talking about end users, [an in-line solution is] fine; if you’re talking about ISPs, that’s a different story,” he said.

How pricing may be affecting adoption
Some observers say that the emerging technology has been slow to take off because of pricing. But Arbor Networks’ Julian said that “pricing has never been a major barrier” with customers.

TELUS has deployed four collectors that cost $40,000 apiece and a controller, which costs $80,000.

“So the company can cover an entire backbone for $250,000. That’s cheap,” compared to the cost of deploying security devices, such as multiple firewalls throughout a vast network, added Julian.

Pricing for Asta Networks’ Vantage System ranges from $8,000 to $35,000, depending on the number of routers monitored. Mazu’s Enforcer ranges from $30,000 to $50,000. Captus’ CaptIO network security device ranges from $14,995 to $24,995, depending on connectivity.