Arbor Networks Offers Enterprise Data Center Appliances To Counter Application-Based DDoS

Arbor Networks is introducing a new line of appliances designed to protect Internet-facing enterprise data centers against application-layer distributed denial of service (DDoS) attacks. The Pravail Availability Protection System (APS) family of appliances complements Arbor's network-based Peakflow appliances, which are primarily sold to carriers and service providers.

May 11, 2011


The Peakflow appliances are designed to detect and mitigate traditional high-volume DDoS attacks, such as SYN floods, which service providers are well-positioned to deal with. However, more targeted, application-layer attacks go after the enterprise web server. Detection requires inline packet inspection, which would be prohibitive in terms of cost and possibly performance for massive volumes of network traffic at the carrier or ISP level.

"There's been an uptick in application-layer attacks; they have a similar objective to high-volume attacks, to inundate resources so they don't function," says Michael Suby, director at Stratecast, a division of Frost & Sullivan. "Attacks are going up in total, and neither type is going down."

Application-layer attacks can't be detected with network-based anti-DDoS technologies because they don't meet the bandwidth thresholds for anomalous traffic volume. They fly beneath the threshold of requests served by a web server, Suby says, and exploit certain types of requests that are consuming resources.

Enterprises have a number of anti-DDoS options, including buying excess bandwidth from their providers to meet surges in demand, as well as to absorb the impact of attacks. In addition to network-based protection from ISPs, enterprises can purchase focused anti-DDoS services from companies such as Verisign.

Arbor joins an inline appliance anti-DDoS market that includes companies such as Top Layer, IntruGuard and RioRey. Suby also noted that TippingPoint offers anti-DDoS capabilities in its IPS line. And F5 has built anti-DDoS capabilities into its application-delivery platform.

Global threat research is a key for Arbor, says Rakesh Shah, director of product marketing and strategy. Arbor has a number of global honeypot or sensor networks, which feed information to its ACERT research team.

"We are constantly detecting new DDoS malware families," he said. "The research goes into the ATLAS Intelligence Feed, which is unique to Pravail since it is actually inspecting the packets." The Intelligence Feed automates identification of botnet-borne attacks and automatically delivers threat updates, including geolocation data.

Arbor also unveiled its cloud-signaling technology, a protocol that enables Pravail to automatically send a signal from the data center to its ISP--assuming the provider is using Arbor's Peakflow network-based appliances. Shah said this cuts the lag time that's typical when an enterprise comes under attack and contacts its provider to mitigate.

The market for inline anti-DDoS appliances such as Pravail will largely be centered on gambling and gaming sites, which are subject to relatively frequent attacks, Suby says. These companies are often subject to extortion demands, either after an attack or threatening one. Some online gambling and gaming companies have been known to launch attacks to disrupt competitors. High-volume financial services and retail companies would be other possible customers, but, generally, anti-DDoS products or services come under the heading of insurance-type purchases.

"It's not a top security priority," Suby says. "Most companies won't make investments unless they have an attack, and even then they may be reluctant to purchase, thinking it won't happen again. The price hasn't come to the point of being attractive to a broad set of enterprises."

Arbor is initially selling a 2Gbps appliance with a manufacturer's suggested retail price of $65,000, the first of four models going up to 10Gbps. 
