Arbor is one of a handful of companies, including Lancope, Q1 Labs and Riverbed Technologies (with the acquisition of Mazu Networks in 2009), that employ network behavior analysis to detect security issues, primarily by analyzing network flow telemetry. Increasingly, this technology has served both security and network operations, although Arbor has made anti-DDoS capability its primary focus.
There's plenty of market opportunity for DDoS detection and mitigation, "just by virtue of the growth in DDoS attacks, and both in number and volume," said Jennifer Pigg, VP for Yankee Group's Anywhere Network Research Group.
Arbor uses a combination of network flow analysis, deep packet inspection and attack fingerprints, looking for anomalous behavior that could signal an attack. The geography-based detection allows Arbor to alert a carrier or enterprise when heavy volumes of traffic are coming from an unexpected country, one that they typically do little or no business with. This is also useful in establishing a baseline of normal traffic when the product is deployed. Peakflow can also detect unusual volumes of outbound traffic going to certain countries, which would indicate host machines that have been compromised by bots. Pricing for Peakflow SP 5.5 starts at $58,000; for the stand-alone Threat Management System, $53,000.
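The per-country baselining and alerting described above can be sketched over flow summaries as follows. This is an added example, not Arbor's algorithm or code from the article; the flow records, the placeholder country codes XX and YY, the function names and the thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed flow summaries per time window: (direction, remote_country, bytes).
# "XX" and "YY" are placeholder country codes, not real telemetry.
BASELINE_WINDOWS = [
    [("in", "US", 9_000_000), ("in", "DE", 800_000),
     ("out", "US", 4_000_000), ("out", "DE", 1_000_000)],
    [("in", "US", 11_000_000), ("in", "DE", 1_200_000),
     ("out", "US", 4_400_000), ("out", "DE", 600_000)],
]
CURRENT = [("in", "US", 12_000_000), ("in", "DE", 900_000), ("in", "XX", 6_000_000),
           ("out", "US", 4_100_000), ("out", "YY", 2_500_000)]

def per_country(window, direction):
    """Total bytes per remote country for one direction in one window."""
    totals = defaultdict(int)
    for d, country, nbytes in window:
        if d == direction:
            totals[country] += nbytes
    return totals

def build_baseline(windows, direction):
    """Mean bytes per window for each remote country seen during baselining."""
    sums = defaultdict(int)
    for window in windows:
        for country, nbytes in per_country(window, direction).items():
            sums[country] += nbytes
    return {c: s / len(windows) for c, s in sums.items()}

def geo_anomalies(baseline, window, direction, min_bytes=1_000_000, ratio=3.0):
    """Countries sending/receiving heavy volume far above their baseline.

    A country never seen in the baseline has an expected volume of 0, so any
    volume above min_bytes alerts. Thresholds are assumed values for the demo.
    """
    alerts = []
    for country, nbytes in sorted(per_country(window, direction).items()):
        expected = baseline.get(country, 0.0)
        if nbytes >= min_bytes and nbytes > ratio * expected:
            alerts.append((country, nbytes, expected))
    return alerts

if __name__ == "__main__":
    for direction in ("in", "out"):  # "out" covers the compromised-host case
        base = build_baseline(BASELINE_WINDOWS, direction)
        print(direction, geo_anomalies(base, CURRENT, direction))
```

Note that the US inbound volume rises in the current window without alerting, because it stays within three times its own baseline; only volume from countries with little or no prior traffic is flagged.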
Arbor reports it tracked more than 350,000 DDoS attacks in 2009. The reasons can be traced to expanded motivation and the increased availability of botnets, said Rakesh Shah, Arbor director of product marketing. "Motivation and increased firepower are a powerful combination," he said.