In the battle to stop Distributed Denial of Service (DDoS) attacks, a flood of new products has been offered recently. Many of these products offer a faster response to DoS attacks, but few promise to actually stop them. Cambridge, Massachusetts-based start-up Mazu Networks, however, unveiled a product Monday that, if the company's claims are to be believed, does just that.
The product is the TrafficMaster line of anti-DDoS devices, a series of 1U (1.75-inch-tall) devices that are installed as deep into a network as possible. Mazu is targeting the service provider, data center and enterprise markets, the very areas of the network where stopping attacks is likely to have the most effect.
DoS attacks are attacks in which the target system is flooded with false requests for service, thus denying legitimate users access; such attacks using more than one computer are called Distributed Denial of Service attacks, or DDoS.
These attacks are not always as simple to stop as keeping a single site from being taken offline, according to Christine Washburn, the vice president of marketing at Mazu. If a company's servers are located in a third-party data center, not only might the target company be knocked offline, so might other companies in the data center. So, being able to pinpoint and stop attacks, as Mazu says its system can, is crucial, she said.
"The key issues (in this area) are really availability and uptime," she said.
Mazu's first product, the TrafficMaster Inspector for DDoS, is a passive monitoring device based on IBM Corp. NetFinity hardware that does not sit in the data path, and therefore does not cause any potential performance or reliability problems in a network, Washburn said. The TrafficMaster Inspector performs anomaly-based detection, determining whether an attack is in progress by comparing current traffic to a baseline obtained by studying the network. Such a baseline is generally prepared within 24 hours of installing the device, she said. The longer the device is installed on the network, the better the baseline it develops, making the system smarter, she said.
Additionally, thanks to a feature called provision monitoring, TrafficMaster Inspector allows administrators to easily isolate the specific application or customer under attack rather than requiring multiple devices or long downtimes, according to the company.
Anomaly detection allows Mazu devices to identify bad packets and anomalous or attack traffic and alert administrators quickly, Washburn said. Administrators are able to take action to remove packets or fight the attack after they are notified of anomalies in the network by e-mail or pager, she said.
While the TrafficMaster Inspector helps identify DDoS attacks, it can also be useful in billing disputes, Washburn said. If a service provider is billing customers based on the amount of bandwidth they use, an anti-DDoS product could help keep a customer from seeing huge bandwidth charges at the end of a month in which their facilities might have been used in a DoS attack, she said.
One TrafficMaster is generally enough to support 100 customers in a data center or service provider environment, though more customers would likely require more devices, Washburn said.
One customer who is very pleased with the TrafficMaster Inspector is Tony Gauvin, the vice president of software and operations for ElephantX.com, an online stock trading and financial services firm. ElephantX has been using the Mazu product for more than six months.
ElephantX uses TrafficMaster Inspector to profile its network traffic as it is "a good filter for looking for abnormalities," Gauvin said. Such a product is crucial for a company which is "very reliant on unencumbered data," as its customers are driven by transaction speed and response time, Gauvin said.
Gauvin hopes to see more companies adopt Mazu's products to fight DDoS attacks, because "for any DoS defense mechanism, there has to be a community response." He would like to see ISPs and carriers adopt such technology as well, as DDoS attacks are among the most difficult and troubling kinds of attacks, he said.
The TrafficMaster Inspector is immediately available worldwide and costs US$100,000 in a typical data center configuration.
While the Inspector is the only Mazu product available immediately, it is not the only product the company will be releasing this summer. Mazu will also be unveiling a second component for its suite, the TrafficMaster Enforcer for DDoS. Unlike the Inspector, which is only a passive monitoring device, the Enforcer will actually allow customers to stop DDoS attacks with filters based on packet type, payload, protocol or other factors, the company said.
Though Washburn said the Enforcer is ready to ship immediately, Mazu is holding it until later in the summer because "typically, most customers want to be very comfortable with the Inspector first (before they install a second device)."
Mazu also offers what it calls its NOC server, a $20,000 device that allows collaboration among a number of data centers all using the Inspector and aggregates the data drawn from the Inspector to give a picture of all of a company's locations, not just one.
Despite Mazu's focus on hardware and security, the company may eventually grow beyond those bounds, Washburn said. Customers are responding to the packet inspecting and traffic management technology that underlies TrafficMaster and are asking Mazu for different kinds of services, she said, including bandwidth billing services and capacity planning.
The company's technology "may become a traffic engineering platform (with) the first application (being) DDoS," she said, adding, "there are lots of other bandwidth and traffic issues that we're in a good position to solve."