Four security vendors Tuesday announced an agreement to share research on how viruses like Code Red are built and how networks react when they are infected.
McAfee, a division of Network Associates Inc. in Santa Clara, California, said it has an informal agreement with Arbor Networks Inc. in Waltham, Massachusetts, Asta Networks Inc. in Seattle and Mazu Networks Inc. in Cambridge, Massachusetts. All four will immediately begin to share general research to help prevent distributed denial-of-service (DDOS) attacks. McAfee spokesman Tony Thompson said customers could see improvements in security products as soon as six months from now.
Thompson said the agreement allows security vendors on both sides of zombie viruses, like the still-present Code Red, to share expertise. Zombies infect Web servers, then use those servers to attack other Web servers by sending out more requests than the server can handle -- a DDOS attack.
Mazu, Asta and Arbor know how networks behave once they are infected, while McAfee understands virus architecture and how viruses function, Thompson said.
"This consolidated effort between McAfee, Arbor, Asta and Mazu will provide a new solution that will not only identify when networks are under attack, but also whether systems are unknowingly participating in attacks against other sites," the McAfee statement said. "The new threat management solution will not only monitor for anomalous traffic entering the network, but also detect the presence of zombies within the network."
The research isn't meant to be shared in response to a specific incident, like a new worm, Thompson said. "I think it's a little bit broader."
"If the alliance is able to come up with a set of products and services that have a significant impact on DDOS attacks, I think that would be great," said Ryan Russell, an analyst at SecurityFocus, a San Mateo-based company providing security intelligence services for business.
"It would require a deep level of cooperation with one's [Internet service provider] or hosting company," he said. "Most ISPs wouldn't be willing to allow customers to have that level of control or interaction with their networks, but perhaps that will be a way for an ISP to differentiate [itself]."
Russell said it would be difficult, but not impossible, to successfully block a DDOS attack.
"In order to mitigate a well-executed DDOS attack, the blocking device would have to be deployed at the edges of the ISP's network, and that ISP would have to have very high-speed peering arrangements with other ISPs," Russell said. "If the DDOS traffic succeeds in using up the end customer's bandwidth, then it has already succeeded. It must be blocked further up the stream, and the ISP has to be able to tolerate the extra traffic, without the ISP [itself] getting blown off the Internet.
"If aspects of that preventative technology can be used to help classify the DDOS traffic, then that helps with the DDOS blocking," he said. "If you can do a good job of classification, and you've got the blocking devices deployed at the right places, then you've got a fighting chance of keeping the DDOS from shutting you down."
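The McAfee statement describes two monitoring directions (anomalous traffic entering the network, and zombies inside it), and Russell's closing remarks turn on classifying DDOS traffic well enough to block it upstream. The following is an added illustration, written for this page and not code from McAfee, Arbor, Asta, Mazu or SecurityFocus: a small flow-log analyser that flags inbound packet-rate spikes against a per-host baseline and flags internal hosts that open an abnormal number of connections to one external target. The flow record layout, the 10.0.0.0/8 internal range, the thresholds and the sample traffic are all constructed assumptions.

```python
"""Added example, not from the article or the vendors it names.

Two checks over simplified flow records (second, src, dst, dport, packets):
  1. inbound_anomalies():  inbound packets/sec to an internal host far above
     that host's own baseline (the "anomalous traffic entering the network").
  2. internal_zombies():   an internal host opening many flows to a single
     external (dst, port) inside a short window (a "zombie within the network").
Record format, thresholds, address ranges and sample data are all constructed.
"""
import ipaddress
from collections import Counter, defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range


def is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL


def inbound_packets_per_second(flows):
    """Map each internal destination to a Counter of {second: packets} for
    traffic arriving from outside the internal range."""
    pps = defaultdict(Counter)
    for sec, src, dst, dport, pkts in flows:
        if not is_internal(src) and is_internal(dst):
            pps[dst][sec] += pkts
    return pps


def inbound_anomalies(flows, baseline_seconds=60, factor=10.0, min_pps=100):
    """Return (host, second, pps) for every second after the baseline period in
    which inbound pps is at least `factor` times the host's baseline average
    (and at least `min_pps`, so quiet hosts do not alert on tiny bursts)."""
    alerts = []
    for dst, series in inbound_packets_per_second(flows).items():
        baseline = max(sum(series[s] for s in range(baseline_seconds)) / baseline_seconds, 1.0)
        threshold = max(min_pps, factor * baseline)
        for sec in sorted(series):
            if sec >= baseline_seconds and series[sec] >= threshold:
                alerts.append((dst, sec, series[sec]))
    return alerts


def internal_zombies(flows, window=60, max_flows_to_one_target=100):
    """Return {internal_src: (dst, dport, flows_in_window)} for internal hosts
    that open more than `max_flows_to_one_target` flows to one external
    (dst, dport) within any `window`-second span. Uses a sliding window over
    the sorted flow timestamps."""
    per_pair = defaultdict(list)
    for sec, src, dst, dport, pkts in flows:
        if is_internal(src) and not is_internal(dst):
            per_pair[(src, dst, dport)].append(sec)
    suspects = {}
    for (src, dst, dport), secs in per_pair.items():
        secs.sort()
        lo, best = 0, 0
        for hi in range(len(secs)):
            while secs[hi] - secs[lo] >= window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best > max_flows_to_one_target and best > suspects.get(src, ("", 0, 0))[2]:
            suspects[src] = (dst, dport, best)
    return suspects


def build_sample_flows():
    """Constructed traffic: steady background, an inbound flood against
    10.0.0.5:80 during seconds 90-95, and an internal host 10.0.3.9 hammering
    one external web server during seconds 100-109."""
    flows = []
    for sec in range(120):
        for i in range(5):  # 5 external clients, 10 packets each -> 50 pps baseline
            flows.append((sec, f"198.51.100.{i + 1}", "10.0.0.5", 80, 10))
        flows.append((sec, "10.0.1.2", "203.0.113.7", 80, 8))  # ordinary outbound browsing
    for sec in range(90, 96):  # flood: 200 sources x 20 packets -> +4000 pps
        for i in range(200):
            flows.append((sec, f"192.0.2.{i % 254 + 1}", "10.0.0.5", 80, 20))
    for sec in range(100, 110):  # zombie: 30 new flows/sec to one target
        for _ in range(30):
            flows.append((sec, "10.0.3.9", "203.0.113.7", 80, 6))
    return flows


if __name__ == "__main__":
    sample = build_sample_flows()
    for host, sec, pps in inbound_anomalies(sample):
        print(f"inbound spike: {host} at t={sec}s, {pps} pps")
    for src, (dst, dport, n) in internal_zombies(sample).items():
        print(f"possible zombie: {src} -> {dst}:{dport}, {n} flows in one window")
```

The baseline is deliberately per host rather than global, so a busy web server and a quiet workstation get different thresholds. The zombie check ignores packet volume and counts flows, because a compromised host sending many small requests to one victim looks unremarkable by bandwidth alone; the ordinary browsing host 10.0.1.2 stays well under the flow threshold while 10.0.3.9 is flagged.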