Recent consolidation in the information security market includes a wave of acquisitions of companies with a variety of technologies, such as intrusion detection and managed security services. One technology seems to be absent from the acquisition list: Distributed Denial of Service (DDoS) defense, the subject of media frenzies every time a DDoS attack occurs.
DDoS attacks shut down the eBay, CNN, and Yahoo! websites two years ago. A DDoS attack refers to a tidal wave of requests originating from thousands of co-opted "zombie" computers, usually without their owners' knowledge or consent. The requests bombard the server under attack, overloading processors and jamming the site’s bandwidth connecting it with the outside world.
The commonest defense against DDoS attacks is to block access to the server from outside calls, which is an ironic victory for the attackers. That is because it is not necessary to attack the server itself. By attacking the site’s firewall, they overload the identification and authentication software checking incoming information packets, thereby blocking the arrival of legitimate packets.
While the world’s press previously focused on DDoS attacks on commercial and news sites that lost revenue from the attacks shutting down their sites, most of the damage was to the sites’ reputation, with far greater potential damage. In today’s networked world, with ERP and CRM systems transmitting updated information packets from one side of the world to another, a DDoS attack can severely disrupt enterprises’ regular operations.
Riverhead Networks is developing defenses to protect enterprises against DDoS attacks. Riverhead Networks VP sales Elad Shaviv says many DDoS attacks are launched during inter-geek weekend wars. The result is that Internet providers, including Israeli ones, are unable to provide the necessary service time to their subscribers, who surf more on weekends. This cybernetic war also causes collateral damage to servers at Internet providers’ server farms that may not be the geeks’ target.
Blitzing Europe
Here are some figures to make us sweat. In the second half of 2002, there were hundreds of DDoS attacks from an unknown origin against European Internet providers. The blitz crashed British provider Cloud 9, which was forced out of business after its insurance company refused to cover it for the damage caused. In early November, a one-hour DDoS attack against an Internet provider caused panic, but little real damage. The attack alerted professionals. According to CAIDA (Cooperative Association for Internet Data Analysis), there were about 4,000 DDoS attacks a week in the US alone in 2001, and possibly double that number this year.
The Yankee Group estimates the financial and reputation damage and repair costs at $50,000 per hour to the 9% of US enterprises under threat by DDoS attacks. Another estimate is $200,000 per hour to financial institutions and $90,000 to the aviation industry.
Shaviv claims that Riverhead’s solution enables an enterprise or Internet provider to continue providing service even while under DDoS attack. First, the network is surveyed to discover whether it is under attack, since it is possible that a particular event led surfers to rush to the site. To avoid false alarms, Riverhead’s solution is not located on the information line itself, but is actually two products. The first, “Riverhead Detector”, usually deployed at access or edge connection points, passively monitors passing traffic on multiple links. If it detects a possible DDoS attack, it warns the second product, “Riverhead Guard”, which is placed adjacent to the router or switch on a separate network interface and analyzes and filters malicious traffic, while letting legitimate information packets through. Riverhead Guard can also work with a variety of warning systems, including those developed by Riverhead’s competitors.
Shaviv claims that the installation of Riverhead’s products does not require network upgrades or changing a router’s definition tables. The products can be deployed at various locations throughout an enterprise’s network, as long as the site is sufficiently forward to forestall an attack. Internet providers can install the products at every server or server farm, or at the local Internet-provider route interfaces, such as Israel’s IIX.
“Globes”: What happens when a DDoS attack overwhelms Riverhead Guard?
Shaviv: “First, while that is possible, it’s very hard to accomplish, because it would mean attacking Riverhead Guard directly. Even if that happens, the network itself is unharmed, and when Guard recovers it will again protect the network. It’s important to remember that Guard’s sole job is to prevent the arrival of malicious information packets, so its pain threshold is much higher than that of ordinary networks.”
On the information highway
Riverhead Networks was founded in 2000 as WanWall. The name was changed during the company’s second financing round earlier this year to something more appropriate to the technology’s methodology: instead of a wall that blocks information routes, it allows information to flow with minimal disturbance.
Riverhead’s potential customers are large enterprises, international e-commerce companies, banks and the like on one hand, and Internet providers and data center companies on the other. The current business model is based on the sale of variously configured boxes costing a few hundred thousand dollars each. Other business models will be considered later.
Riverhead’s first investors were Gemini Israel Funds and Koor Corporate Venture Capital, later joined by Intel Capital. Riverhead raised $11 million in its second financing round in May 2002 from existing investors, plus Sequoia Capital, Cisco Systems (Nasdaq:CSCO), and private investors. 18 months earlier, Cisco invested in one of Riverhead’s competitors, Arbor Networks. Together with Asta Networks, they are considered to be leading defenders against DDoS attacks. Another competitor, Mazu Networks, also excels in defense, but Shaviv claims it burdens networks. Other DDoS attack defenders are Radware (Nasdaq: RDWR) (in whose building Riverhead is located), and Israeli start-ups Captus Networks and Top Layer Networks.
Symantec (Nasdaq:SYMC) acquired another competitor, Recourse Technologies, a few months ago, although Shaviv claims its product mainly detects DDoS attacks without defending against them. “DDoS attacks are hyped by the media today, and almost everyone claims to have a solution to the problem. Despite the harsh climate, I think we’re competing in the market quite successfully,” he said.
Riverhead began sales in October 2001, even though its products were officially launched only after the last financing round was closed. Riverhead’s list of customers is not long, but Shaviv believes large-scale sales will start only next year. No one at the company is prepared to say openly when it will break even, but all agree that another financing round will be needed to better position the company against the competition, which will undoubtedly intensify over time.
Riverhead cofounder and CEO Yuval Rachmilevitz was entrepreneur in residence at Magnum Communications Fund, and also worked for Gilat Communications for a while. Former Chief Scientist and current Gemini venture partner Dr. Orna Berry is Riverhead’s chairperson. She took up her post at Riverhead before Gemini invested in the company. Communications security professors and Ph.D.s from UCLA, MIT and AT&T, including the father of the Internet, Prof. Leonard Kleinrock, serve on Riverhead’s advisory board.
Name: Riverhead Networks
Founded: 2000
Founders: Yuval Rachmilevitz, Prof. Yehuda Afek, Dr. Dan Touitou, and Dr. Anat Bremler-Barr
Product: Distributed Denial of Service (DDoS) defense systems
Financing rounds: $15 million in two rounds
Investors: Gemini Israel Funds, Sequoia Capital, Koor Corporate Venture Capital, Intel Capital, Cisco Systems, and private investors
Employees: 35, including 30 at its Tel Aviv development center and five in Cupertino, California
Website: www.riverhead.com
Published by Globes [online] - www.globes.co.il - on November 25, 2002