One of today's more vexing security challenges is how to defend against a distributed denial of service attack (DDoS), where hackers install "zombie" code on hundreds or thousands of Internet-attached computers and use them to flood a single Web site with bogus requests. Cs3, Inc., which has been working on the problem since 1999, has come out with a product intended to stop such attacks from their point of origin - the "zombie" computers.

Cs3's Reverse Firewall is one part of the company's strategy to wipe out DDoS attacks. The product works by adhering to a "fair use" policy, where no one network segment is allowed to commandeer an inordinate amount of available bandwidth, says Dr. K. Narayanaswamy, co-founder and CTO of Cs3, based in Los Angeles.

In a typical two-way TCP/IP conversation, such as between a Web browser and server, one computer sends a request to another, then waits for an acknowledgment of that request before continuing. Computers infected with zombie code, however, just continually send a flood of requests to a Web server, never waiting for acknowledgement. If the server gets hammered with enough of these requests, it gets overwhelmed and is effectively blocked from servicing legitimate requests.

"A typical attacker is like someone ringing your doorbell and walking away," Narayanaswamy says. "They are just flooding the network with requests but never bother to look for the answers."

Given that behavior, the clients that are launching the attacks chew up large amounts of bandwidth on the networks to which they are attached. Cs3's Reverse Firewall sits at the edge of a network, between a router and the Internet connection, and can detect when a given subnet is generating more than its fair share of traffic - or what Cs3 calls "unexpected packets." It will then throttle back the amount of packets it allows that segment to pass, allowing legitimate traffic from other segments equal access to the Internet link.

That gets to the value proposition for enterprises and ISPs in installing the Reverse Firewall: improving availability for their own users. Each Reverse Firewall, which runs on a Linux machine, can attach to five subnetworks in addition to the Internet. That means the product can isolate from the rest of the network a single subnet generating massive numbers of bogus packets.

"We're not asking customers to do this for the good of the Internet, but for their own good," Dr. Narayanaswamy says. "We are selling it as a damage control device to individual ISPs, universities and corporations."

The Reverse Firewall can also be effective in defending against worms such as Code Red and Nimda, which rely on port scanning, another form of unexpected traffic. "You have to allow everybody to do port scanning, but not at the rate that Nimda and Code Red were doing," he says.

There are other companies that have announced products in recent months that purport to defend against DDoS attacks, including Arbor Networks, Asta Networks, Captus Networks and Mazu Networks. But each of these companies' products is designed to filter in-bound traffic, not outbound traffic that is the initial cause of such attacks.

Cs3 likewise offers products that focus on in-bound traffic. The company has developed a packet-tagging protocol that allows routers and firewalls to detect where packets are coming from, much like a postmark on a letter. In that fashion, a router can detect when there are too many packets coming from the same area and throttle them back.

The company is in discussions with major router vendors to include its technology in their products, with the idea being to spread it throughout the Internet.

While that's a tall order, Dr. Narayanaswamy notes that if a large ISP buys in to the idea it will make a huge difference, because as soon as traffic representing a DDoS attack enters their network they will be able to recognize it and choke it off.

In the meantime, the Reverse Firewall is available now. It costs $3,995.