B.8. Summary

After surveying the above solutions, several questions may have occurred to the reader.

• Are the preceding solutions the only ones that handle the DDoS problem? Not by any means. It was impossible to collect and survey all the existing DDoS solutions in this book, first, because space is limited and, second, because the market scene is continuously changing.

• Are the preceding solutions better than those that were not surveyed? This is a hard question to answer. Due to the lack of common evaluation methodology for DDoS defense solutions, it is impossible even to compare surveyed solutions to one another. It would be even more far-fetched to compare one of those to another solution not surveyed in this book. Rather, we believe that the selected solutions represent popular attack detection and mitigation approaches that are currently favored by the commercial community. Other solutions that you may find on the market are likely not to be drastically different from the surveyed ones. The overview of the functionalities offered by the preceding solutions should provide you with a list of features you can look for in a DDoS solution.

• So which one is the best? Ah, another hard question! There is currently no agreement in the DDoS defense community about the methodology for DDoS solution evaluation. Thus, even if we obtained and tested a sample of each of the systems discussed, we would have a hard time designing tests that everyone would accept as realistic and appropriate. This situation might change in the next few years. A number of ongoing research projects are examining the proper methods of evaluating DDoS defense solutions. The NSF also funded a project in 2003 to build a large DDoS research testbed [USC]. Answering questions about the relative performances of different research and commercial DDoS defense mechanisms may be more feasible when these projects have reached fruition.

In an attempt to provide more useful information to the reader, we summarize the capabilities found in the preceding solutions in Table B.1. As with the earlier material in this appendix, the summary is based solely on vendor claims in product white papers and does not reflect any of the authors' or publisher's opinions.

Table B.1. Summary of Commercial Product Features

	Featured Products
Mazu Enforcer	Enforcer.
Peakflow	Peakflow SP for service providers offering external attack mitigation and traffic management functionality and Peakflow X for companies offering internal attack mitigation functionality.
Webscreen	WS2, WS100, and WS1000 provide the same attack detection/mitigation functionality at different scales.
Captus	Captus IPS for attack mitigation and Captus IPS View for management of multiple Captus IPS devices.
MANAnet	FloodWatcher for attack detection, Router and Firewall for incoming attack mitigation and Reverse Firewall for outgoing attack mitigation.
Cisco	Traffic Anomaly Detector XT provides attack detection functionality. Guard XT provides attack detection mitigation functionality.
StealthWatch	StealthWatch provides attack detection functionality and StealthWatch Management Console for management of multiple StealthWatch devices.
	Deployment
Mazu Enforcer	Active, passive, and hybrid.
Peakflow	Active for Peakflow SP, passive for Peakflow X.
Webscreen	Active.
Captus	Active.
MANAnet	Passive for FloodWatcher; active for Router, Firewall, and Reverse Firewall.
Cisco	Passive for the Detector, active for the Guard.
StealthWatch	Passive.
	Attack Detection
Mazu Enforcer	Anomalies are detected in incoming traffic by monitoring various traffic parameters and comparing them against bandwidth and suspicious traffic triggers.
Peakflow	Anomalies are detected in network state by monitoring various traffic parameters, routing data and NIDS data, and correlating observations.
Webscreen	Anomalies are detected by building legitimate-host behavior models and noting change in traffic levels and user access patterns in comparison to server resource use.
Captus	Anomalies are detected through traffic monitoring and comparison with operator-defined policies. Policy violation triggers attack detection.
MANAnet	Anomalies are detected by monitoring various traffic parameters and comparing monitored values to operator-set thresholds.
Cisco	Anomalies are detected by monitoring traffic patterns and comparing them to baseline models built over time.
StealthWatch	Anomalies are detected by building models of host activity and traffic levels, then comparing monitored communication against these baseline models. Each source host is assigned a Concern Index. Attack is detected when the Concern Index exceeds the host-specific threshold.
	Attack Response
Mazu Enforcer	Develop and install appropriate filters, or recommend ACL filters to be installed by CISCO routers.
Peakflow	Develop and install appropriate filters, perform sinkhole or blackhole routing of the suspicious traffic or recommend filters to be installed by network routers.
Webscreen	Drop packets whose CHARM value falls below the dynamic threshold. Threshold value depends on the level of server resource use.
Captus	Notify operators; shape, redirect, or deny suspicious traffic.
MANAnet	Rate-limit unexpected packets, perform PLFQ.
Cisco	Divert suspicious traffic through the Guard and police it using multiple verification methods to identify and block malicious packets.
StealthWatch	Alert network administrator about suspicious hosts.
	Extra Features
Mazu Enforcer	Projected filter impact before installation. Traffic visualization and analysis tools.
Peakflow	Peakflow DoS (part of Peakflow SP) claims to provide offending traffic tracing and identification of affected network devices. Peakflow Traffic (another part of Peakflow SP) claims to profile traffic at peer-to-peer, AS-to-AS, and pop-to-pop granularity. Peakflow X organizes monitored hosts into groups facilitating group management. It also claims to tune NIDS devices and correlate their data with its anomaly detection. Both Peakflow Traffic and Peakflow X claim to offer detailed traffic and attack reports.
Webscreen	None.
Captus	Claims to offer network state visualization, report generation, and detailed logging of traffic and attack data.
MANAnet	Claims to be able to trace the offending traffic to the network ingress point.
Cisco	Claims to offer detailed traffic and attack logging and report generation.
StealthWatch	Hosts with similar behavior are grouped into zones and managed collectively. Claims to offer detailed flow statistics logging and display in a variety of graphical views.