Internet.com ISP-Planet
The Box That Stops Floods

This company says it has a different, better method for stopping attacks on your data center.

by Alex Goldman
ISP-Planet Managing Editor
[May 24, 2007]

Bethesda, Md.-based RioRey makes boxes that are designed to stop DDoS floods: SYN floods, TCP hacks, ICMP, and so on.

Kwok Li, CEO of RioRey, says the company's product uses a better algorithm for stopping DDoS floods. "Currently, two technologies dominate the market," he says. "There's deep packet inspection and there's anomaly detection. We're saying that we can check compliance at the protocol level and identify specific attack streams."

The result, adds Phil Sides, manager of customer service and technical support, is that the same computer can have traffic that's allowed and traffic that's blocked. "If it's a zombie computer with good traffic and bad traffic, we'll allow the legitimate traffic through," he says.

The boxes
The product line is divided into low-cost (NI) boxes and premium (RX) boxes. Boxes protect three levels of throughput: 45 Mbps, 100 Mbps, or 1 Gbps. Boxes can scan traffic in only one direction (inbound or outbound) or they can scan traffic in both directions.

The system's Rview management software runs on the box and delivers a report every three minutes. The box has a dedicated port for out-of-band management.

Li says that the system takes a minute and a half to handle a flood. "After 30 seconds, we send an alert. In the next 30 seconds, we check to see whether the attack is sustained (sometimes the attack is abandoned, and sometimes it's just noise and goes away). In the final 30 seconds, if we have identified an attack, we stop it."

He says that the system is fast enough to prevent an attack from flooding multiple links. "A system using anomaly detection could take 20 to 30 minutes, and during that time, the attack could spread across the ISP's other links."
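The 90-second timeline Li describes (alert, confirm the attack is sustained, then block) can be sketched as a per-stream state machine. This is an added illustration, not RioRey's code or algorithm: the packet threshold, the `(source, protocol, port)` stream key, the reset on a clean window, and the timed allowlist modelling the vulnerability-scanner exception mentioned later in the article are all assumptions, and the sample windows are constructed.

```python
from dataclasses import dataclass, field

STAGES = ("normal", "alerted", "confirmed", "blocked")

@dataclass
class StagedMitigator:
    threshold: int = 1000                        # assumed: non-compliant packets per 30 s window
    allow: dict = field(default_factory=dict)    # src IP -> expiry in seconds (None = permanent)
    stage: dict = field(default_factory=dict)    # stream key -> index into STAGES

    def allow_source(self, src, until=None):
        """Open a source permanently (until=None) or until a given time."""
        self.allow[src] = until

    def observe(self, now, stream, bad_packets):
        """Score one 30-second window for one stream and return its stage."""
        src = stream[0]
        if src in self.allow and (self.allow[src] is None or now < self.allow[src]):
            self.stage.pop(stream, None)         # allowlisted source: never escalated
            return "normal"
        if bad_packets < self.threshold:
            self.stage.pop(stream, None)         # abandoned attack or noise: start over
            return "normal"
        self.stage[stream] = min(self.stage.get(stream, 0) + 1, len(STAGES) - 1)
        return STAGES[self.stage[stream]]

# Constructed sample windows: window end (s) -> {(src, proto, dst port): bad packets}
FLOOD = ("198.51.100.7", "tcp", 80)     # zombie host, flood stream
WEB = ("198.51.100.7", "tcp", 443)      # same host, compliant stream
NOISE = ("203.0.113.9", "icmp", 0)      # one-window burst that goes away
SCAN = ("192.0.2.50", "tcp", 22)        # vulnerability scanner, opened until t=120
WINDOWS = [(t, s, n) for t, row in [
    (30, {FLOOD: 9000, WEB: 0, NOISE: 4000, SCAN: 5000}),
    (60, {FLOOD: 9500, WEB: 3, NOISE: 10, SCAN: 5000}),
    (90, {FLOOD: 9800, WEB: 1, NOISE: 0, SCAN: 5000}),
    (120, {FLOOD: 9700, WEB: 2, NOISE: 0, SCAN: 5000}),
] for s, n in row.items()]

def replay(windows=WINDOWS):
    """Return {stream: [stage per window]} for the sample above."""
    m = StagedMitigator()
    m.allow_source("192.0.2.50", until=120)      # temporary opening for the scanner
    out = {}
    for t, stream, bad in windows:
        out.setdefault(stream, []).append(m.observe(t, stream, bad))
    return out

if __name__ == "__main__":
    for stream, stages in replay().items():
        print(stream, stages)
```

Keying state on the stream rather than the source address is what lets the compliant stream from the same host stay in `normal` while its flood stream is blocked.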

He says his company has the same problem that any responsible ISP has: people assume that the service will work and start to take it for granted. "Soon, they even stop looking at our reporting system."

Sides adds that he's proud of the reporting system. "We have a reporting system that can generate PDFs and map attacks, and our customers just don't look at it."

Currently, the company sells mostly to clients doing webhosting, VoIP, IPTV, and to universities. Such customers have fat pipes and multiple upstreams.

Li says that network owners with latency-sensitive content are particularly pleased by RioRey, whether that content is packets from first-person shooter (FPS) games running on university networks or business VoIP calls routed through the data center.

Li adds that some companies, such as SAVVIS, perform regular network vulnerability tests and that RioRey's boxes block them. In order to allow vulnerability testing, specific IP addresses can be opened permanently or temporarily.

You can see RioRey's boxes at ISPCON. Li says he's particularly interested in talking to some fellow exhibitors and admits that the boxes will be too pricey for local ISPs—anyone who has a single upstream link or an upstream running at less than 45 Mbps.

Pricing and availability
RioRey's anti-DDoS devices are available now. Prices range from around $10,000 for a box handling 45 Mbps or 100 Mbps to $60,000 or more for a box handling significant throughput on a 1 Gbps link.

The company is working on a future generation of 10 Gbps boxes. The software, Li says, is ready, but the company is working on the hardware.

—End

Related articles:
  [March 26, 2007] You Cannot Trust Your Infected Customers
  [Sept. 25, 2006] InterCloud Security Service
  [Feb. 28, 2000] CLECs Should Be Proactive In Security

 

 
