Protecting The Enterprise Against The Looming DDoS Threat
While a series of high-profile DDoS attacks hit the headlines last year -- including a notable one against the social networking service Twitter -- the full scope of the threat to most networks may not yet have been fully revealed.
According to a report released at the end of last month by the Center for Strategic & International Studies, commissioned by security software company McAfee, a significant number of enterprises have been hit by such an attack in recent quarters.
The CSIS study included surveys of 600 information technology executives from "critical infrastructure enterprises" across 14 countries. According to the report issued by CSIS, 29 percent of IT executives surveyed "reported suffering large-scale DDoS attacks multiple times each month, and nearly two-thirds (64 percent) of those said such attacks 'impacted operations in some way.'"
The "some way" can range from inaccessible Web sites to the shutting down of an enterprise's e-mail to VoIP and more areas of IT.
DDoS attacks work by synchronizing large groups of computers -- often without their owners' knowledge -- to unleash repeated attempts to access a network or Web site; the burst of heavy traffic continues until legitimate traffic can no longer get through or the networks themselves grind to a halt. Often the attacks are the result of a botnet being unleashed on dozens, hundreds or thousands of PCs in many different geographic locations, making it difficult to pinpoint the exact origin of an attack.
The fact that botnets have become a tool of choice for launching DDoS attacks doesn't bode well. Security experts have described botnets and botnet tools as readily available, for a price, from malware creators and providers.
The CRN Test Center has evaluated a number of security products and technologies over the past year, but perhaps the most effective we've seen of late at fighting DDoS attacks has been from startup RioRey. In particular, the Test Center examined RioRey's RE510 appliance. The RE510 uses algorithms to detect differences between "good traffic" generated by real people and "bad traffic" in the form of a DDoS attack coming from, say, a botnet. RioRey has designed its system to examine all TCP/IP traffic to perform its analysis and isn't dependent on deep packet inspection.
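The two paragraphs above describe the problem (many machines flooding a target so that legitimate traffic cannot get through) and the general shape of the defense (constant traffic analysis that separates "good traffic" from "bad traffic" without relying on deep packet inspection). The following is an added example, not code from the original article and not RioRey's algorithm; it uses constructed flow records and hypothetical thresholds (`per_source_limit`, `baseline_multiplier`, `min_sources`) to show why a detector needs two different signals: a single host far above the norm, and, for the distributed case, an aggregate rate far above a learned baseline spread across many sources that each stay under any per-host limit.

```python
"""Toy volumetric-DDoS detector over constructed flow records (added example).

Per one-second window it computes two signals:
  * per-source rate: one host alone sends far more than any normal client
    (a classic single-source flood)
  * aggregate rate versus a baseline, together with the number of distinct
    sources: a botnet where every bot stays under the per-source limit but
    the sum overwhelms the service (the distributed case)
Only packet/flow metadata (time, source, port) is used; no payload inspection.
"""
from collections import Counter, defaultdict
from statistics import mean


def build_sample() -> str:
    """Constructed flow records, one line per request: 'second src_ip dst_port'.

    Seconds 0-6: five legitimate clients, four requests each (20 req/s).
    Second 5 adds one host sending 200 requests (single-source flood).
    Second 6 adds 120 distinct hosts sending 2 requests each (distributed flood).
    """
    lines = []
    background = [f"192.0.2.{i}" for i in range(1, 6)]  # documentation range, constructed
    for sec in range(7):
        for src in background:
            lines.extend(f"{sec} {src} 443" for _ in range(4))
    lines.extend("5 198.51.100.7 443" for _ in range(200))
    for i in range(120):
        lines.extend(f"6 203.0.113.{i} 443" for _ in range(2))
    return "\n".join(lines)


def parse_flows(text: str):
    """Parse 'second src_ip dst_port' lines into (second, src, port) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sec, src, port = line.split()
        records.append((int(sec), src, int(port)))
    return records


def bucket_by_second(records):
    """Map each second to a Counter of requests per source address."""
    buckets = defaultdict(Counter)
    for sec, src, _port in records:
        buckets[sec][src] += 1
    return buckets


def detect_ddos(records, per_source_limit=50, baseline_multiplier=5,
                min_sources=50, training_seconds=range(0, 5)):
    """Return a list of alert dicts, one per (second, kind) that trips a rule.

    The baseline aggregate rate is learned from `training_seconds`, which are
    assumed (hypothetically) to contain only legitimate traffic.
    """
    buckets = bucket_by_second(records)
    training = [sum(buckets[s].values()) for s in training_seconds if s in buckets]
    if not training:
        raise ValueError("no training windows present in the records")
    baseline = mean(training)

    alerts = []
    for sec in sorted(buckets):
        counts = buckets[sec]
        # Signal 1: any single source far above what a real client would send.
        floods = sorted(src for src, n in counts.items() if n > per_source_limit)
        if floods:
            alerts.append({"second": sec, "kind": "single_source_flood",
                           "sources": floods})
        # Signal 2: after removing obvious floods, is the remaining volume still
        # far above baseline and spread over many sources? That is the botnet
        # pattern a per-host limit alone would miss.
        remaining = sum(n for src, n in counts.items() if src not in floods)
        distinct = len(counts) - len(floods)
        if remaining > baseline_multiplier * baseline and distinct >= min_sources:
            alerts.append({"second": sec, "kind": "distributed_flood",
                           "requests": remaining, "distinct_sources": distinct})
    return alerts


if __name__ == "__main__":
    for alert in detect_ddos(parse_flows(build_sample())):
        print(alert)
```

On the constructed sample the baseline is 20 requests per second; second 5 trips only the per-source rule (one host at 200), while second 6 trips only the distributed rule (260 requests over 125 sources, none above 50). The point for a defender is that both checks are needed, and that the second one depends on a trustworthy baseline, which is why the article's "constant network traffic analysis" matters before an attack rather than only during one.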
An RE510, with 150K pps of throughput, can filter traffic in one direction and is list-priced at $6,200. It's the one product we've examined in the Test Center that can effectively counter a harsh DDoS attack. RioRey's product line scales up to appliances that filter traffic in two directions, with throughput of as much as 550K pps and pricing in the six-figure range.
The research provided by CSIS indicates almost all sectors have reported DDoS attacks with "the least victimized sectors for this kind of attack water/sewage, where only 43 percent reported them, and transportation (50 percent.)"
The bottom line: RioRey has a clear field, at this stage, in providing a wide array of tools and products to compete against the growing and widening threat of distributed denial of service attacks. Best practices (including constant network traffic analysis) will need to grow and adapt as these attacks become both more frequent and more malicious, and other IT providers will need to consider what they can bring to the table to help combat DDoS. We liked the RioRey RE510 and think the company is off to a strong start. Unfortunately, so are the DDoS attackers.