TippingPoint adds denial of service protection to Intrusion Prevention platform

Over the last six months, Austin, Texas-based TippingPoint has added bandwidth management capabilities and voice-over-IP protection to its UnityOne Intrusion Prevention System. This week, the company introduced new advanced denial of service and distributed denial of service protection, which it has deployed at eNom, a domain name registrar and Internet services company.

TippingPoint CEO Kip McClanahan said his company is out to expand the traditional notion of intrusion detection by including real-time DoS capabilities. The company has combined the intrusion detection and Dos capabilities into a single platform that can verify connection requests in real time at multi-gigabit speeds.

The DoS and DDoS protection uses a combination of anomaly filters, SYN proxy, rate shaping and statistical analysis to control the number of connection requests and existing connections in a network. The capability is built into TippingPoint’s UnityOne platform rather than run as a separate proxy server, which is typical of current solutions.

Proxy servers create a table entry for every connection request to a server or network. "It’s a memory explosion and ultimately a limitation statement," McClanahan said. "You can’t have unlimited memory in these servers. So if you are trying to manage an attack with a single table, you might hold it off for a few seconds, but then you [eventually] become part of the attack."

Marc Willebeek-LeMair, chief technology and strategy officer at TippingPoint said previous approaches such as using the proxy server as an intermediary to manage handshaking from other networks and devices is simply shifting the problem from the server to the intermediary. "But at the end of the day, the intermediary is just as vulnerable as the server was," he said.

The DoS protection in TippingPoint’s solution also uses a process called IP filtering in order to block attacks from malicious or spoofed IP addresses as well as anomalous traffic that dos not conform to normal traffic guidelines. It uses threshold filters to monitor traffic over time and in order to define normal traffic patterns.

"For the first time ever we are able to identify a MAC or IP address from a user that is spitting out mountains of attack traffic and doesn’t even know it," Willebeek-LeMair said. "It has quite an impact being able to see what is going on in the network and actually being able to remedy it."

TippingPoint developed the DoS solution for eNom, but will have a limited release available at the end of this quarter on one of its platforms and will make it generally available by the end of the year or early 2005.

The company has six IPS models available today with a seventh scheduled for Q4. The systems range from a 50 Mbps unit with one 10/100 Ethernet port to a 5 Gbps model with four 10/100/1000 Ethernet ports.