Four start-ups with their roots in university research are separately concentrating on combating denial-of-service network attacks, a huge threat to e-commerce and a daunting technical challenge because it is so difficult to distinguish "good" network traffic from the "bad" traffic that can cripple servers.

The companies - Arbor Networks, Asta Networks, Lancope Technologies and Mazu Networks - together have collected at least $75 million in venture funding and are either just out of the gate with production anti-DoS equipment or soon will be. Mazu begins shipping its TrafficMaster gear next week.


The jockeying now begins in earnest to convince ISPs, data center operators and corporate customers to invest in this first generation of hardware/software appliances that watch for attacks and report back on what to do about such activity.

Since that wild week in February last year when a single attacker, nicknamed Mafiaboy, shot down some of the biggest e-commerce Web sites - eBay, Schwab and Amazon - the entire network industry has been well aware of how easy it is to launch a DoS attack. Mafiaboy, a Canadian teenager who pleaded guilty, used readily available distributed DoS attack tools, which can be used to remotely activate hundreds of compromised zombie servers to overwhelm a target's network capacity in a matter of minutes.

But the problem of automating a response to this kind of onslaught is so tough technically that anti-DoS offerings have yet to emerge from the network and security industries' biggest names. Rather, all eyes are on newcomers.

Many of these start-ups have a lot in common. While it's not unusual to find professors and graduate students launching new companies, universities are where the founders of Mazu, Arbor, Lancope and Asta did their research into DoS attacks. And university networks are where this anti-DoS equipment was born and is getting a workout trying to fight off distributed DoS, SYN flood, Smurf and other such attacks.

"I call them the 'dueling universities,' " says Gartner security analyst John Pescatore. Arbor is aligned with the University of Michigan, Asta with the University of California at San Diego and the University of Washington, Mazu with the Massachusetts Institute of Technology, and Lancope with Georgia Institute of Technology.

All the start-ups have equipment for ISPs and companies that monitors and analyzes high-speed network traffic flows using complex algorithms, mostly by collecting information through routers and switches. Pescatore says there's little to distinguish the four start-ups, though Mazu is targeting distributed DoS attacks, and Lancope is casting a wider net in intrusion detection, such as monitoring for back-door Trojans, and does not claim to prevent distributed DoS attacks.

"[Distributed] DoS is very hard to prevent. I don't think there's a foolproof method out there," says Jay Chaudhry, CEO of Lancope.

His company launched last week with an undisclosed investment but mainly with Chaudhry's own millions from the sale of SecurIT to VeriSign in 1998 for $70 million.

The true value of the new anti-DoS offerings won't be known until ISPs start deploying them and offering anti-DoS services, Pescatore says.

So far, ISPs are quiet about their intent to use any of the gear, even though their network engineers are forced into intensive manual analysis of log data when serious DoS attacks strike and customers start calling for help.

Arbor's Chief Strategist Ted Julian, who says Pittsburgh ISP Stargate is testing the Arbor gear, acknowledges the company has yet to secure even one paying customer since its gear became generally available last month.

ISPs are "nervous and conservative" about deploying anti-DoS devices, Julian says, because of the unknown impact of adding this type of equipment to monitor their backbone nets and conduct filtering.

Cost may also be a factor. A single anti-DoS appliance can cost $20,000, depending on the vendor.

None of the other anti-DoS start-ups have much in the way of ISPs to brag about yet. Mazu has some early customers, including online financial services firm ElephantX.com and its ISP, which are cooperatively testing the Mazu anti-DoS appliance. Sources at Internet Security Systems, which offers intrusion-detection software and managed security services, say they are in discussion with Mazu about using its gear, but didn't rule out choosing alternate anti-DoS equipment providers.

Under attack

Using a technique called backscatter analysis, faculty at UC-San Diego observed 12,800 distributed DoS attacks on more than 5,000 Internet hosts during a three-week period. Half of the attacks lasted less than 10 minutes and 80% lasted less than 30 minutes. Attack behavior ranged from short, periodic episodes that degraded service for a few minutes to continuous attacks flooding a site for a week.

Tony Gauvin, an ElephantX.com vice president, was reluctant to name the ISP his firm is working with on DoS prevention. But he said whenever a DoS attack occurs, it's critical that the ISP gets involved to be able to quickly filter out the attack as far upstream from the Web site as possible.

DoS attacks "are the most insidious problem on the Internet," Gauvin says, because a successful attack can "neutralize" its victim.

Taking DoS to school

The most avid testers of anti-DoS equipment remain universities.

Stefan Savage, chief scientist of Asta Networks, remains a professor at the University of California, San Diego, where he and associate researchers recently released a study showing how widespread DoS attacks are, whether low-grade or massive.

"We found the majority of DoS attacks are against servers of one sort or another, but 5% of attacks were against routers and 10% to 20% against live [client] machines with broadband connections," he says.

Merit Network is the university-focused ISP that has been the test bed and close collaborator in developing Arbor's PeakFlow DoS equipment for more than a year.

"It provides alerts on traffic and helps engineers understand what's going on," says Jeff Ogden, associate director for high-performance networking at Merit, the ISP for the University of Michigan. "It's brought a big change here. Before, we wouldn't notice the DoS attack or someone would complain, and network engineers would have to do it all by hand, then figure out the traffic flows to filter it out."

But the Arbor anti-DoS equipment isn't always reliable in distinguishing good traffic from bad, Ogden says. "We have a joke here that one person's DoS is another person's physics department," he says, referring to the multimegabyte files that go surging back and forth, for example, between labs in the U.S. and Switzerland.

Just as Arbor has Merit, Asta has the high-speed research and development network, Internet2, managed from a data center at Indiana University.

"We can try new things out here, and the Asta Networks equipment does work," says Steve Corbato, Internet2's director of backbone infrastructure. He's in charge of the 13,000-mile network dubbed Abilene, which is used by dozens of university researchers, network equipment vendors and service providers.

Because the Asta equipment, called Vantage System, just became available this week, it may be some time before commercial ISPs and their customers weigh in with their opinions on its use in business. But if the day ever arrives when ISPs can routinely thwart DoS attacks, it will probably be because this new generation of equipment got a good schooling.