Self-Protecting Design of Secure64 DNS Lowers Total Cost of Ownership by Nearly 75%

GREENWOOD VILLAGE, CO – October 10, 2007 – Secure64® Software Corporation, a software developer with the only Genuinely Secure™ software technology and server applications, today announced independent tests have verified that Secure64 DNS is highly resistant to DDoS attacks. Test results confirm Secure64 DNS remains 100 percent responsive to legitimate DNS queries while under both UDP reflected and non-reflected flood attacks, and significantly outperforms popular Linux/BIND DNS software when subjected to TCP SYN flood attacks.

“This study unequivocally confirms the highly secure, self-protecting nature of Secure64 DNS,” stated Mark Beckett, vice president of marketing, Secure64. “Just as important, the results show that current solutions based on BIND are vulnerable to common DDoS attacks of very small magnitudes – smaller than the size of the average Internet connection for many companies.”

ExtremeLabs, Inc. – an independent testing facility of enterprise computing system-level products – measured and compared how Secure64 DNS and Linux/BIND software responded to legitimate authoritative DNS requests while being subjected to several types of Distributed Denial of Service (DDoS) attacks.

“This comparison test showed that the Secure64 DNS software completely ignored two of the three attacks used, and behaved valiantly when flooded in a TCP SYN attack,” stated Tom Henderson, founder and managing director, ExtremeLabs. “The Linux/BIND server became unavailable quickly, and, in one of our tests, dropped like a rock under modest attack volume.”

Under reflected and non-reflected UDP flood attacks, Secure64 DNS correctly responded to 100 percent of legitimate DNS queries until the Gigabit Ethernet line used in the test became saturated with traffic. In contrast, the response rate of the Linux/BIND DNS software degraded to 90 percent under a UDP reflected flood attack volume of only 33 Mbps, and continued to degrade as attack volume increased, reaching a low of 38.6 percent responsiveness at an attack volume of 527 Mbps. Under a non-reflected UDP flood, Linux/BIND’s response rate was much worse – it deteriorated rapidly at approximately 17 Mbps of attack traffic, reaching less than two percent responsiveness at only 65 Mbps of attack traffic.

Under a TCP SYN flood attack, Secure64 DNS responded to nearly 100 percent of legitimate queries until attack traffic reached approximately 300 Mbps (300,000 SYNs and ACKs per second), and then degraded slowly to 51 percent availability when line saturation occurred at 550 Mbps. Linux/BIND deteriorated immediately in this attack, becoming effectively unavailable when attack traffic reached 220 Mbps.

Secure64 DNS Genuinely Secure Protection Reduces Need for Extra Security Devices

Not only does the performance of Secure64 DNS far exceed the level of protection provided by Linux/BIND, it also greatly exceeds the level of protection provided by commercial firewalls and the level required by Intrusion Prevention Systems to meet test approval standards. This makes Secure64 DNS an extremely cost-effective alternative to traditional approaches to protecting DNS.

“Current approaches to protecting DNS involve making investments in firewalls and IPS’s, which have a high total cost of ownership,” continued Beckett. “By reducing the need for extra layers of network security devices, performance is enhanced and total cost of ownership plummets. These independent test results, combined with basic calculations, clearly demonstrate Secure64 DNS users can achieve a total savings per server system of nearly 75 percent without having to compromise on security.”

Secure64 has developed a calculator using industry-standard cost metrics to measure the costs, benefits and variables involved in security implementations. Secure64 has determined that with a typical perimeter security architecture – including a firewall and an IPS/DDoS application designed to protect three DNS servers running a Linux OS and a DNS application – initial hardware and software costs can exceed, on average, $68,000.

Conversely, a configuration consisting of two servers running Secure64 DNS software that delivers twice the performance of Linux/BIND reduces the initial investment to just over $30,000, as this “Genuinely Secure” system requires no protection from external security devices.

Even more significant is the reduction in operating costs. External operating costs for the perimeter security architecture, such as maintenance and support, cooling and power, represent another $15,000 per year; and internal operating costs of patching and hardening operating systems and managing the firewall and IPS can average over $25,000 per year in manpower. By comparison, the Secure64 DNS solution results in annual operating costs of less than $5,000 per year. Combining both capital and operating costs yields a three-year total cost of ownership for Linux/BIND exceeding $170,000, compared to just over $45,000 for Secure64 DNS.

About DDoS Attacks Used in Test

In a UDP reflected flood, compromised computers send queries to open, resolving DNS servers, spoofing the source IP address with the IP address of the victim DNS server. This floods the victim DNS server with responses, tying up its resources until it can no longer respond to legitimate queries. UDP non-reflected floods typically involve a number of compromised computers that direct a high volume of legitimate DNS queries to the victim server in an attempt to overwhelm it.

A TCP SYN flood attack sends many TCP connection requests to the victim server, causing it to allocate resources for each requested connection while it awaits a final connection acknowledgement, which never comes. The attack usually exhausts either CPU or memory resources, making the server unable to perform its primary DNS function.

Complete survey results and more information on Secure64 DNS can be found by visiting the Secure64 Web site.


About Secure64

Headquartered in Greenwood Village, Colorado, Secure64 is a software developer providing secure, self-protecting, high performing server applications. Secure64’s core technology is SourceT®, a patented Genuinely Secure™ micro OS designed from the ground up to make the micro OS and any applications running on it immune to rootkits and malware and resistant to network attacks. Unlike conventional operating systems with insecure architectures, SourceT does not need to be hardened, patched and protected to minimize exposure to vulnerabilities. By simplifying and consolidating network infrastructures, SourceT-based applications help IT professionals reduce the costs and risks from potential security breaches while achieving unparalleled levels of reliability and performance. For more information,

Company Contact

Mark Beckett
Vice President, Marketing
(303) 242-5899

Press Contacts

Karla Trippe
Trippe and Company
(970) 468-1850

Rich Miller
Trippe and Company
(303) 539-6933