First Free DOS Warning Software Available

A software program that detects Web and network traffic anomalies that might amount to incoming denial-of-service attacks, previously available only when embedded in purchased hardware appliances, was made available as a freeware download April 15.

FloodGuard detects a variety of DOS attacks, including distributed DOS, distributed reflective DOS (which uses unsuspecting computers and servers), and even worms and "other flooding attacks that can overwhelm networks and shut down Websites."

Reactive Network announced the coming of the product, said to be the first-ever free DOS-warning software, earlier this month. The company said in an announcement that it took over 1,200 free registrations for the program, which prompted discussions with security hardware providers to fill the demand, which it anticipates will grow steadily.

Funded by venture firms Athena Technology Ventures and Redrock Ventures for almost $6 million, FloodGuard began as a strictly hardware-inclusive program in 2000. But Reactive Network vice president for business development Alan Crawley said they saw the need for separating it into software and making it available as widely as possible.

"This software was valued about $10,000 (per unit)," Crawley said by telephone from the RSA 2003 Conference, a gathering of network security professionals. Why did they take it to the freeware level? Crawley said it was a combination of many companies reluctant to admit they were attacked _ and many people unaware of the fact that they're even being attacked.

"That is still a problem, and it has been a problem for us selling our products," he continued, "so we've been in the development phase all this time, not really been in the sales mode. We're transitioning into getting to the selling mode. By giving away the freeware that shows you you're being attacked, it gives you proof positive. An awful lot more attacked don't actually know it."

The war between the U.S. and Iraq also came into the company's thinking, Crawley said. "We thought there'd be a lot more attacks against the U.S. in places, flood attacks, maybe designed to bring down the Internet as a whole," he said. "The commerce of the United States could be interfered with considerably. This is an ever-increasing threat to the U.S. economy, as more and more terrorists and malicious hackers find out how easy it is to launch cyber-attacks."

FloodGuard shows a network administrator or Webmaster if their site or portal is being attacked, "and give you a lot of rich information about the attack," Crawley said. That information includes what type of attack it is, how severe it is, and the kind of protocols coming in with the attack, and it offers a degree of traceback capability.

"It gives you enough information," he said, "to call up your service provider, or your network service providers, to give them enough information about what's coming through the flooding, for them to implement steps to mitigate the attack."

Once installed, the FloodGuard freeware "lives on your network first, for about a week," Crawley said, "learning what your normal traffic is like by protocol and IP address, the sources and the destinations." Then, he continued, sophisticated technology analyzes anomalies. "Basically, (FloodGuard) is an anomaly detector," he said, "and one of the anomalies it will detect is the denial of service, but it will also detect worm propagation and other anomalies."
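The learn-then-compare approach described above, sketched as an added illustration that is not FloodGuard's code or algorithm. It assumes packet counts per protocol per interval and a mean-plus-k-standard-deviations threshold; the function names, the threshold and the sample traffic are all constructed for this example.

```python
from collections import Counter
from statistics import mean, pstdev

def learn_baseline(history):
    """Learning phase: per-protocol mean and std-dev of packets per interval."""
    protocols = {p for interval in history for p in interval}
    return {p: (mean(c), pstdev(c))
            for p in protocols
            for c in [[interval.get(p, 0) for interval in history]]}

def detect(baseline, packets, k=4.0, min_sigma=1.0):
    """Compare one interval of (protocol, src_ip, dst_ip) tuples to the baseline.

    Returns alerts carrying protocol, severity and the busiest sources and
    target: the kind of detail an operator would pass on to a service provider.
    """
    per_proto = Counter(proto for proto, _, _ in packets)
    alerts = []
    for proto, observed in per_proto.items():
        # A protocol never seen while learning gets a zero baseline (assumption).
        mu, sigma = baseline.get(proto, (0.0, 0.0))
        # Floor sigma so a very quiet protocol does not alert on tiny changes.
        score = (observed - mu) / max(sigma, min_sigma)
        if score <= k:
            continue
        sources = Counter(s for p, s, _ in packets if p == proto)
        targets = Counter(d for p, _, d in packets if p == proto)
        alerts.append({
            "protocol": proto,
            "observed": observed,
            "expected": round(mu, 1),
            "severity": round(score, 1),  # std-devs above the learned normal
            "distinct_sources": len(sources),
            "top_sources": sources.most_common(3),
            "top_target": targets.most_common(1)[0][0],
        })
    return sorted(alerts, key=lambda a: a["severity"], reverse=True)

# Constructed sample data (documentation address ranges): seven learning
# intervals, then one interval of normal traffic plus an ICMP flood.
HISTORY = [Counter(tcp=1000 + d * 10, udp=200 + d, icmp=10 + d % 3) for d in range(7)]
NORMAL = ([("tcp", "198.51.100.7", "192.0.2.10")] * 1020
          + [("udp", "198.51.100.8", "192.0.2.53")] * 203)
FLOOD = [("icmp", f"203.0.113.{i % 200}", "192.0.2.10") for i in range(5000)]

if __name__ == "__main__":
    for alert in detect(learn_baseline(HISTORY), NORMAL + FLOOD):
        print(alert)
```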

The usual remedy for recovering from a DOS attack is for the site or network to buy more bandwidth. "By using a tool like ours," Crawley said, "that will actually do something about it, you can make an awful lot more bandwidth available."

But FloodGuard does not automatically stop a DOS attack or repair the damage, Crawley said, and Reactive Network hopes FloodGuard's free availability prods sales of the appliances Reactive makes to do those fixes. "That's the part we want to sell," Crawley said. "And, unfortunately, the piece you need to stop and fix it probably isn't something (a consumer) would buy, it's something your service provider or a business would want to mitigate an attack. Ultimately, we'd sell (our) mitigation technology to the service providers. And, of course, the way to prevent a DOS is to get to the source, where it's coming in, and block right there."