Kaspersky to sell experimental DDoS shield

Summary: Security vendor Kaspersky Labs will sell its currently experimental denial-of-service (DoS) attack protection service globally, if it proves successful.

(Shining armour image by Kenny Louie, CC2.0)

The service is being tested in Russia, where DoS attacks are part-and-parcel of doing business, according to senior security engineers from Moscow-based Kaspersky.

The attacks are floods of junk online traffic, often sent by distributed botnets to overwhelm infrastructure until websites become unavailable.

Kaspersky said its system dampens DoS attacks by filtering traffic through powerful servers spread around the world.

"Kaspersky DDoS Prevention collects information about the customer's incoming traffic and filters it in two ways. In the first instance, communication channels and hardware are protected from [DDoS] by redirecting customer traffic through the system of filtration centres connected to the resources of the different providers," Kaspersky spokesperson Yuliya Yudina said.

"This distributes the attack traffic quite considerably and thus helps to avoid overloading the channels that lead to the customer's resources.

"In the second instance, the system generates a model of a customer's average incoming traffic and uses this as the basis upon which to filter out hazardous traffic during an attack … between attacks, the system processes a customer's traffic, collecting statistical data and searching for anomalies."

Both tasks can be performed either locally when a module is installed on a customer's infrastructure, or remotely with traffic passed through system servers. Yudina said traffic remains unaffected.
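The baseline-then-filter approach described in the quote above, reduced to a small per-interval model as an added illustration; this is constructed example code, not Kaspersky's implementation or a description of it. The packet counts and IP addresses (RFC 5737 documentation ranges) are made up, and the z-score and per-source slack thresholds are assumptions.

```python
"""Model quiet-period traffic, then use the model to separate flood sources from regulars."""
from statistics import mean, pstdev

# Constructed per-interval packet counts by source IP, captured while no attack is under way.
QUIET_INTERVALS = [
    {"203.0.113.5": 40, "198.51.100.7": 35, "192.0.2.9": 25},  # total 100
    {"203.0.113.5": 45, "198.51.100.7": 35, "192.0.2.9": 30},  # total 110
    {"203.0.113.5": 35, "198.51.100.7": 30, "192.0.2.9": 30},  # total 95
    {"203.0.113.5": 40, "198.51.100.7": 40, "192.0.2.9": 25},  # total 105
    {"203.0.113.5": 38, "198.51.100.7": 32, "192.0.2.9": 30},  # total 100
    {"203.0.113.5": 30, "198.51.100.7": 30, "192.0.2.9": 30},  # total 90
]
# Constructed intervals seen later: one ordinary, one with two high-rate sources added.
NORMAL_INTERVAL = {"203.0.113.5": 41, "198.51.100.7": 36, "192.0.2.9": 31}
ATTACK_INTERVAL = {"203.0.113.5": 38, "198.51.100.7": 33, "192.0.2.77": 500, "192.0.2.78": 420}


def build_baseline(quiet_intervals):
    """Summarise the quiet period: typical total volume and the busiest single source seen."""
    totals = [sum(interval.values()) for interval in quiet_intervals]
    per_source_peak = max(n for interval in quiet_intervals for n in interval.values())
    return {"mean": mean(totals), "stdev": pstdev(totals), "per_source_peak": per_source_peak}


def filter_interval(baseline, interval, z=3.0, slack=2.0):
    """Return (is_attack, allowed, dropped) for one interval of observed traffic.

    The interval is an anomaly when its total exceeds mean + z * stdev of the quiet
    period (z is an assumed threshold). Only then does filtering kick in: sources
    sending more than `slack` times the quiet-period per-source peak are dropped,
    everything else passes untouched, so ordinary visitors are not collateral damage.
    """
    total = sum(interval.values())
    if total <= baseline["mean"] + z * baseline["stdev"]:
        return False, dict(interval), {}
    ceiling = slack * baseline["per_source_peak"]
    allowed = {ip: n for ip, n in interval.items() if n <= ceiling}
    dropped = {ip: n for ip, n in interval.items() if n > ceiling}
    return True, allowed, dropped


if __name__ == "__main__":
    model = build_baseline(QUIET_INTERVALS)
    for label, interval in (("normal", NORMAL_INTERVAL), ("attack", ATTACK_INTERVAL)):
        is_attack, allowed, dropped = filter_interval(model, interval)
        print(f"{label}: attack={is_attack} allowed={sorted(allowed)} dropped={sorted(dropped)}")
```

A flood spread thinly across thousands of sources would stay under the per-source ceiling and pass this filter, which is why the first mechanism in the quote, spreading the load across many filtration centres, is still needed alongside the model.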

She said the service introduced as an experimental product in Russia in June is expected to be launched across the Eastern Europe Commonwealth of Independent States in about six months and will find its way into Europe sometime later.

While launching a DoS attack can be done with limited computer literacy, defending a target isn't easy, especially when online presence is important.

The Internet Protocol (IP) addresses of attacking user computers can be blocked, and attackers can theoretically be identified, but it can be difficult to distinguish assailants from legitimate visitors.

Kaspersky chief operating officer Eugene Buyakin said the experimental service is doing well.

"The service is still experimental but it is successful so far," Buyakin said. "If it [remains] successful, we will make it available to the world."

A number of other DoS defence techniques exist, some of which edge into legal grey areas.

Tarpitting is a TCP/IP configuration in which packets from an attacker's IP address remain unacknowledged, forcing them into a resend loop. Not only does this reduce traffic by a bigger margin than simply dropping packets, but it spikes the CPU load on the attacker's machine as it is forced to resend packets.

A simple alternative is to block traffic from a specific country provided the DoS attack is nation-based and legitimate visitors do not typically come from the nation.

Industry sources have long admitted (although not publicly) to using offensive counter-attacks in order to disable offending machines, but doing so is considered a criminal offence.

Upstream providers Pacific Internet and Internode cut off a DDoS attack against broadband site Whirlpool in June by blocking the offending IP addresses.

Bulletproof Networks chief operating officer Lorenzo Modesto, who hosts the site, said the move was only a small part of a larger staged mitigation strategy that it ramped up as the attacks continued.

"Bulletproof augmented the upstream blocking by implementing international reverse proxies using global DNS (Domain Name Service) across our content distribution network in the UK and US, allowing many times greater scale and the ability to change the target of the traffic," Modesto said.

"This is a service that we've delivered globally for campaigns like Movember.com for several years."

Korea's Computer Emergency Response Team had gone as far as migrating business under DoS attack to new IP addresses, a move which would potentially make a website more difficult for customers to find, but one that could help mitigate the traffic load.

Darren Pauli travelled to Hong Kong as a guest of Kaspersky.

Darren Pauli

About Darren Pauli

Darren Pauli has been writing about technology for almost five years. He covers a gamut of news with a special focus on security, keeping readers informed about the world of cyber criminals and the safety measures needed to thwart them.

1 comment
  • Regarding tarpitting, wouldn't dropping packets from an IP address also prevent ACKs? It's my experience that tarpitting is used to refer to slowing the attacker down, and preferably to using more resources than the defender, for each connection. I think you likely meant something else.

    Additionally, regarding Korea's CERT, it's a common tactic to change IP addresses during a DoS and to monitor DNS traffic and attack traffic to see if they're attacking your IP address or your name. One may be able to redirect an attack. The site will either be available or not, but not harder to find, unless your customers are using the IP address instead of the DNS name.

    It basically sounds like the service will be acting as a content delivery network, which can help weather a DoS attack, but it also adds more resources, so one would expect to be able to handle more traffic, malicious or otherwise. Add in some logic to do traffic profiling to enable countermeasures aimed at messing with the DoS attacker's methods and it certainly could be offered at a lower rate than just throwing bandwidth at the problem. However, the content will still need to be hosted on the CDN, or the customer's router could simply be targeted. It's not going to be any easier to implement than a CDN, if that's the case.
    Mark D. Adams