Kaspersky to sell experimental DDoS shield

Security vendor Kaspersky Labs will sell its currently experimental denial-of-service (DoS) attack protection service globally, if it proves successful.
Written by Darren Pauli, Contributor

Security vendor Kaspersky Labs will sell its currently experimental denial-of-service (DoS) attack protection service globally, if it proves successful.


(Shining armour image by Kenny Louie, CC2.0)

The service is being tested in Russia, where DoS attacks are part-and-parcel of doing business, according to senior security engineers from Moscow-based Kaspersky.

The attacks are floods of junk online traffic, often sent by distributed botnets to overwhelm infrastructure until websites become unavailable.

Kaspersky said its system dampens DoS attacks by filtering traffic through powerful servers spread around the world.

"Kaspersky DDoS Prevention collects information about the customer's incoming traffic and filters it in two ways. In the first instance, communication channels and hardware are protected from [DDoS] by redirecting customer traffic through the system of filtration centres connected to the resources of the different providers," Kaspersky spokesperson Yuliya Yudina said.

"This distributes the attack traffic quite considerably and thus helps to avoid overloading the channels that lead to the customer's resources.

"In the second instance, the system generates a model of a customer's average incoming traffic and uses this as the basis upon which to filter out hazardous traffic during an attack … between attacks, the system processes a customer's traffic, collecting statistical data and searching for anomalies."

Both tasks can be performed either locally when a module is installed on a customer's infrastructure, or remotely with traffic passed through system servers. Yudina said traffic remains unaffected.

She said the service introduced as an experimental product in Russia in June is expected to be launched across the Eastern Europe Commonwealth of Independent States in about six months and will find its way into Europe sometime later.

While launching a DoS attack can be done with limited computer literacy, defending a target isn't easy, especially when online presence is important.

The Internet Protocol (IP) addresses, or user computers, can be blocked, and attackers can theoretically be identified, but it can be difficult to determine assailants from legitimate visitors.

Kaspersky Chief operating officer Eugene Buyakin said the experimental service is doing well.

"The service is still experimental but it is successful so far," Buyakin said. "If it [remains] successful, we will make it available to the world."

A number of other DoS defence techniques exist, some of which edge into legal grey areas.

Tarpitting is a TCP/IP configuration in which packets from an attackers' IP address remain unacknowledged, forcing them into a resend loop. Not only does this reduce traffic by a bigger margin than by simply dropping packets, but it spikes the CPU load on the attacker's machine as it is forced to resend packets.

A simple alternative is to block traffic from a specific country provided the DoS attack is nation-based and legitimate visitors do not typically come from the nation.

Industry sources have long admitted (although not publicly) to using offensive counter-attacks in order to disable offending machines, but doing so is considered a criminal offence.

Upstream providers Pacific Internet and Internode cut off a DDoS attack against broadband site Whirlpool in June blocking the offending IP addresses.

Bulletproof Networks chief operating officer Lorenzo Modesto, who hosts the site, said the move was only a small part of a larger staged mitigation strategy that it ramped up as the attacks continued.

"Bulletproof augmented the upstream blocking by implementing international reverse proxies using global DNS (Domain Name Service) across our content distribution network in the UK and US, allowing many times greater scale and the ability to change the target of the traffic," Modesto said.

"This is a service that we've delivered globally for campaigns like Movember.com for several years."

Korea's Computer Emergency Response Team had gone as far as migrating business under DoS attack to new IP addresses, a move which would potentially make a website more difficult for customers to find, but one that could help mitigate the traffic load.

Darren Pauli travelled to Hong Kong as a guest of Kaspersky.

Editorial standards