Mazu Enhances Its Anti-DDoS Appliance

April 8, 2002

Mazu Networks last week released a new version of its Enforcer line of security devices that is more proactive at thwarting distributed denial-of-service (DDoS) attacks and can detect more forms of attack.

Mazu Enforcer version 5.2 can now combine both passive and active elements to detect and thwart DDoS attacks, says Cardy Kastaldi, vice president of engineering for Mazu, based in Cambridge, Mass.

Passive elements include monitors that function much like a packet sniffer, looking for the telltale signs of a DDoS attack and alerting operators when they are found. Active elements are implemented in the flow of traffic, filtering out packets deemed to be part of a DDoS attack.

With Enforcer 5.2, users can employ both capabilities to more quickly detect and thwart an attack. Passive monitors can constantly watch the entire flow of traffic into a site and, when an attack occurs, direct an active monitor to begin filtering traffic targeted at the network segment under attack, subject to operator approval.

Other anti-DDoS products direct a router to conduct the traffic filtering function. Kastaldi claims Enforcer is capable of more sophisticated forms of filtering than a router is. For example, he says Enforcer can find DDoS packets by filtering based on the number of hops a packet has taken, a value that is difficult to spoof in an IP header but one a router generally can't detect.
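
One way to implement the hop-count check mentioned above, as an added example that is not Mazu's code and does not come from the original article. It assumes hop count is inferred from the received TTL against a set of common initial TTL values and compared with a per-source baseline learned from clean traffic; the function names, tolerance and sample packets are constructed for illustration.

```python
# Added illustration: hop-count consistency check (not Mazu's implementation).
from collections import Counter, defaultdict

# Assumption: senders start from one of these common initial TTL values.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)

def infer_hops(observed_ttl):
    """Estimate hops travelled: smallest common initial TTL >= observed, minus observed."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL out of range")
    initial = next(t for t in COMMON_INITIAL_TTLS if t >= observed_ttl)
    return initial - observed_ttl

def learn_baseline(packets):
    """Map each source address to the hop count seen most often in clean traffic."""
    seen = defaultdict(Counter)
    for src, ttl in packets:
        seen[src][infer_hops(ttl)] += 1
    return {src: counts.most_common(1)[0][0] for src, counts in seen.items()}

def classify(packets, baseline, tolerance=1):
    """Label each packet 'pass', 'suspect' (hop mismatch) or 'unknown' (no baseline)."""
    verdicts = []
    for src, ttl in packets:
        if src not in baseline:
            verdicts.append((src, ttl, "unknown"))
        elif abs(infer_hops(ttl) - baseline[src]) <= tolerance:
            verdicts.append((src, ttl, "pass"))
        else:
            verdicts.append((src, ttl, "suspect"))
    return verdicts

# Constructed sample data (documentation address ranges, made-up TTLs).
CLEAN = [("192.0.2.10", 52), ("192.0.2.10", 52), ("192.0.2.10", 51),
         ("198.51.100.7", 116), ("198.51.100.7", 116)]
INCOMING = [("192.0.2.10", 52),     # 12 hops, matches the learned baseline
            ("192.0.2.10", 120),    # 8 hops: same claimed source, different path length
            ("198.51.100.7", 115),  # 13 hops, within tolerance of the baseline of 12
            ("203.0.113.5", 60)]    # source never seen during learning

if __name__ == "__main__":
    baseline = learn_baseline(CLEAN)
    for verdict in classify(INCOMING, baseline):
        print(verdict)
```

The tolerance absorbs small routing changes; sources with no baseline are reported separately so an operator can decide how to treat them rather than having them silently dropped.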

Mazu has also added the ability to filter based on a bit pattern that is a subset of the packet payload, Kastaldi says. This is designed to detect worms and viruses that have a static bit pattern as a subset of some other, more random packet payload. The Code Red worm used that approach, he notes.

"For us, it's an introduction into using signature-based filtering to deal with particular types of attacks, especially a worm propagation that might precipitate the launching of a massive attack," he says.

Version 5.2 also has a more intuitive user interface that makes it easier for users to evaluate the various filter options that Enforcer recommends. A filter impact forecast feature also helps operators assess a filter's effectiveness and any potential side effects.

Enforcer 5.2 is available now. Pricing for enterprise deployments of the Enforcer 300, which protects a single Fast Ethernet or Gigabit Ethernet link, starts at $35,000. The Enforcer 10000, which protects up to eight links, starts at $125,000.
