Sharktech, one of the earliest providers of DDoS mitigation services, continues to forge ahead into the enterprise space, providing security solutions to its customers around the world, including numerous state agencies. We recently got the chance to talk to CEO Tim Timrawi about his business and some of the latest trends impacting the security space. A big thanks to Tim and his executive staff for the interview.
Tell me about your background, Tim, and how you came up with the idea for Sharktech.
We initially started in the hosting business in 1996. It was pretty simple back then and I noticed that there was no viable solution out there for hosting customers to help them mitigate DDoS attacks effectively. There were very few options and the specialty security appliances at that time were very limited in capabilities. Then in 2002-2003, we decided to start developing our own home-grown system that could handle DDoS attacks. We launched one of the very first DDoS mitigation services in 2003. The rest is history.
Can you tell me about your infrastructure and is your technology designed in house?
We try to host all our sites at a neutral location and originally our scrubbing center was in Chicago. Now we have four: Denver, Chicago, Los Angeles, and Amsterdam. We use the data center that is geographically most strategically located to the attack. Once the attack is detected, we deploy in-house built scrubbing technologies. The difference between us and the big name in-house systems is that we can handle new patterns of attacks and inspect for new attacks instead of waiting for third parties to report the attacks to us and come in to put in solutions for attacks.
Do you offer threat detection analysis to your customers?
Yes, we inform them of new threats and will scan for any new threats for all our customers once we are informed of them. We let any of our customers that is also vulnerable or a victim know.
Is your focus mainly on DDoS mitigation?
Primarily, yes. We started with DDoS protection services and have grown from there, specifically from the layer 2 level, and then expanded our security stack across more layers. Many companies have come into the market in the last 6 years with DDoS protection services that put an appliance on the edge and hope everything goes fine. We started from layer 2 on the switch rack side all the way up to the edge of the network.
What layers do you protect?
Up to the application layer, but we try to avoid going to the application layer. We try to bring mitigation down to layer 3 and 4 and address as much as possible at lower levels. We only do application layer mitigation when needed. We have noticed that many attacks can be handled at these lower levels, though there are still many others that must be handled on the application layer.
Do you offer web application firewall services?
We do not at this moment, but we are looking into it. We have noticed lately that the application layer software has been developed excellently to mitigate attacks and less and less is needed on our side. However, we do provide the service. We do not, however, want to offer an a la carte product to avoid having to change the structure of the product to fit each individual customer and application.
What kind of attacks are you seeing? Multiple layer attacks? How long do the attacks last and what size are they?
Usually we see at least two types of attacks coming in at the same time and they are both volumetric and on the application service layer. The volumetric attack is filtered out almost instantly. The most common attack seen lately is an application layer attack. This is becoming a very common attack method because of its cost-effectiveness. Many sites are providing attack information for the “bad eggs” to use against companies. Many attacks are more than 70Gbps, especially when multiple simultaneous attacks are incorporated. Attacks are reaching a higher volumetric level than they ever used to.
What about a huge 80Gbps attack for a month at a time? Who pays for that bandwidth?
We have never seen an attack go more than 5 or 6 days and certainly not a huge attack for that long. Usually we can tell the origination site and after a couple of tries, they give up. Attacks that last 10 days account for maybe less than 2% of attacks. Anyone with that size of botnet that has the capability to go 80Gbps has it as an asset. Keeping that attack going on for a long period of time will alert the PoP at the origin of the attack and they will stop them because the PoP doesn’t want to pay for it either. The attacker is risking losing resources they already have.
How do you price your product? Per capacity?
We use a flat rate. It always has been. It feels immoral to use a size-based model because you can go in and try to find attacks to get more money. There are two tiers, though. The standard tier is up to 20Gbps. On this level, with as little as one hosted server, we provide DDoS mitigation. We also provide second level IP up to 100Gbps in which we use handicaps to announce the attack to all 4 of our data centers and then back to service provider. For this tier, another IP address is an additional $1500/month.
How many employees do you have and what VC investment have you seen?
We are not interested in funding from the outside and have not been pursuing it. If something comes in, we will consider it. We have 15-20 employees.
How easy is it to sign up for your service?
Once you sign up online, you will have service within 6-12 hours. All servers and IP addresses instantly have DDoS protection service. We are there to help with mitigation if an attack does occur and monitor their system when they first start with us in addition to letting them know if they have any malware or other threats already in their system. We also offer remote DDoS protection so that businesses, hosting providers, and internet service providers do not have to migrate, but can still get Sharktech protection using GRE BGP and Anycast.
So you offer 24/7 service and your materials to mitigate and resolve attacks are proprietary?
Yes. 24/7 service and all internally developed systems. Our staff are DDoS experts that are always available. From monitoring to detecting for systems that we host as well as the detection of the types of attacks launched and the filters that are implemented all are internally developed.
So do you have a bigger focus on DDoS mitigation, hosting, or cybersecurity?
When we started, we just did DDoS mitigation. Then there were many changes in the market and now we have to redefine what services we want to provide. We provide DDoS protection with a hosting service, and that is the most simple that I can make it. We are working to define ourselves in this marketplace.
What do you think about big CDNs buying security companies?
It’s excellent. There has been a lot more focus on this market in the last 6 years. I remember when we first started and products were almost unavailable, pricing was way beyond reasonable, and now there is more competition and creativity. In general, competition is healthy for business and helpful for the community.
Finally, do you have any plans to offer caching?
Right now we are focusing on infrastructure level DDoS attacks. We are launching this for companies that don’t need more infrastructure to help them. Once we complete and successfully launch our DDoS mitigation for clients that we are not hosting, we are already looking into developing something on the application layer.