McAfee, a division of Network Associates Inc., announced Monday that it is teaming with anti-Denial of Service (DoS) companies Mazu Networks Inc., Asta Networks Inc. and Arbor Networks Inc. to develop a method of stopping DoS attacks. The initiative will aim to identify when networks are under attack, but also to determine whether the systems involved in the attack are acting knowingly, or whether they've been taken over and are being used by attackers, McAfee said.
The effort will see all four companies sharing research, expertise and data, said Stefan Savage, chief scientist at Asta Networks. McAfee will offer the companies a wealth of forensic data about the structure, code and behavior of worms and viruses, whereas Asta will be able to offer network level data and tracking, he said.
Work resulting from the partnership will "tie these two pieces (forensic and tracking) of the puzzle together," Savage said, adding that it will also "let us both characterize attacks better and prescribe better defenses."
Sharing this information will aid both the companies and their customers as "it will be of overall benefit to all of us that we're all informed about what's going on," he said.
The partnership will not only see the exchange of data, but will also lead to updates and added features in existing products, according to both Savage and Vincent Gullotto, senior director of McAfee's Avert Labs.
"We're developing technology that will eventually end up in our products as they are today," rather than in new products, Gullotto said. The first fruits of this work should start to appear within six months, he said.
Arbor, Mazu and Asta are all direct competitors in the anti-DoS market. Savage, however, has no qualms about working and sharing data with his rivals.
"There's a big difference between sharing the information and being able to use it," he said.
No matter who is able to use what information, though, all sides stand to benefit, he said.
"The value of this relationship will come down to how much each side puts in," Savage said.
McAfee also said Monday that it will add features to its line of antivirus products that will allow users to identify, block or eliminate programs that would allow an attack to take over the user's computer for use in a DoS attack.
Such programs, installed on users' computers by attackers or through e-mail or Web-based worms, turn the systems into "zombies," machines that can be taken over without their owner's knowledge. The Code Red II worm, which emerged in early August as variant of the original Code Red (though it is actually related in name only), installed a backdoor in infected systems which would allow an attacker to gain access to and control over them. Once such machines have been taken over, they can be used in DoS attacks, like those that knocked Yahoo Inc., eBay Inc., Amazon.com Inc. and other sites offline in the winter of 2000.
McAfee said that updates to its antivirus products will allow for scans of incoming HTTP (hypertext transfer protocol) traffic to eliminate such programs.
The first McAfee product that incorporates the HTTP scanning technology is the company's recently-released WebShield e500 Gateway device, said Tony Thompson, public relations representative for McAfee. Other McAfee hardware and software offerings will have the new technology added in their next upgrades, he said.