Advanced protection

TippingPoint targets denial-of-service attacks with new security appliance

Officials at TippingPoint Technologies Inc. have released a new intrusion-prevention system that includes advanced protection against denial-of-service attacks.

UnityOne-100E, the latest addition to the security company's line of intrusion-prevention systems, performs at 100 megabits/sec.

"Denial-of-service is one of the most important [type of attacks] people are trying to protect against," said Andy Salo, director of product management at TippingPoint. More tools and weapons are available to hackers, enabling them to launch more sophisticated and disruptive attacks, he said.

UnityOne systems use statistical traffic anomaly and protocol anomaly protection methods. The systems are updated with the latest vulnerability protection through the company's Digital Vaccine service. All UnityOne systems come with standard denial-of-service protection, which uses threshold filters to block or choke network traffic that goes beyond a defined percentage of normal traffic.

Users welcome any functionality that enhances the UnityOne product line. Security analysts at Los Alamos National Laboratory use several UnityOne-2400 appliances, which perform at 2 gigabits/sec, to monitor network traffic, said Susan Coulter, a network security analyst at the lab.

The appliances were instrumental in blocking the Sasser worm in May from spreading throughout the lab's network, she said, adding that UnityOne is incredibly intelligent and its filters have enabled lab workers to reduce false alarms. "It's an important tool in our toolbox," she said.

TippingPoint's advanced denial-of-service protection blocks attacks known as SYN floods, established connection floods and connections-per-second floods. SYN flood attacks overwhelm servers with connection requests from invalid sources. During an established connection flood, an attacker takes control of many computers and directs them to establish connections to a server. During a connections-per-second flood attack, a server is overburdened with a high rate of connections from seemingly valid sources.

TippingPoint's standard denial-of-service protection includes protection against buffer overflow exploits, in which single-packet attacks crash a service or operating system; Zombie drafts, which plant malicious code on infected systems; distributed denial-of-service attacks; and packet floods, which consume network bandwidth or resources.
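To make the threshold-filter idea from the paragraphs above concrete, here is an added example that is not TippingPoint's code: it learns a per-second baseline from normal traffic, flags any counter that exceeds the baseline by a defined percentage, and maps the result onto the three flood types the article lists. The counters, the sample values and the 50 percent threshold are assumptions.

```python
from statistics import mean

# Constructed per-second counters for one network segment (sample values,
# not measurements from any real device): SYNs received, handshakes
# completed, and connections concurrently established.
BASELINE = [  # five seconds of normal traffic used to learn the baseline
    {"syn": 100, "completed": 98, "established": 1000},
    {"syn": 110, "completed": 107, "established": 1020},
    {"syn": 95, "completed": 94, "established": 990},
    {"syn": 105, "completed": 103, "established": 1010},
    {"syn": 100, "completed": 99, "established": 1005},
]
LIVE = [  # later seconds, each built to show one condition
    {"syn": 102, "completed": 100, "established": 1008},   # normal
    {"syn": 9000, "completed": 105, "established": 1010},  # SYNs, no handshakes
    {"syn": 800, "completed": 790, "established": 1100},   # many real handshakes
    {"syn": 120, "completed": 118, "established": 5200},   # many open connections
]

def learn_baseline(window):
    """Average each counter over a window of normal traffic."""
    return {k: mean(s[k] for s in window) for k in window[0]}

def threshold_filter(sample, baseline, pct=50):
    """Return the counters exceeding the baseline by more than pct percent.
    Traffic beyond a defined percentage of normal is what a threshold
    filter flags here (and would block or choke on an inline device)."""
    limit = 1 + pct / 100
    return {k for k, v in sample.items() if v > baseline[k] * limit}

def classify(sample, baseline, pct=50):
    """Map the exceeded counters onto the flood types named in the article."""
    over = threshold_filter(sample, baseline, pct)
    if "syn" in over and "completed" not in over:
        return "syn-flood"  # SYNs far above normal, handshakes not completing
    if "completed" in over:
        return "connections-per-second-flood"  # high rate of valid-looking connects
    if "established" in over:
        return "established-connection-flood"  # too many connections held open
    return "normal"

def run():
    base = learn_baseline(BASELINE)
    return [classify(s, base) for s in LIVE]

if __name__ == "__main__":
    print(run())
```

A real filter would also need the baseline to be refreshed over time, since a fixed baseline drifts away from normal traffic as the network changes.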

Officials at Arbor Networks Inc. and Mazu Networks Inc. have been tackling denial-of-service attacks for several years. Products from these companies can detect attacks, but they don't have enforcement capabilities, Salo said.

Arbor's products detect attacks and notify network routers to install access control list filters to block certain IP ranges, Salo said. TippingPoint's product not only detects but can also block attacks, he added.

However, Greg Young, research director for security and privacy at Gartner Inc., said TippingPoint, Arbor and Mazu are in different product classes. TippingPoint's UnityOne is an intrusion-prevention system that works inline on a single network segment. "Arbor and Mazu are more on the network behavior and anomaly-detection side — looking at the greater network via mirror ports," he said. Both classes of products are in the business of detecting denial-of-service attacks, but they use different approaches, Young added.
