Weapons emerge to fend off DDoS attacks

Mazu Networks Inc., which makes equipment to stop distributed denial-of-service attacks, last week said it has added a way to determine what legitimate traffic is being filtered out in the process.

Typically, the legitimate traffic filtered out by Mazu’s distributed DoS Enforcer boxes during a massive attack wouldn’t be more than 5 per cent of the overall incoming traffic, but customers have sought more detailed information on any legitimate traffic that gets set aside.

“Filtering is a dramatic step for an operator to take,” says Phil London, Mazu’s CEO.

“So we’ve added the capability to provide detailed assessment of what applying a filter to traffic might mean,” he adds.

Mazu also has added a way to filter out attacks with dangerous payloads, such as the Nimda and Code Red viruses, which attempt to install a Trojan horse during the course of scanning attacks.

The new capabilities are available as free upgrades to, or with new purchases of, Mazu’s US$35,000 distributed DoS Enforcer 300 for corporations and US$125,000 distributed DoS Enforcer 10000 for service providers.

The Mazu upgrades are the latest in a slew of new vendor offerings aimed at safeguarding customers’ networks and data.

McAfee Security, a division of Network Associates Inc., has been pressed by customers of its antivirus products to better counter computer worms that infiltrate servers and desktops by exploiting vulnerabilities in unpatched systems.

The company this week unveils McAfee ThreatScan, a tool for desktops and servers to probe for 250 types of vulnerabilities in Microsoft NT/2000/XP and in AIX, FreeBSD, Linux, OpenBSD and Solaris. The ThreatScan software agents, which can be managed via McAfee’s ePolicy Orchestrator console, cost less than US$22 per node for a 250-node account.

The McAfee product is aimed at antivirus administrators and is less comprehensive than offerings such as Internet Security Systems’ Internet Scanner, which would look for more than one thousand known vulnerabilities, says Candace Worley, product manager for McAfee Security. “The tool was developed to meet those customers’ requests to find out what they don’t know,” she says.

Behaviour Blockers

Other vendors, such as Sanctum, take an approach to network security called behaviour blocking. Their offerings attempt to prevent attacks on servers and desktops by restricting the sort of unauthorized activity that a worm typically might try, such as changing registries.

Sanctum this week unveils AppShield 4.0, the latest version of its application-security proxy software.

This offering sits in a device in front of a Web site to prevent hackers from using buffer overflows or other tricks to exploit weaknesses that may exist in Web-based applications.

For each Web page passing through it, AppShield compares what a user tries to do with predefined rules for logon, data transfer and use of ActiveX and Java. “Customers that had AppShield didn’t get Nimda and Code Red,” says Sanctum CEO Peggy Weigle.

According to Weigle, AppShield 4.0 includes a way to hide details about the internal URL mapping of a Web site and includes security templates that can be set to “basic,” “intermediate” or “strict” in terms of behaviour-based controls. The templates offer an alternative to having to set complex configuration controls.

“Basic is to prevent defacement, for example,” she says, adding that security professionals need to determine the trade-offs in using the strict setting vs. allowing more user flexibility. “Out of 25 customers testing this new feature, most choose to use the intermediate setting.”

AppShield 4.0, which costs US$15,000 per server for Win NT/2000 or Solaris, now also filters Web pages more quickly – 3 msec as opposed to the previous version’s 10 msec.

Mazu can be reached at http://www.mazunetworks.com

McAfee is at http://www.mcafeeb2b.com

Sanctum is at http://www.sanctuminc.com