McAfee has become the first hardware vendor to use a new technique it claims can reliably protect companies from the lurking threat of botnet-launched distributed-denial-of-service (DDoS) attacks.
Unlike conventional DDoS detection systems based on the statistical analysis of traffic, the first layer of the new Advanced Botnet Protection (ABP) intrusion prevention system (IPS) uses a proxy to pass or block packet traffic dependent on whether or not it is "complete".
DDoS attacks typically use armies of hijacked PCs to target a server or WAN link with large amounts of incomplete SYN packets from false addresses, which are difficult to stop if the system cannot separate them from legitimate traffic or identify the source.
Many IPS systems also tend to track connection attempts, something which itself can be overwhelmed if specifically targeted by an attacker. An attack of this sophistication -- flooding servers with non-legitimate "ACK" or acknowledgement packets generated in response to SYN traffic -- is dealt with by the ABP using an established encryption scheme from the Linux world known as "SYN cookies".
"The (DDoS) traffic looks exactly like legitimate traffic to the task of detecting it is extremely difficult," confirmed McAfee's EMEA product line executive John Parker. Customers were also reluctant to use DDoS defense systems that resulted in false positives, as this cut off legitimate traffic.
The key was to detect that a botnet DDoS was at work and block it as soon as possible. Once a servers SYN queue had filled up, the attack would have succeeded, something that could happen more rapidly than an administrator could respond.
The new module was rolled out in December as a free software upgrade to all subscription customers of the IntruShield intrusion prevention appliances, Parker said.
The upgrade will work with all IntruShield products going back to the appearance of the product after the base technology was acquired when McAfee bought a company called Introvert.