McAfee launches first bot-killing system

Because DDoS attacks are a SYN.

McAfee has become the first hardware vendor to use a new technique it claims can reliably protect companies from the lurking threat of botnet-launched distributed-denial-of-service (DDoS) attacks.

Unlike conventional DDoS detection systems based on the statistical analysis of traffic, the first layer of the new Advanced Botnet Protection (ABP) intrusion prevention system (IPS) uses a proxy to pass or block packet traffic depending on whether or not it is “complete”.

DDoS attacks typically use armies of hijacked PCs to target a server or WAN link with large amounts of incomplete SYN packets from false addresses, which are difficult to stop if the system cannot separate them from legitimate traffic or identify the source.

Many IPS systems also tend to track connection attempts, something which itself can be overwhelmed if specifically targeted by an attacker. An attack of this sophistication - flooding servers with non-legitimate “ACK” or acknowledgement packets generated in response to SYN traffic - is dealt with by the ABP using an established encryption scheme from the Linux world known as “SYN cookies”.

“The (DDoS) traffic looks exactly like legitimate traffic so the task of detecting it is extremely difficult,” confirmed McAfee’s EMEA product line executive John Parker. Customers were also reluctant to use DDoS defence systems that resulted in false positives, as this cut off legitimate traffic.

The key was to detect that a botnet DDoS was at work and block it as soon as possible. Once a server's SYN queue had filled up, the attack would have succeeded, something that could happen more rapidly than an administrator could respond.
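The SYN-cookie idea mentioned above, as an added sketch in Python (not McAfee's code and not part of the original article): the server's initial sequence number carries a keyed hash of the connection, so no queue entry exists until a matching ACK returns. The bit layout follows the commonly described SYN-cookie scheme; the key, MSS table, slot length and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

SECRET = b"constructed-demo-secret"   # constructed; real devices use a random, rotated key
MSS_TABLE = (536, 1220, 1440, 1460)    # assumed table; the index must fit in 3 bits
SLOT_SECONDS = 64                      # time-slot length (assumption for this sketch)
MASK32 = 0xFFFFFFFF


def _mac24(conn, counter, mss_idx, client_isn):
    """24-bit keyed hash over the 4-tuple, time slot, MSS index and client ISN."""
    src_ip, src_port, dst_ip, dst_port = conn
    msg = f"{src_ip}|{src_port}|{dst_ip}|{dst_port}|".encode()
    msg += struct.pack("!IBI", counter & MASK32, mss_idx, client_isn & MASK32)
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def make_cookie(conn, client_isn, mss, now):
    """ISN for the SYN-ACK: 5 bits time slot | 3 bits MSS index | 24 bits MAC.

    Nothing is stored per SYN, so a flood of spoofed SYNs cannot fill a queue.
    """
    counter = int(now) // SLOT_SECONDS
    mss_idx = max(i for i, m in enumerate(MSS_TABLE) if m <= mss or i == 0)
    mac = int.from_bytes(_mac24(conn, counter, mss_idx, client_isn), "big")
    return ((counter & 0x1F) << 27) | (mss_idx << 24) | mac


def check_ack(conn, seq, ack, now):
    """Validate the handshake-completing ACK statelessly; return MSS or None (drop)."""
    cookie = (ack - 1) & MASK32        # client acknowledges server ISN + 1
    client_isn = (seq - 1) & MASK32    # client's sequence number is its ISN + 1
    slot, mss_idx = cookie >> 27, (cookie >> 24) & 0x7
    if mss_idx >= len(MSS_TABLE):
        return None
    current = int(now) // SLOT_SECONDS
    for counter in (current, current - 1):   # accept the current and previous slot
        expected = _mac24(conn, counter, mss_idx, client_isn)
        if counter & 0x1F == slot and hmac.compare_digest(
            expected, (cookie & 0xFFFFFF).to_bytes(3, "big")
        ):
            return MSS_TABLE[mss_idx]        # only now would a proxy open the backend leg
    return None
```

A SYN from a false address never yields a valid ACK, because the spoofed host never sees the cookie; the 24-bit MAC in this sketch is sized for illustration only.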

The new module was rolled out in December as a free software upgrade to all subscription customers of the IntruShield intrusion prevention appliances, Parker said.

The upgrade will work with all IntruShield products, going back to the product's first appearance after McAfee acquired the base technology by buying a company called IntruVert.

