Interview with Jag Bains, CTO of DOSarrest

DOSarrest, founded in 2007 is a leading pioneer in DDoS Mitigation. They currently have 25 employees, 300-400 customers, including many government agencies, and four scrubbing centers located in Los Angeles, New York, London and Singapore, with more on the way. Besides DDoS protection, they provide Load Balancing, Vulnerability Testing, WAF, Proxy Services, and an Advanced Website Monitoring service called DEMS.

DEMS monitors website availability on a per URL basis anywhere in the world. This works especially well for companies that have dozens or hundreds of URLs under one umbrella and are using a CDN. Some CDNs won’t be able to tell you if a specific website is down or slow in some part of the world, whereas DEMS does exactly that. The cool part is that DOSarrest decided to build their WAF and DEMS platform from the ground up, opting against Mod_security, because it had too many weaknesses. A big thanks to Jag and the crew for the interview.

Who is DOSarrest and how did you come up with the idea? DOSarrest is the brainchild of Mark Teolis, the founder of PEER1 Hosting, who saw the unique challenge and need to focus on protecting against DDoS attacks. After attempting to introduce DDoS services in the PEER1 hosting networks, he left PEER1 in 2007 to start DOSarrest, recognizing that the only way to combat DDoS attacks was with a dedicated environment and team, instead of adding it to the burgeoning responsibility list of hosting NOC.

At PEER1 he observed a high number of attacks in terms of their size and severity, and was able to architect a network that would thwart such attacks, with a focus on HTTP/HTTPS (TCP 80/443), which are the primary services most attacked by DDoS attackers.

Are DDoS attacks getting mores sophisticated? Most definitely. DDoS attacks are no longer just attempts to simply fill bandwidth pipes with garbage traffic. Nowadays, DDoS attackers recognize that it’s easy to exhaust CPU resources of web servers by targeting select elements and services of a website which take up a higher load.

With their reconnaissance and knowledge of the various popular web platforms (WordPress, Drupal,, Joomla, etc.), attackers can now disrupt a site with a much smaller footprint of attack servers, or bots. They are also adjusting the attack web requests so they mimic, as much as possible legitimate user requests, which they do, via a deeper analysis of the packets headers.

Your pricing structure is very cost effective. How does it work? Our pricing structure is a fixed rate model, based on the amount of clean traffic. Attack traffic doesn’t count towards a customers bandwidth allotment, nor is there a tiered  pricing structure that specifies how much attack traffic will be absorbed, before forcing you into a more expensive package, which some of our competition do.

Our engineering team has invested vast amounts of resources in architecting an optimal platform that strictly mitigates DDoS attacks, and the experience has enabled us to create a fixed cost model, which means we pass along the savings to our customers.

Why did you build your own WAF and is it better than Mod_security? We attempted to use some open source initiatives but found that they did not scale well within a multi tenant environment. Also, they had lots of bugs. After an assessment of Mod_security, a Negative Model Firewall, we decided to go in the other direction and build our own Positive Model Firewall, which provides security to the web layer through a whitelist system, so basically anything not allowed is forbidden.

This is in direct contrast to Negative Model firewalls (eg. Mod Security) which has been more heavily adopted, but much easier to bypass; Because js/html/*sql languages are so rich, identifying a comprehensive list of deny rules is impossible, especially with zero day exploits, and Negative Models like Mod_security are insufficient.

In a series of tests we conducted, using our world-class Accunetix scanner, a vanilla configuration of the DOSarrest WAF scored 72 percent in blocking SQLi, Blind SQLi, XSS and Directory Traversals, far exceeding negative model setups, which required extensive configurations to even reach 50%

Is DOSarrest better at mitigating attacks than competitors? Many of our competitors have a core competency (e.g. CDN, Hosting, etc.) and then added DDoS protection services afterwards. The lack of strict focus results in lengthy delays when it comes to diagnosis and resolution, leaving targeted customers down for extended periods of time. Since we are focused on DDoS protection services only, we do a much better job. Some of the services we offer include the following:

  1. Our global network has numerous protection layers in place, creating a best of breed environment, engineered specifically for HTTP/HTTPS protection
  2. 24/7 Security Operations Center focused on identifying anomalous traffic signatures
  3. An internally built web performance and monitoring platform used by our SOC as well as our customers
  4. Internally development custom rule-sets and features for dealing with zero day events; we’re able to thwart all attacks types faster than our competition

How does your Load Balancing service work? Our cloud based geo-load balancing solution enables customers to set up their own origin servers in various data centers throughout the world. In addition, we provide 5 methods (Round Robin, IP Hash, Least Connections, Weighted, By Domain) that customers can use at any of our four locations (e.g. London may have a different set of upstreams using Round Robin, and Los Angeles can be using Weighted).

Furthermore,  each of these load balancing algorithms can be applied at a URI level and not just a domain (e.g.. can have it’s own set of upstreams and load balancing features from

Our Load Balancing solution is proactively managed 24/7, so our team is able to resolve issues quickly.

How do you leverage your CDN assets with DDoS Mitigation? Running a web reverse proxy, which is what all CDN’s do, allows us to leverage the caching capabilities of NGINX. DOSarrest’s CDN is highly customizable, allowing customers to specify unique cache directives on resources as granular as individual URL’s or file types.

DOSarrest is fully RFC2616 compliant, so clients can use our fully featured control panel to define and/or override a websites cache-control headers, or they can manage caching directives, via the cache control headers from the webserver. Currently, all of our customers content is cached in  Europe, North America and APAC. This is in contrast to a few CDN’s, where they may limit their cached content to only a few number of PoPs. For more detail, check it out here.

By leveraging our caching platform, we can limit the amount of connections to the origin server, saving precious CPU cycles and web server resources, which may be completely exhausted during an attack.

Do you have customers that came over from CloudFlare? What do you offer that CloudFlare doesn’t? We have a good amount of customers that changed from the CloudFlare platform to DOSarrest. These customers found CloudFlare to be expensive. Initially, when these customers signed up with CloudFlare, they signed up for the low cost plan, but later on they found out the hard way that only premium plan can mitigate the more sophisticated attack. Our pricing plans are simple, and we don’t require customers to switch plans for different types of attacks, thus we think we offer a better solution.

Digiprove sealCopyright secured by Digiprove © 2015