Shape Security develops world's first "botwall"

Jan 23, 2014 by Bob Yirka

(Phys.org) —Newly created company Shape Security has announced new technology aimed at combating botnets. Called the ShapeShifter, the product helps protect website owners against website breaches, most specifically from denial-of-service attacks.

Botnets have been in the news a lot lately, due to their apparent ease in shutting down well-known sites. Thus far, they have been notoriously difficult to stop because of the way they operate—using polymorphism—where code is changed on the fly to prevent it from being identified. Botnet creators take advantage of unsuspecting users to build large networks of computers, all of which attempt to access a site at one time, causing it to be overloaded and thus preventing others from using the site for legitimate purposes. Shape Security says their turns polymorphism back onto such attacks by using the same technique locally on each .

In order for a botnet to succeed, all of the computers attempting to access a single website have to look for a common set of symbols or commands that are instigated when web access is attempted. Shape Security has built a roadblock to this approach by causing the computers that access a website to see different information each time they attempt to access the site. Thus, there is no common code for the botnet machines to look for, which means they won't be able to identify the site they are trying to attack, or to access it if found—denial-of-service attacks are averted.
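An illustration of the idea described above, added here and not Shape Security's code or part of the original article: a server gives a form's fields fresh random names in every response and maps them back on submit, so a script written against fixed names has nothing stable to key on. The class `FormShifter`, the `_t` token field and the sample form are assumptions made for this example.

```python
import secrets

# Constructed sample page: a login form with the fixed field names
# that an automated script would normally be written against.
SAMPLE_FORM = (
    '<form method="post" action="/login">'
    '<input name="username"><input name="password" type="password">'
    "</form>"
)


class FormShifter:
    """Hypothetical per-response renaming of form fields, reversed on submit."""

    def __init__(self, fields):
        self.fields = tuple(fields)
        self.pending = {}  # token -> {alias: real field name}

    def rewrite(self, html):
        """Return (html, token) with each protected field given a fresh random name."""
        token = secrets.token_hex(8)
        mapping = {}
        for field in self.fields:
            alias = "f" + secrets.token_hex(8)
            mapping[alias] = field
            html = html.replace(f'name="{field}"', f'name="{alias}"')
        self.pending[token] = mapping
        hidden = f'<input type="hidden" name="_t" value="{token}">'
        return html.replace("</form>", hidden + "</form>"), token

    def restore(self, posted):
        """Translate a submitted form back to real names; each token works once."""
        mapping = self.pending.pop(posted.get("_t", ""), None)
        if mapping is None:
            raise ValueError("unknown or already-used token")
        real = {}
        for name, value in posted.items():
            if name == "_t":
                continue
            if name not in mapping:
                # Static names such as "username" land here and are rejected.
                raise ValueError(f"unexpected field name: {name}")
            real[mapping[name]] = value
        return real
```

Renaming raises the cost of scripted submissions but does not stop a client that parses each page and locates fields by type or position. It also has no effect on floods that never read the response.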


Shape Security claims that the code added to a website won't cause any noticeable delays to the user interface (or change how it appears) and that it works against other types of attacks as well, such as account takeover and man-in-the-browser. They note that their approach works because it deflects attacks in real time whereas code for is changed only when it installs (to change its signature).

ShapeShifter is currently being sold to website owners as a hardware device, though Shape Security says a cloud-based application is under development. Because of the enormous amounts of capital invested by the company in inventing a whole new way to battle web , the cost for each device is believed to be in the millions. For that reason, at least initially, it will be aimed at very large corporate sites, particularly those in the banking, e-commerce and health care industries.


More information: www.shapesecurity.com/


User comments : 2


IamVal
not rated yet Jan 23, 2014
on its face this is blatant ridiculousness, likely intended as a write-off expense for large companies which are less likely to be targets of DDoS in the first place. Like a body-guard, it's more about the feeling of security than actual security.

any botnet, performing a ddos, worth its salt, does not care what the response is from the target server. the end-client doesn't need to receive more than the first few bytes of the header of the packet before resetting the socket, and allowing the info to dissipate into the aether... But in the interests of speed, the target servers almost always send out the entire package, header and body, all at once. If the body is an image of even 500kb spamming these request packets and not spending flops receiving the response can take down practically any server.

any well programmed botnet decodes its instructions from a 3rd server, not the target.

and I really hate to break it to the internet-illiterate, but, if you're trying to obfusca
IamVal
not rated yet Jan 23, 2014
te a packet in a way that makes it difficult for a botnet to read, you're also making it infinitely harder for any browser to read, reducing the overall performance for the end user. Think early otts antiviruses. Most viruses did less damage than trying to run Norton 24/7
