Botnet or human? Black Lotus service sorts them out to block DDoS attacks

  • Tim Greene (Network World)
  • 10 September, 2012 04:29

Black Lotus is pulling the wraps of a distributed denial-of-service-mitigation service that uses behavioral factors to pick up on low-volume botnet attacks that nevertheless can cripple Web servers.

Called Protection for Services, the offering runs customer traffic through proxies that apply human-behavior analysis to discover and temporarily block offending IP addresses, says Black Lotus President Jeff Lyon.

Those IP addresses are blocked for an arbitrary period but not permanently blacklisted, Lyon says. The block list lives in an in-memory cache for the sake of performance, and because that memory is limited, addresses are dropped over time. The expiry is staggered so that blocked addresses are released gradually; dumping them all at once could produce a flood that hurts server performance, he says.

The company competes against Arbor, Prolexic, Staminus and Verisign.

To enable the service, customers redirect the DNS for their Web servers to virtual IP addresses at Black Lotus's operations center in Los Angeles, where the traffic is screened before being proxied on to the customers' actual servers. Black Lotus also caches customers' static Web content, which improves response times much as a content-delivery network would.

By analyzing Layer 7 behavior on connections to Web servers, the Protection for Services software determines whether a connection was made by a person at a computer or by a botnet. It weighs factors such as the past history of that machine and its pattern of behavior as it moves through the site; repeatedly requesting the same content, for example, would raise a flag. Lyon claims that false positives are "statistically non-existent."
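The article describes two mechanisms without showing them: a Layer 7 check that flags a client for repeatedly requesting the same content, and a block list held in a bounded in-memory cache whose entries expire at staggered times so that releases do not arrive all at once. The following is an added example written for this page, not Black Lotus code, and the article gives no thresholds or data structures: the window, repeat count, block durations, cache capacity, IP addresses and request records below are all constructed for illustration.

```python
"""Added example: a toy request-repetition detector feeding a bounded,
jittered-expiry block list, modelled on the behaviour the article describes.
All thresholds, names and sample traffic are constructed assumptions."""
import random
from collections import defaultdict, deque

# Constructed tuning values (assumptions, not figures from the article)
REPEAT_WINDOW_S = 60     # look-back window for identical (ip, url) requests
REPEAT_THRESHOLD = 20    # identical requests in the window before an IP is flagged
BLOCK_BASE_S = 300       # minimum time an IP stays blocked
BLOCK_JITTER_S = 300     # extra random duration so releases are spread out
BLOCK_CAPACITY = 3       # cache limit; kept tiny so eviction is visible in the demo


class RepeatDetector:
    """Tracks timestamps per (ip, url) and flags repeated requests for the same content."""

    def __init__(self, window=REPEAT_WINDOW_S, threshold=REPEAT_THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.history = defaultdict(deque)  # (ip, url) -> recent request timestamps

    def observe(self, ip, url, now):
        """Record a request; return True when this IP has repeated this URL too often."""
        q = self.history[(ip, url)]
        q.append(now)
        while q and now - q[0] > self.window:  # forget requests outside the window
            q.popleft()
        return len(q) >= self.threshold


class BlockList:
    """Bounded in-memory block list; each entry carries its own jittered expiry."""

    def __init__(self, capacity=BLOCK_CAPACITY, rng=None):
        self.capacity = capacity
        self.rng = rng or random.Random(0)  # seeded so the demo is reproducible
        self.entries = {}  # ip -> (inserted_at, expires_at)

    def block(self, ip, now):
        if ip in self.entries:
            return
        if len(self.entries) >= self.capacity:
            # Memory is limited: evict the oldest entry rather than grow without bound.
            oldest = min(self.entries, key=lambda k: self.entries[k][0])
            del self.entries[oldest]
        # Jittered expiry means blocked addresses are released gradually, not in one burst.
        expires = now + BLOCK_BASE_S + self.rng.uniform(0, BLOCK_JITTER_S)
        self.entries[ip] = (now, expires)

    def is_blocked(self, ip, now):
        entry = self.entries.get(ip)
        if entry is None:
            return False
        if now >= entry[1]:  # expired: release the address lazily
            del self.entries[ip]
            return False
        return True

    def release_times(self):
        return sorted(expires for _, expires in self.entries.values())


def process(requests, detector=None, blocklist=None):
    """Run (timestamp, ip, url) records through the proxy logic.
    Returns the set of IPs that were blocked, the number of requests dropped,
    and the block list for inspection."""
    detector = detector or RepeatDetector()
    blocklist = blocklist or BlockList()
    blocked_ips, dropped = set(), 0
    for ts, ip, url in requests:
        if blocklist.is_blocked(ip, ts):
            dropped += 1  # a blocked client never reaches the origin server
            continue
        if detector.observe(ip, url, ts):
            blocklist.block(ip, ts)
            blocked_ips.add(ip)
    return blocked_ips, dropped, blocklist


def sample_requests():
    """Constructed traffic: one drone hammering a single URL, one person browsing."""
    reqs = [(float(i), "203.0.113.7", "/index.html") for i in range(30)]  # constructed bot
    for i, path in enumerate(["/", "/about", "/products", "/products/1", "/contact"]):
        reqs.append((float(i * 5), "198.51.100.4", path))  # constructed human session
    return sorted(reqs)


if __name__ == "__main__":
    blocked, dropped, bl = process(sample_requests())
    print("blocked:", blocked, "dropped:", dropped)
    print("release times:", [round(t) for t in bl.release_times()])
```

The human session never repeats a URL, so it is never flagged; the drone is blocked at its twentieth identical request and its remaining requests are dropped at the proxy. Blocking on a single repeated-URL count is a deliberate simplification of the "past history and pattern of behavior" the article mentions; a production system would combine several such signals before acting.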

Other DDoS mitigation methods use packet headers, rates and signatures to spot malicious connections.

The service is meant to augment traditional mitigation schemes, which might knock down, say, 90% of a gigabit DDoS flood but still leave 1Mbit of attack traffic, enough to knock a server offline, Lyon says.

Some of these attacks are hard to detect because a botnet of 200,000 drone machines might be behind them, with each drone using just 30 connections per hour, so no pattern of attack from any single machine becomes apparent, he says.

Black Lotus has been selling the service since 2009 but hasn't advertised it because it was applying for a patent on the technology behind it, and now a patent is pending, Lyon says. The company also resells the service through other service providers, and has about 400 customers, most of them either partners, resellers or wholesalers.

While the company does sell directly to end-user businesses, its business model is to be a backend provider, Lyon says.

The service costs $1,000 per month for the first server, covering denial-of-service traffic of up to 10Mbps. Additional servers can be added to the same instance of Protection for Services for $100 per month each.

If attacks burst over 10Mbps, Black Lotus notifies customers, who can then choose to do nothing, null-route the Web server, or upgrade to the Mitigation Critical service, which blocks attacks larger than 10Mbps.

The service is designed for small and midsize businesses, but not enterprises because it becomes more cumbersome to close a deal in larger organizations, Lyon says.