Botnet or human? Black Lotus service sorts them out to block DDoS attacks

Black Lotus is pulling the wraps off a distributed denial-of-service mitigation service that uses behavioral factors to pick up on low-volume botnet attacks that can nevertheless cripple Web servers.

Called Protection for Services, the offering runs customer traffic through proxies that employ human behavior analysis to discover and temporarily block offending IP addresses, says Black Lotus President Jeff Lyon.

Those IP addresses are blocked for an arbitrary time, but not permanently blacklisted, Lyon says. That's because the block list resides in an in-memory cache for the sake of performance, and since that memory is limited, addresses are dropped over time. The time frame is arbitrary so that blocked addresses are released gradually; dumping them all at once could result in a flood that affects server performance, he says.

The company competes against Arbor, Prolexic, Staminus and Verisign.

To enable the service, customers redirect the DNS for their Web servers to virtual IP addresses at Black Lotus's operations center in Los Angeles, where the traffic is screened before being proxied on to the customers' actual servers. Black Lotus caches customers' static Web content, which improves response times much as a content-delivery network would.

By analyzing the Layer 7 behavior of connections to Web servers, the Protection for Services software determines whether a connection was made by a person at a computer or by a botnet. It uses factors such as the history of that machine and its pattern of behavior as it moves through the site. For example, repeatedly requesting the same content would raise a flag. Lyon claims that false positives are "statistically non-existent."

Other DDoS mitigation methods use packet headers, rates and signatures to spot malicious connections.

The service is meant to augment traditional mitigation schemes, which could knock down, say, 90% of a gigabit DDoS flood, but that still leaves 1M bit of attack that is enough to knock a server offline, Lyon says.

Some of these attacks are hard to detect because a botnet with 200,000 drone machines might be behind them while using just 30 connections per hour from each, so no pattern of attack from a single machine becomes apparent, he says.
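The two mechanisms the article describes, the Layer 7 "same content requested repeatedly" signal and the bounded in-memory block list with staggered expiry, are sketched below as an added example; this is illustrative code written for this page, not Black Lotus's patented implementation. The log format, field names, thresholds and TTL values are assumptions, and the sample log lines are constructed.

```python
import hashlib
import re
from collections import Counter, OrderedDict
# Constructed sample access-log lines (client IP, method, path), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 GET /index.html
203.0.113.5 GET /about.html
198.51.100.7 GET /login
198.51.100.7 GET /login
198.51.100.7 GET /login
198.51.100.7 GET /login
192.0.2.9 GET /index.html
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+)$")

def flag_repeat_requesters(log_text, threshold=4):
    """Client IPs that fetch the same path at least `threshold` times: the
    'repeatedly requesting the same content' signal described in the article."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, _method, path = m.groups()
            hits[(ip, path)] += 1
    return {ip for (ip, _path), n in hits.items() if n >= threshold}

class BlockList:
    """Bounded in-memory block list whose entries expire at staggered times,
    so blocked addresses are released gradually rather than all at once."""
    def __init__(self, capacity=1000, base_ttl=600, spread=300):
        self.capacity, self.base_ttl, self.spread = capacity, base_ttl, spread
        self._entries = OrderedDict()  # ip -> expiry timestamp, oldest first

    def stagger(self, ip):
        # Deterministic per-IP offset in [0, spread) that spreads out release times.
        digest = hashlib.sha256(ip.encode()).digest()
        return int.from_bytes(digest[:4], "big") % self.spread

    def block(self, ip, now):
        self._entries.pop(ip, None)                # re-insert so it counts as newest
        self._entries[ip] = now + self.base_ttl + self.stagger(ip)
        while len(self._entries) > self.capacity:  # cache memory is limited: evict oldest
            self._entries.popitem(last=False)

    def is_blocked(self, ip, now):
        expiry = self._entries.get(ip)
        if expiry is not None and now < expiry:
            return True
        self._entries.pop(ip, None)                # expired (or absent): release it
        return False
```

Feeding `flag_repeat_requesters` output into `BlockList.block` gives a temporary, self-cleaning block list; the eviction loop is what keeps memory bounded and the per-IP stagger is what avoids releasing every address in one burst.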

Black Lotus has been selling the service since 2009 but hasn't advertised it because it was applying for a patent on the technology behind it, and now a patent is pending, Lyon says. The company also resells the service through other service providers, and has about 400 customers, most of them either partners, resellers or wholesalers.

While the company does sell directly to end-user businesses, its business model is to be a backend provider, Lyon says.

The service costs $1,000 per month for the first server to block denial-of-service traffic of up to 10Mbps. After the initial server, additional servers can be added to the same instance of Protection for Services at $100 per month each.

If attacks burst over 10Mbps, Black Lotus notifies customers, who can then choose to do nothing, null-route the Web server or upgrade to the Mitigation Critical service, which blocks attacks larger than 10Mbps.

The service is designed for small and midsize businesses, but not enterprises because it becomes more cumbersome to close a deal in larger organizations, Lyon says.
