Arbor White Paper Protecting IP Services from the Latest Trends in Botnet and DDoS Attacks Global Insights, Detection Strategies and Mitigation Methods



About Arbor Networks

Arbor Networks, Inc. is a leading provider of network security and management solutions for enterprise and service provider networks, including the vast majority of the world’s Internet service providers and many of the largest enterprise networks in use today. Arbor’s proven network security and management solutions help grow and protect customer networks, businesses and brands. Through its unparalleled, privileged relationships with worldwide service providers and global network operators, Arbor provides unequalled insight into and perspective on Internet security and traffic trends via the ATLAS® Active Threat Level Analysis System. Representing a unique collaborative effort with 230+ network operators across the globe, ATLAS enables the sharing of real-time security, traffic and routing information that informs numerous business decisions.


DDoS Attack and Botnet Trends

Distributed denial of service (DDoS) attacks first made the news in February 2000 and have maintained a high media profile ever since—a fact made evident by the following headlines:

“Amazon.com, eBay, Yahoo Crippled by DoS Attacks” — February 2000

“Massive DDoS Attack Hits Internet DNS Root Servers” — October 2002

“MyDoom Becomes the Internet’s Fastest Spreading Worm Ever” — January 2004

“Top Threats in 2006: SQL Slammer & Blaster Worm” — October 2006

“Storm Worm Rages Through Internet Over the Weekend” — January 2007

“Cyber Attacks on Estonia” — May 2007

Victims of these crippling and widespread Internet-based attacks include Internet service providers (ISPs), enterprises and broadband subscribers alike. To make matters worse, Internet service subscribers are often unknowing participants in the proliferation and execution of many such attacks. This occurs when hackers covertly pirate subscribers’ high-speed connections and compromise their PCs—turning them into zombies that form a huge army of malicious botnets. Remotely controlled by hackers, these botnets wreak havoc throughout the Internet by executing all kinds of malware and DDoS attacks. According to a recent study from Arbor Networks entitled “Worldwide Infrastructure Security Report, Volume III” (www.arbornetworks.com/report), botnets and DDoS attacks are the top concerns of today’s Internet service providers. Together with large-scale malware, these threats can severely compromise an ISP’s core equipment, resources and business-critical IP services.

Emerging technologies introduce additional vulnerabilities that put today’s networks at even greater risk of security threats. Service providers around the world, eager to obtain the operational and competitive advantages of new technical innovations, are accelerating their deployment of networks built on high-speed fiber optics and IP-based services, such as MPLS, IPTV, VoIP and VPN.

Although there clearly is a broad range of benefits available from these new networks and services, there is an equally broad range of security threats that can seriously curtail or even wipe out those benefits. Service providers recognize that if they are to realize the promise of next-generation IP-based services, they must understand the nature and power of their cyber-enemies. Armed with this knowledge, providers can deploy the necessary solutions designed to defend their networks and services from the threats that are out there today—and the ones that surely will emerge in the future.

Deliberate attacks on service provider networks are, and will continue to be, a major headache for ISPs and their customers. The U.S. Federal Bureau of Investigation (FBI) estimates that computer crime costs American companies alone a staggering $62 billion a year.

For each of the last three years, Arbor Networks has conducted a survey of service providers in North America, Europe and Asia to determine their experiences with security threats. This section provides subjective data from this survey (Worldwide Infrastructure Security Report, Volume III) in conjunction with objective findings from the Arbor Security Engineering and Response Team (ASERT), a world-renowned group of security engineers and researchers dedicated to monitoring Internet threats on a 24/7 basis. ASERT mines and correlates up-to-the-minute global security data, continually analyzing it to detect and qualify developing Internet threats.


DDoS Attacks Continue to Grow in Size and Frequency

According to data received from the survey, there has been a 140 percent increase in the size of the largest detected DDoS attack over the last three years. In 2007, the largest observed sustained attack was 24 Gbps, compared to 17 Gbps in 2006. Thirty-six percent of the surveyed ISPs reported that they had observed attacks of over 1 Gbps in 2007. This is significant because most Internet backbone links are 10 GB and enterprise circuits are multi-gigabit in size.

Additionally, Arbor research conducted from September 2006 through August 2007, a period of 321 days, revealed that there were 362,394 DDoS attacks—an average of 1,128 attacks per day.

DDoS Attack Protocols

When asked in the survey “Which protocols were being used for the largest attacks, considering both packets-per-second (pps) and bits-per-second (bps)?” the responses were:

Largest Attacks (bps): Forty-three percent of the attacks were UDP floods (e.g., Smurf attacks or ICMP floods), 19 percent were application attacks (e.g., sending malformed DNS packets or opening excessive HTTP connections) and 18 percent were TCP SYN attacks.

Largest Attacks (pps): Forty-one percent of the attacks were UDP floods, 26 percent were TCP SYN attacks and 17 percent were application attacks.

Statistical data recently released by ASERT matches some of the survey responses:

Figure 1: Largest Bandwidth Attacks Reported (Gbps on the vertical axis, 0–100; years 2002–2011 on the horizontal axis). Source: Arbor Networks, Inc.

Attack Subtype           Percent of Total Attacks
TCP SYN                  15.53
IP Fragment              14.41
TCP Reset                 6.45
Private IP Space          1.22
IP NULL Protocol          0.78
TCP NULL Flag             0.57
DNS                       0.23


ASERT continues to see dramatic activity in this realm, with thousands of attacks occurring daily. Below is an excerpt of ASERT’s analysis of the above statistics.

• Transmission Control Protocol (TCP) attacks continue to dominate the DDoS landscape, being both powerful and easy to launch. Attackers continue to favor this attack for its efficacy against a wide variety of services and hosts, providing both a bandwidth-exhaustion attack as well as a system attack on the host OS and application.

• Although the number of DNS-based attacks (including DNS reflective amplification attacks) has increased, these attacks still have not grown to the level of popularity of common vectors, such as IP NULL protocol attacks.

• Despite the relatively low prevalence of DNS-based attacks, there was much concern in the past year about DNS amplification attacks. But aside from a spike in March 2007 when their prevalence matched that of ICMP attacks, DNS attacks have been relatively infrequent. It is hard to say at this time if this is an actual relative prevalence or if this is due to the emerging deployments of sensors capable of classifying and mitigating DNS attacks.

Botnets Are a Top Concern for ISPs

Botnets, a major problem identified by ISPs, continue to plague the Internet. In fact, botnets are considered a growth sector within the attacker underground, with new code bases, uses and operators frequently appearing. For ISPs and network operators, botnets represent a multi-faceted threat. First, they remain a major source of DDoS attacks. Secondly, they have become a serious source of spam email traffic, which burdens the email processing infrastructure of all providers. Finally, the scanning and attack activity of a large botnet can disrupt normal network operations and cause outages. For all these reasons, most ISPs are concerned with large-scale malcode, most commonly embodied in botnets.

Not surprisingly, much of this concern was corroborated by respondents of the survey. When asked “What types of threats are you most concerned with?” botnets and DDoS attacks topped the list. The survey results were:

Primary Concerns: Twenty-nine percent of ISPs said botnets and 24 percent said DDoS.

Secondary Concerns: Thirty-one percent said botnets and 20 percent said DDoS.

ISPs observed that botnets were used for:

• DDoS attacks (71 percent)

• Sending spam (64 percent)

• Parts of phishing systems (37 percent)

• Open proxies (34 percent)

• Storing ID theft information (16 percent)

• Other (6 percent)

According to survey respondents, these new botnets exhibitedthe following characteristics:

• They were smaller but more targeted, effective and organized.

• They were protected by encryption, peer-to-peer communication and MD5/SHA-1 counter-reconnaissance.

• They were distributed in nature, making the attacks more complicated and the location of the master controller more difficult.

Botnet Growth Patterns

Recent ASERT research shows that botnet server lifetimes fall into a very specific pattern commonly referred to as a long-tailed distribution. The data from this research clearly indicates that most botnet servers—nearly 65 percent—are found and disabled within the first day of their operation. This suggests that there are very effective networks for gathering information about new botnets and sharing it with the right network or system operators. It is this communication that leads to disabling the host with the botnet IRC server. Overall, if a botnet is able to make it past the first day, it has a fair chance of surviving for several months or more. Research also shows that some botnets remain active for nearly a year. The fact that known botnets can operate for this long should be a call-to-arms for all ISPs.

Apart from a few bursts of activity, between 10 and 20 new botnet servers are found every day. Factoring in the number of such servers disabled daily, approximately 1500-1800 botnet servers are currently active—a number that is slowly rising. This trend is likely to continue as the number of IRC botnet servers keeps growing for the foreseeable future.


Botconomics: The Underground Economy of Botnets

There are many reasons for a miscreant to initiate a botnet attack. Some attacks have religious or political motivation behind them. Some are simply ego-driven as professional hackers or script kiddies compete to see who can cause the most damage by infiltrating the biggest and most secure sites. With that said, the most serious attacks usually have financial goals in mind. Extortion, stealing money from compromised online bank accounts, luring innocent users to phishing sites, the illegal use of stolen credit cards—these are common results of botnet attacks. In fact, there is an underground economy emerging to support the building, selling and buying of botnet attack tools, an economy that Arbor Networks has coined “Botconomics.™”

Botconomics is fueling the rapid growth of the botnet world. The simple motivation behind the rise in botnets is money. Years ago, hackers had to be technically savvy and know how to write code to initiate an attack or create a botnet. Today, they can buy and sell that code in online markets, which are likened to traditional underground markets. In fact, there are such online communities available to anyone who earns their trust—usually demonstrated by getting a certain quantity of stolen credit cards, bandwidth or email addresses to build street credibility. ASERT has uncovered numerous sites which boldly market their botnets and booty.

Here are some examples of common advertisements and related costs:

Item                        Range of Prices
.net Domain Names           $0.05
nasa.gov Domain Names       $0.05
Proxies                     $0.50 – $3
Credit Cards                $0.50 – $5
Email Passwords             $1 – $350
Email Addresses             $2/MB – $4/MB
Compromised UNIX Shells     $2 – $10
Social Security Numbers     $5 – $7
Mailers                     $8 – $10
Scams                       $10/week
Full Identity               $10 – $150
Bank Accounts               $30 – $400

Often these disreputable sites advertise their botnets via discreet email campaigns. A recently discovered email touted botnet servers that provided:

• Excellent ping and uptime

• Rotating IP addresses

• Different ISPs

• Intuitive user interface

• Online technical support

• SLAs: 100 percent uptime guarantee!

Botnets and attack code continue to evolve as the cat-and-mouse game between hackers and security vendors reaches new levels. Today’s hackers are even writing code to evade current AV databases, disable auto-update functions and evaluate botnet connectivity speed and availability.


Question & Answer Session

Dr. Craig Labovitz

Q: Why is the number, frequency and intensity of infrastructure threats rising?

A: Over the last three or four years, the hacker/miscreant community has recognized that it is sometimes far more effective to go after the infrastructure than the end systems. So the attacker targets a particular Web site based on his personal or financial motive. Maybe it’s a gambling or porn site, an online bank or some other cyber community that hasn’t bent to his wishes or paid his [extortion] demand. By actually attacking the infrastructure, whether it be upstream routers, upstream interfaces or even things like the routing protocols, the attacker can be very effective in taking that institution off the network. In fact, that is sometimes easier than trying to attack an individual PC or workstation.

Q: Managed security services are clearly a growth market. Yet some enterprises may be reluctant to outsource their security. Generally speaking, who is best positioned to protect enterprise networks—the service provider or the enterprise itself? Or is the ideal protection an approach based on mutual cooperation between the two?

A: We are seeing a lot of interest in the latter. If the service provider is your internal network, then it makes sense for the service provider to offer internal security. In fact, there are some things only the provider can do. For example, large bandwidth attacks need to be blocked within the provider’s network. So it does make sense for many of these services to be offered in the cloud, where they can be scalable and provided more effectively.

Q: Are service providers and their customers to be relegated forever to the reactive mode? Or will they at some point be able to take the offense and go after would-be attackers before they attack?

A: Just like in banking, security is crucial to service providers and their customers. But I don’t walk into my local bank and worry about whether there’ll be some type of event while I’m there. I don’t worry about my money being safe in the bank. It’s not that bank robberies don’t happen, it’s just that there’s enough infrastructure in place that it’s not a daily concern. And I pay for that as a consumer—for the doors, the vaults and all the additional security. It just becomes part of daily life. It’s often said about security that it’s always a trade-off with usability. The Internet is no different.

Today, a large number of folks out there are paying for network security features including DDoS protection, which most major service providers offer. These security features are either built into the basic price or there is a small additional fee. For the most part, it’s mostly a solved problem—at least for the moment. We aren’t seeing major sites like eBay, Yahoo! and Amazon coming under attack today like we did back in 2000. But it’s a cycle, like anything else. We’re entering a period of increased risk now as ISPs deploy advanced new services, next-generation networks, VoIP, convergence and other innovations—giving rise to more sophisticated zombie armies along with increased bot command and control. So the cycle continues.


Multiple Advantages of In-Cloud Security

As botnets and DDoS attacks continue to increase in size, frequency and complexity, they impact not only their target victims, but also the network infrastructure of ISPs that are, unfortunately, the conduit for these attacks.

As a result, it is imperative that ISPs have the proper level of cost-effective, pervasive visibility into all network traffic in order to ensure the optimized delivery of next-generation network services. This visibility must penetrate all portions of an ISP network (including its backbone, peering and transit points, and customer aggregation edges) and cover all layers of the communications stack (extending from the physical layer, to routing and ultimately to the application layer).

But pervasive visibility alone is not enough. ISPs also require intelligent visibility into their networks in order to:

• Determine what’s “normal” versus “abnormal” network activity

• Conduct BGP route analytics for traffic engineering

• Identify the most cost-effective transit/peering relationships

• Analyze customer traffic for new service opportunities

• Detect and mitigate threats before they impact IP services and customers

In this day and age when cyber-crimes and attacks require little expertise, enterprises and ISPs are even more vulnerable to Internet-based threats, such as botnet and DDoS attacks. It also is becoming increasingly obvious that threat detection and mitigation can only be done effectively—both from a cost and performance perspective—from within the service provider’s network. Such “in-cloud” security services can deliver multiple benefits, namely:

Enterprise DDoS Protection

Enterprise customers continue to rely on their ISPs for business-critical functions such as e-commerce, VoIP, B2B connectivity, telecommuting and even back-end systems like CRM (e.g., Salesforce.com). The disruption of these services can have a major impact on business continuity. Many enterprises are also beginning to realize that the high cost and low effectiveness of some in-house security systems do not make sense—specifically in the case of DDoS attacks. Therefore, some enterprises are now taking a “layered” approach and relying on their ISPs for in-cloud DDoS protection services to detect and mitigate such attacks before they jeopardize business continuity.

New Revenue Opportunities for ISPs

While some ISPs have looked at DDoS attacks as a curse, others have seized the opportunity to differentiate themselves and generate new revenue streams from managed security services. In fact, according to Arbor Networks’ Worldwide Infrastructure Security Report, Volume III, the number of surveyed ISPs who offer managed security services jumped from six in 2006 to 40 in 2007. Below are some examples of in-cloud DDoS protection services being offered by various service providers around the world today:

• Belgacom: Clean Internet Services

• British Telecom (BT): Managed DDoS Services

• Cable & Wireless: Anti-Distributed Denial of Service and Secure Internet Gateway/DDoS Protection

• COLT: IP Guardian

• Rackspace: PrevenTier

• SAVVIS: Network-Based DDoS Mitigation

• TELUS: Managed DDoS Prevention

• The Planet: Peakflow® DDoS Detection

• Verizon Business: DoS Defense Detection and Mitigation

IP Service Assurance for ISPs

In-cloud DDoS detection and mitigation capabilities are not only new managed service opportunities for an ISP, but they also serve as network infrastructure protection systems that help maintain the quality of business-critical services, such as BGP routing, DNS and Triple Play. Specifically in the case of Triple Play services, ISPs must maintain a minimum quality of service (QoS) and reliable performance or risk losing their customers to the competition. Botnet and DDoS attacks can dramatically impact the performance and customer-perceived quality of these services. It is imperative, therefore, that ISPs have the means to provide in-cloud security services that can quickly detect and mitigate network-based threats.


The Best Defense: Anticipating and Mitigating Attacks

With their networks and services under constant attack by an ever-growing rogue’s gallery of spammers, phishers, bot herders and other miscreants, service providers must invest more and more resources to secure their networks, reputations and profits.

To better understand and visualize complex networks, advanced security solutions such as Peakflow SP (“Peakflow SP”) use relational modeling to learn about a wide range of relationships on the network. Rather than taking the traditional approach of studying traffic only at a single point in the network, these solutions build an internal model of normal network conversations between/among many different network participants, including customers, departments, partners, peers or even the Internet as a whole. After determining the “normal” state of network operations, these security solutions apply various types of algorithms to detect any anomalies in the network.

Built-in anomaly detection capabilities enable solutions such as Peakflow SP to evaluate potential threats against a service provider’s or enterprise’s unique network baseline, virtually eliminating false alarms and making fast, accurate determinations. In addition, because these solutions are constantly learning, they do not require the same levels of tweaking and configuration that characterize many networking and security technologies. With extensive visibility, service providers and large enterprises can make informed decisions about whether they need to increase network capacity—or whether they can delay infrastructure investments and lower costs by recovering bandwidth on the existing network. Having deep visibility into network resources also helps service providers gain the insight needed for performing traffic planning, making peering arrangements, conducting market-to-market analyses and analyzing routing patterns.

Multiple Methods of Threat Detection and Mitigation

The Peakflow SP platform is a comprehensive threat management solution capable of detecting, mitigating and reporting on many types of network threats. The Peakflow SP solution has the ability to detect attacks based on the following methods:

Misuse

Peakflow SP can be configured to detect high packet rates for specific types of network traffic, such as DNS, ICMP, IP fragments, IP null packets, TCP NULL, RST and SYN frames. Many DDoS attacks utilize these vectors to saturate or bring down circuits, servers or other IP services.

Abnormal Behavior

By profiling normal traffic levels, Peakflow SP can detect anomalous traffic shifts in the network. Consequently, service providers can detect availability threats before they impact a customer’s service.

Attack Fingerprints

The Arbor Security Engineering and Response Team (ASERT) conducts threat analysis on a global basis. One of the by-products of ASERT’s research is attack “fingerprints.” These fingerprints are the specific network behavioral patterns that individual attacks exhibit on the wire. Once these fingerprints are loaded into the Peakflow SP product, they become active security policies and can alert network operations and security personnel to violations.

BGP Hijacking

Sometimes referred to as “IP hijacking,” BGP hijacking is the illegitimate take-over of groups of IP addresses by corrupting Internet routing tables. BGP hijacking is sometimes used by malicious users to obtain IP addresses for spamming or launching a DDoS attack.

Dark IP Space Monitoring

Peakflow SP considers any traffic that it sees as destined for unallocated dark space as malicious traffic. This traffic includes IP addresses that might perform host and port scans. A significant increase in dark IP traffic could indicate new malware, worms or other threats propagating across the network.
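The three flow-based detection methods described above (misuse thresholds per vector, deviation from a learned baseline, and dark IP space monitoring), worked through on constructed flow records. This is an added example, not Arbor code; the Flow layout, prefixes and thresholds are assumptions.

```python
"""Flow-based detection in the three styles the white paper describes:
misuse thresholds per attack vector, deviation from a learned baseline, and
dark IP space monitoring.  Added example, not Arbor code; all flow records,
prefixes and thresholds are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: int          # one-second bucket the sampled flow falls into
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "icmp"
    dport: int
    tcp_flags: str   # "S", "R", "A", ...; "" means no flags set (TCP NULL)
    fragment: bool   # IP fragment (no transport header to inspect)
    pkts: int


def classify(f: Flow) -> str:
    """Map a flow onto one of the misuse vectors the paper lists."""
    if f.fragment:
        return "ip_fragment"
    if f.proto == "tcp":
        return {"": "tcp_null", "S": "tcp_syn", "R": "tcp_rst"}.get(f.tcp_flags, "tcp_other")
    if f.proto == "udp" and f.dport == 53:
        return "dns"
    if f.proto == "icmp":
        return "icmp"
    return "other"


# Packets-per-second ceilings per vector (constructed, not Arbor defaults).
MISUSE_PPS = {"tcp_syn": 20_000, "tcp_rst": 10_000, "tcp_null": 1_000,
              "ip_fragment": 5_000, "dns": 10_000, "icmp": 5_000}


def rates_per_second(flows, key):
    """Sum packets per (ts, key(flow)) bucket; each ts is one second."""
    pps = defaultdict(int)
    for f in flows:
        pps[(f.ts, key(f))] += f.pkts
    return pps


def misuse_alerts(flows):
    """Misuse detection: any vector whose pps in a second exceeds its ceiling."""
    pps = rates_per_second(flows, classify)
    return sorted((ts, vec, n) for (ts, vec), n in pps.items()
                  if n > MISUSE_PPS.get(vec, float("inf")))


def baseline_alerts(flows, train_until, k=3.0, min_dev=0.25):
    """Abnormal-behaviour detection: learn total pps from seconds before
    train_until, then flag later seconds above mean + max(k*stdev, min_dev*mean).
    The min_dev floor stops a very flat baseline from alerting on tiny shifts."""
    total = rates_per_second(flows, lambda f: "all")
    train = [n for (ts, _), n in total.items() if ts < train_until]
    mu, sigma = mean(train), pstdev(train)
    limit = mu + max(k * sigma, min_dev * mu)
    return sorted((ts, n, limit) for (ts, _), n in total.items()
                  if ts >= train_until and n > limit)


def dark_ip_alerts(flows, allocated):
    """Dark IP monitoring: sources sending to addresses inside none of the
    allocated prefixes, with the dark destinations each one touched."""
    hits = defaultdict(set)
    for f in flows:
        if not any(ip_address(f.dst) in net for net in allocated):
            hits[f.src].add(f.dst)
    return dict(hits)


# Constructed sample: ten seconds of normal traffic into the allocated /25,
# then a SYN flood against the web server plus one host probing the unused half.
ALLOCATED = [ip_network("203.0.113.0/25")]


def build_sample():
    flows = []
    for ts in range(10):
        flows.append(Flow(ts, "198.51.100.7", "203.0.113.10", "tcp", 80, "S", False, 800))
        flows.append(Flow(ts, "198.51.100.8", "203.0.113.10", "udp", 53, "", False, 150))
        flows.append(Flow(ts, "198.51.100.9", "203.0.113.11", "icmp", 0, "", False, 50))
    for i in range(50):  # 50 sources, 1,000 SYNs each, in second 10
        flows.append(Flow(10, f"192.0.2.{i}", "203.0.113.10", "tcp", 80, "S", False, 1000))
    for last in (130, 131, 132):  # scan into unallocated space
        flows.append(Flow(10, "192.0.2.99", f"203.0.113.{last}", "tcp", 22, "S", False, 1))
    return flows


if __name__ == "__main__":
    sample = build_sample()
    print("misuse:  ", misuse_alerts(sample))
    print("baseline:", baseline_alerts(sample, train_until=10))
    print("dark IP: ", dark_ip_alerts(sample, ALLOCATED))
```

Baseline learning and misuse ceilings fire on the same second here, but on a slow-growing flood only the baseline method would; dark IP hits come from a different host entirely, which is why the three are reported separately.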


Once Peakflow SP detects an attack, the solution offers multiple methods of mitigation, such as:

Access Control Lists

Peakflow SP can generate an access control list (ACL) for an attack with unique characteristics that can be defined using Layer 3-4 access controls. The ACL can then be manually entered into key routers to mitigate an attack.

Black-Hole Routing

Peakflow SP can easily be integrated into the BGP routing environment of any network. Peakflow SP can be configured to conduct BGP black-hole routing or off-ramping for an attack that must be dropped at the peering edge of the network. All traffic to the destination host or network is null-routed or sent to a next hop for inspection.

BGP Flow Spec

BGP flow spec provides a way to populate traffic filters through the BGP control plane. Peakflow SP can leverage routers with flow spec capabilities by transferring records over a BGP session between Peakflow SP and the routing infrastructure. ISPs can use flow spec to create a firewall or access control type functionality to IP-reachable resources within the network. This allows ISPs to surgically and dynamically provide filters to specific routers in the network through well-known control channels.

Third-Party Mitigation

Peakflow SP can be configured to off-ramp network traffic to a filtering device. Currently, Peakflow SP only supports Cisco Guard.

Fingerprint Sharing

One of the most unique features in the Peakflow SP solution is something called “fingerprint sharing.” Fingerprints are network behavioral patterns of known or emerging threats. These fingerprints are created by ASERT and distributed to Peakflow SP customers via a service called Active Threat Feed (ATF). Since DDoS attacks can traverse multiple service provider networks, Arbor created and helps facilitate an inter-service provider group called the Fingerprint Sharing Alliance (FSA).

The FSA allows ISPs to easily share fingerprint information with each other using their Peakflow SP products. The objective is to stop the proliferation of attacks as close to their source as possible. When a peer Autonomous System Number (ASN) shares an attack fingerprint, ISPs can either accept the fingerprint or reject it. If ISPs accept the fingerprint, they can monitor any alerts that generate from that fingerprint. This will reveal any matches to the network behavioral traffic patterns seen and reported by Peakflow SP. ISPs can then choose to mitigate that traffic using the various mitigation techniques that Peakflow SP makes available to them.

The Triple Threat to Triple-Play Success

Although the deepest possible visibility into network resources has always been vital to service providers, it promises to become even more so as ISPs migrate their networks to IP/MPLS-based infrastructures and execute on their triple-play voice/video/data strategies. In fact, service providers face a major threat to their ability to deliver the triple play.

The above-mentioned mitigation techniques are quick, cost-effective ways to stop an attack and/or reduce the collateral damage associated with an attack. However, in many cases these techniques also complete the attack by taking the target address(es) offline. The best way to stop an attack is to remove only the attack traffic while allowing the legitimate traffic to continue to flow. This is often referred to as scrubbing or surgical mitigation.

The Peakflow SP Threat Management System (Peakflow SP TMS) augments the network-wide situational awareness of the Peakflow SP platform with application-layer attack detection and surgical mitigation.
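The collateral-damage trade-off between black-hole routing, a flow-spec/ACL filter and surgical mitigation, scored on one constructed packet mix. This is an added example, not Arbor code; the packet layout, addresses, zombie threshold and the simplified SYN-authentication rule (a source counts as authenticated once it sends an ACK) are assumptions.

```python
"""Score three mitigation styles on the same constructed SYN flood:
black-hole routing drops everything addressed to the target, a
flow-spec/ACL filter drops everything matching a Layer 3-4 tuple, and
surgical mitigation drops only hosts failing per-host checks (a simplified
SYN-authentication test plus a per-host zombie threshold).  Added example,
not Arbor code; addresses, counts and thresholds are constructed."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int
    flags: str   # TCP flags, e.g. "S", "A", "PA"; "" for UDP
    legit: bool  # ground truth, used only for scoring


TARGET = "203.0.113.10"


def black_hole(pkts):
    """RTBH / null route: every packet to the target is dropped."""
    return [p for p in pkts if p.dst != TARGET]


def flowspec_filter(pkts, match):
    """Flow spec or ACL: drop packets matching every field in `match`."""
    def hit(p):
        return all(getattr(p, k) == v for k, v in match.items())
    return [p for p in pkts if not hit(p)]


def surgical(pkts, zombie_limit):
    """Per-host countermeasures.  A TCP source counts as authenticated once
    it sends an ACK (a real SYN-authentication proxy answers the SYN itself
    and checks the reply); any source above zombie_limit packets counts as
    a zombie.  Only those hosts' packets are scrubbed."""
    authenticated = {p.src for p in pkts if p.proto == "tcp" and "A" in p.flags}
    per_host = Counter(p.src for p in pkts)

    def keep(p):
        if per_host[p.src] > zombie_limit:
            return False
        return p.proto != "tcp" or p.src in authenticated
    return [p for p in pkts if keep(p)]


def score(pkts, passed):
    """Return (attack packets dropped, legitimate packets dropped)."""
    dropped = Counter(p.legit for p in pkts) - Counter(p.legit for p in passed)
    return dropped[False], dropped[True]


def build_sample():
    """One legitimate web client (handshake + request), one legitimate DNS
    client and 20 zombies each sending 50 SYNs to the web server."""
    pkts = [Pkt("198.51.100.7", TARGET, "tcp", 80, "S", True),
            Pkt("198.51.100.7", TARGET, "tcp", 80, "A", True),
            Pkt("198.51.100.7", TARGET, "tcp", 80, "PA", True),
            Pkt("198.51.100.8", TARGET, "udp", 53, "", True),
            Pkt("198.51.100.8", TARGET, "udp", 53, "", True)]
    for i in range(1, 21):
        pkts += [Pkt(f"192.0.2.{i}", TARGET, "tcp", 80, "S", False)] * 50
    return pkts


def compare(pkts):
    """Apply each method and report (attack dropped, legitimate dropped)."""
    syn_match = {"dst": TARGET, "proto": "tcp", "dport": 80, "flags": "S"}
    return {"black_hole": score(pkts, black_hole(pkts)),
            "flowspec": score(pkts, flowspec_filter(pkts, syn_match)),
            "surgical": score(pkts, surgical(pkts, zombie_limit=30))}


if __name__ == "__main__":
    for method, (atk, legit) in compare(build_sample()).items():
        print(f"{method:10s} attack dropped={atk:5d}  legitimate dropped={legit}")
```

All three remove the whole flood; the difference is that the null route also drops the DNS client and the flow-spec rule still drops the legitimate client's SYN, while the per-host checks let every legitimate packet through.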


The Peakflow SP TMS device is a critical and fully integrated component of the Peakflow SP solution. Using deep packet inspection (DPI), Peakflow SP TMS provides application-layer insight, alerting and surgical mitigation. It enables service providers to protect their networks from the full spectrum of security threats, including botnets, DNS attacks, DDoS, worms, phishing, spam and spyware, all from a single console. Other key features of the Peakflow SP TMS device include:

Advanced Threat Countermeasures

Peakflow SP TMS can surgically mitigate threats using the following application-layer countermeasures:

• White and Black Lists: Determine if specific hosts are allowed (i.e., white listed) or not allowed to pass through the Peakflow SP TMS device (i.e., put on a black list and scrubbed).

• Detailed Filters: Detect and block traffic that matches user-defined details, such as host/destination IP addresses, port numbers, TCP/UDP header flags, etc.

• HTTP Object and Rate Limiting: Detect and block traffic coming from hosts that exceed user-defined thresholds for the number of HTTP requests/second and HTTP objects downloaded/second.

• Malformed Packets and DNS Authentication: Detect and block traffic that is coming from hosts sending malformed DNS requests, or when DNS authentication does not occur in a specified time period.

• Idle Connection Timeouts and TCP SYN Authentication: Detect and block TCP connections that remain idle for too long, or cannot be authenticated by the Peakflow SP TMS device within a specified timeout.

• Zombie Detection: Detect and block traffic from hosts that exceeds a user-defined threshold for packets-per-second (pps) or bits-per-second (bps).

• Baseline Enforcement: Detect and block traffic per managed object (e.g., network interface) that exceeds the normal packet rate or protocol distribution baseline as automatically determined by the Peakflow SP system.
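Two of the application-layer countermeasures in the list above, HTTP request/object rate limiting and idle connection timeouts, run over a constructed event stream. This is an added example, not Peakflow SP TMS code; the event format, the one-second sliding window and all thresholds are assumptions.

```python
"""HTTP request/object rate limiting with a one-second sliding window, and
idle connection timeouts for connections that open but never send data.
Added example, not Arbor TMS code; thresholds and events are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    t: float        # seconds
    src: str
    kind: str       # "open", "request", "object" or "close"
    conn: int = 0   # connection id for open/close/request events (0 = none)


class HttpRateLimiter:
    """Block a host once its requests or objects within the last `window`
    seconds exceed the configured limits; blocked hosts stay blocked."""

    def __init__(self, req_limit, obj_limit, window=1.0):
        self.req_limit, self.obj_limit, self.window = req_limit, obj_limit, window
        self.recent = defaultdict(lambda: {"request": deque(), "object": deque()})
        self.blocked = set()

    def observe(self, e):
        """Record the event; return True when the source is (now) blocked."""
        if e.kind not in ("request", "object") or e.src in self.blocked:
            return e.src in self.blocked
        q = self.recent[e.src][e.kind]
        q.append(e.t)
        while q and e.t - q[0] > self.window:   # slide the window forward
            q.popleft()
        limit = self.req_limit if e.kind == "request" else self.obj_limit
        if len(q) > limit:
            self.blocked.add(e.src)
        return e.src in self.blocked


class IdleTimeout:
    """Drop connections with no request within `idle` seconds of opening
    (or of their last request)."""

    def __init__(self, idle):
        self.idle, self.last, self.owner, self.dropped = idle, {}, {}, set()

    def observe(self, e):
        if e.kind == "open":
            self.last[e.conn], self.owner[e.conn] = e.t, e.src
        elif e.kind == "request" and e.conn in self.last:
            self.last[e.conn] = e.t
        elif e.kind == "close":
            self.last.pop(e.conn, None)
        return self.sweep(e.t)

    def sweep(self, now):
        """Expire every open connection idle longer than the limit."""
        for conn, t in list(self.last.items()):
            if now - t > self.idle:
                self.dropped.add((self.owner[conn], conn))
                del self.last[conn]
        return self.dropped


def run(events, req_limit=50, obj_limit=200, idle=5.0):
    limiter, timer = HttpRateLimiter(req_limit, obj_limit), IdleTimeout(idle)
    for e in sorted(events, key=lambda e: e.t):
        limiter.observe(e)
        timer.observe(e)
    return {"rate_blocked": set(limiter.blocked), "idle_dropped": set(timer.dropped)}


def build_sample():
    """Constructed: a browser fetching one page (a few requests and objects),
    a bot firing 80 requests in under half a second, a host holding three
    connections open without ever sending a request, and a late bystander."""
    ev = [Event(0.0, "198.51.100.7", "open", 1)]
    ev += [Event(0.1 + i * 0.1, "198.51.100.7", "request", 1) for i in range(5)]
    ev += [Event(0.15 + i * 0.1, "198.51.100.7", "object") for i in range(20)]
    ev += [Event(1.0, "198.51.100.7", "close", 1)]
    ev += [Event(2.0 + i * 0.005, "192.0.2.50", "request") for i in range(80)]
    ev += [Event(3.0, "192.0.2.77", "open", c) for c in (10, 11, 12)]
    ev += [Event(12.0, "198.51.100.8", "request")]
    return ev


if __name__ == "__main__":
    print(run(build_sample()))
```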

Packet Sampling

The Peakflow SP TMS device can conduct on-demand packet capture and provide limited packet decode.

Stacking

Up to three Peakflow SP TMS 2700 devices can be stacked together, forming a single logical unit that increases the total mitigation capacity to 8 Gbps.

By fusing flow-based network intelligence with deep packet processing, the Peakflow SP TMS device enhances the network-wide visibility of the Peakflow SP platform with more granular, application-level visibility, providing ISPs with application-layer mitigation, security and reporting capabilities.


One of the current ISP trends is the rise in capital expenditures (CapEx) and the lowering of operation expenses (OpEx). As capital is being spent on infrastructure build-out and delivery of new services, there is a keen eye on the bottom line.

Operating expenses and other costs are being kept to a minimum in order to ensure that these products and services are indeed profitable. Investments must solve multiple business problems and align with company strategies. In other words, purchased products must leverage as much of the ISP’s existing infrastructure and human resources as possible.

Peakflow SP is just such a strategic investment. As it is being used by network operations and security teams for cost-effective, pervasive network visibility, routing/peering analysis, traffic engineering and infrastructure security (e.g., DDoS detection), it can simultaneously be used by product managers to deliver new revenue-generating services, in particular, DDoS protection services. That’s because Peakflow SP has key features such as virtualization capabilities, templates and APIs that allow service providers to share and customize their services for multiple customers—thereby lowering the total cost of ownership and increasing profits. In fact, many of the previously mentioned managed DDoS protection services utilize Peakflow SP and Peakflow SP TMS products.

Figure 2 (Managed DDoS Protection Services Web Portal, powered by Peakflow SP): Through a customer-facing, secure Web portal, enterprise customers can access reports and examine traffic patterns inside their service provider’s network. Source: Arbor Networks, Inc.


Conclusion

With DDoS attacks and other network security threats on the rise, ISPs and large enterprises are more vulnerable than ever before. The Peakflow SP solution provides cost-effective and pervasive visibility into the network.

As a complete threat management solution, it enables ISPs to protect their network infrastructures and IP services against the full spectrum of security threats, such as DDoS attacks and botnets. Simultaneously, Peakflow SP can serve as a platform for service providers to offer new in-cloud managed DDoS protection services to their enterprise customers.

Links to related products and services:

• Peakflow SP Data Sheet

• Peakflow SP TMS Data Sheet

• ATLAS™ Global Threat Intelligence

• Arbor Security Blog


Corporate Headquarters

76 Blanchard Road, Burlington, MA 01803 USA

Toll Free USA +1 866 212 7267

T +1 781 362 4300

Europe

T +44 207 127 8147

Asia Pacific

T +65 6299 0695

www.arbornetworks.com

©2012 Arbor Networks, Inc. All rights reserved. Arbor Networks, the Arbor Networks logo, Peakflow, ArbOS, How Networks Grow, Pravail, Arbor Optima, Cloud Signaling, ATLAS and Arbor Networks. Smart. Available. Secure. are all trademarks of Arbor Networks, Inc. All other brands may be the trademarks of their respective owners.

WP/IPSERVICES/EN/0612