After last February’s attacks against Amazon, Yahoo, and eBay caused an estimated cumulative revenue loss of $1.2 billion, many people began thinking about how to protect themselves from Denial of Service attacks.
Three professors and a doctoral candidate at the University of Washington have taken aim at providing a solution. The four computer scientists recently launched Asta Networks, a company aiming to increase the level of security available to networks.
“There is no really effective solution out there today,” says David Wetherall, co-founder and CTO of Asta Networks, “and attacks can literally take you down and keep you out of the game so you cannot conduct your business over the Internet.”
According to the professor, with the current Internet architecture, DoS attackers can easily disrupt the operation of e-commerce, business-to-business and other websites by flooding the network with useless traffic, while at the same time, concealing their identities, making effective responses near impossible.
Asta Networks, who recently closed a $3 million investment round, will be releasing their DoS prevention product in November. While the details of the product cannot be released, according to Wetherall, it will consist of three main functions: a detection system, a localization system and a response system.
Wetherall notes that there are also a number of things network operators can do to protect their sites from being the victim of a DoS attack.
Firewalls, of course, play an important role in preventing attacks, yet they have their own flaws.
“Firewalls are not effective at dealing with denial of service floods where many packets overwhelm the bandwidth to a server, but they are a useful component of a solution,” says Wetherall. “They are much better at getting rid of the single kind of packets that could cause your server to crash.”
There are also a number of best current practices that can help, the first being ingress filtering. This is the practice of checking the validity of source addresses where customer packets enter the network, thereby filtering out spoofed addresses.
“A spoof source address is a bogus address that’s put on the packet. Spoofing is one of the things that makes Denial of Service attacks so difficult to track down,” explains Wetherall.
Another important measure ISPs can take is called ICMP rate limiting. ICMP traffic is the type of traffic responsible for classic DoS attacks, and during normal operation of a network, there should only be a limited amount of such traffic.
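The two practices just described, ingress filtering of spoofed source addresses and ICMP rate limiting, modelled in a small Python example added here (it is not from the article or from Asta Networks' product); the interface names, prefixes and packets are constructed sample data.

```python
import ipaddress

# Constructed sample data (hypothetical interface names, RFC 5737 test ranges):
# the source prefixes that legitimately sit behind each customer-facing interface.
CUSTOMER_PREFIXES = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/25"),
               ipaddress.ip_network("198.51.100.128/25")],
}

def ingress_allowed(interface, src):
    """Ingress filter: src must belong to the prefixes assigned to the interface
    the packet arrived on; any other source is treated as spoofed."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CUSTOMER_PREFIXES.get(interface, []))

class TokenBucket:
    """Token-bucket limiter for ICMP: at most `rate` packets/s, burst of `burst`."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        # refill proportionally to elapsed time, never beyond the burst size
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

def filter_packets(packets, icmp_limit):
    """Apply both checks to (time, interface, src, proto) tuples and return one
    decision per packet: 'forward', 'drop-spoof' or 'drop-icmp-rate'."""
    decisions = []
    for t, iface, src, proto in packets:
        if not ingress_allowed(iface, src):
            decisions.append("drop-spoof")
        elif proto == "icmp" and not icmp_limit.allow(t):
            decisions.append("drop-icmp-rate")
        else:
            decisions.append("forward")
    return decisions

# Constructed traffic: one spoofed source on cust-a, then a burst of five ICMP.
SAMPLE = [(0.0, "cust-a", "192.0.2.10", "tcp"),
          (0.1, "cust-a", "203.0.113.5", "tcp"),  # outside cust-a's prefix
          (0.2, "cust-b", "198.51.100.200", "udp")]
SAMPLE += [(0.3 + i * 0.01, "cust-a", "192.0.2.10", "icmp") for i in range(5)]
```

Calling `filter_packets(SAMPLE, TokenBucket(rate=10, burst=2))` forwards the legitimate packets, drops the spoofed one, and lets only the first two ICMP packets of the burst through.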
According to Wetherall, all of these solutions can be beneficial, yet none of them offer a real solution.