Arbor Networks' Peakflow Adds Mitigation And Geography-Based Detection

The latest release of Arbor Networks' flagship product, Peakflow SP, which combines DDoS detection and mitigation with network management, offers geo-political IP alerting on traffic spikes from suspect countries and IPv6 BGP support for greater visibility into traffic flows. With Peakflow SP 5.5, Arbor is also offering a stand-alone version of its Threat Management System appliance, allowing carriers and enterprises to rapidly deploy DDoS mitigation in the face of attacks.

October 22, 2010

Network Computing


Arbor is one of a handful of companies, including vendors such as Lancope, Q1 Labs and Riverbed Technology (with the acquisition of Mazu Networks in 2009), that employ network behavior analysis to detect security issues, primarily by analyzing network flow telemetry. Increasingly, this technology has served both security and network operations, although Arbor has made anti-DDoS capability its primary focus.

There's plenty of market opportunity for DDoS detection and mitigation, "just by virtue of the growth in DDoS attacks, and both in number and volume," said Jennifer Pigg, VP for Yankee Group's Anywhere Network Research Group.

Arbor uses a combination of network flow analysis, deep packet inspection and attack fingerprints, looking for anomalous behavior that could signal an attack. The geography-based detection allows Arbor to alert a carrier or enterprise when heavy volumes of traffic are coming from an unexpected country, one with which it typically does little or no business. This is also useful in establishing a baseline of normal traffic when the product is deployed. Peakflow can also detect unusual volumes of outbound traffic going to certain countries, which would indicate host machines that have been compromised by bots. Pricing for Peakflow SP 5.5 starts at $58,000; for the stand-alone Threat Management System, $53,000.

Arbor reports it tracked more than 350,000 DDoS attacks in 2009. The reasons can be traced to expanded motivation and the increased availability of botnets, said Rakesh Shah, Arbor's director of product marketing. "Motivation and increased firepower are a powerful combination," he said.

"It's not just hackerism," said Pigg. "We've seen very focused attacks out of Pakistan, out of China, out of Iran; some have been very thinly veiled government sponsored attacks." Political and protest groups and competitive rivals are also responsible, according to both Shah and Pigg.

Arbor introduced IPv6 support in its last release, but the BGP support will enable service providers that launch IPv6 services to look at Autonomous System Numbers (ASNs) to get better visibility into where traffic is coming from. The new release also supports four-byte ASNs, which are coming into use as the pool of two-byte ASNs is depleted. The 5.5 release also features infected host detection and infected subscriber reporting.

The stand-alone TMS appliance offers DDoS mitigation without the detection and network analysis capabilities of the Collector Platform (CP), the other major component of Peakflow SP. The most immediate market will be Cisco customers, who are in need of a DDoS mitigation tool since Cisco announced the end of life for its Guard product.

In addition, Shah said, some ISPs use their own detection methods or know that certain customers are frequently under attack and need to deploy mitigation. Smaller online properties might just want TMS to respond when they are under attack.

The ability to deploy TMS mitigation technology rapidly is a plus for Arbor as well, said Yankee's Pigg. "The customer rolls of Arbor are littered with 'let's close the barn door' customers," she said. "Customers come to them when under attack or they have just suffered attack. They want something that can quickly be implemented while they look for something more comprehensive."
