Smart networks to the rescue

TurnTide, a 20-person company based in Conshohocken, Penn., is the latest to take this approach. Last week, the start-up introduced an "antispam router," which it claims can eliminate up to 90 percent of unsolicited messages.

Unlike spam filters--which sit near e-mail servers, examining every e-mail message and quarantining those that look bad--the antispam router looks at the actual packets and determines which ones are likely to have come from a spammer. Using features inherent in the TCP/IP (Transmission Control Protocol/Internet Protocol), it can limit the amount of traffic being sent from these sources.

"It's almost impossible to differentiate spam based on the content of the message," said Peter Christy, co-founder and principal analyst at NetsEdge Research Group. "But normal people don't send out millions of messages. If you're looking at IP source and destination addresses, it's much harder to conceal that you are spammer."

Traditionally, Internet Protocol (IP) networks have been built for "best effort," which means that networking devices are designed to simply pump as much traffic through big pipes of bandwidth as quickly as they can. Ensuring quality of service and implementing security are usually done at the periphery of the network.

But as networks get flooded with millions of unwanted e-mail, peer-to-peer traffic, and denial of service attacks, network operators need tools to control how much traffic comes onto their networks.

"Adding intelligence in the network will cause a lot of these problems to go away," Christy said. "It's much more effective to simply control who gets access to the resources."

The TurnTide router works by using a basic feature of TCP/IP: the "handshake" method. When a packet is sent to a destination, the source waits for a confirmation that the packet has arrived. If the confirmation packet is delayed, the source will stop sending more packets. It will continue sending test packets until it gets a response. Once the handshake has been completed, the source sends the rest of the packets in the stream.

By controlling the confirmation response, TurnTide can limit how much traffic is being sent from a particular source. Because most spam applications are impatient, they will give up and stop trying to send mail after a short period of time. In contrast, legitimate mail servers will continue to send test packets until they get a confirmation. Network administrators can also tune the TurnTide box so that traffic that is known to be from a good source gets a rubber stamp of approval and is allowed to come through without being rate-shaped at all.

"Because we control the resources on the network, there is a real practical limit on how many e-mails a spammer can send," said David Brussin, the chief technology officer at TurnTide. "The spam business is based on volume, so if they can't get millions of messages through, they'll go somewhere else."

The TurnTide method has its drawbacks. Because the device must learn the characteristics of the traffic, it still allows some spam messages to get through the network. Brussin recommends that network operators continue using spam filters to catch this trickle of junk mail. He argues that by reducing the overall amount of spam on the network it will help spam filters work more efficiently, because they have fewer messages to examine.

TurnTide claims to be the first company to take this network approach to fighting spam. But it isn't the first to add intelligence to gear to help protect network resources.

Software-based appliances from companies such as Packeteer and Ellacoya Networks look deep into packets to identify and limit the amount of peer-to-peer traffic on a network. These products are especially useful for cable operators that want to ensure certain users don't hog too much bandwidth.

In addition, Cisco Systems and Juniper Networks have embedded quality-of-service and security features into their routers and switches to help stave off denial-of-service attacks. Such attacks can inundate networks with millions of packets, causing routers and switches to collapse under the burden. Newer start-ups, like Force10 Networks and Quarry Technologies, also claim to have built their IP gear with denial-of-service protection in mind.