Arbor White Paper

The Cloud Signaling Coalition

ISPs and enterprises working together to block the evolving DDoS threat
Arbor White Paper The Cloud Signaling Coalition

About Arbor Networks

Arbor Networks, Inc. is a leading provider of network security and management solutions for enterprise and service provider networks, including the vast majority of the world’s Internet service providers and many of the largest enterprise networks in use today. Arbor’s proven network security and management solutions help grow and protect customer networks, businesses and brands. Through its unparalleled, privileged relationships with worldwide service providers and global network operators, Arbor provides unequalled insight into and perspective on Internet security and traffic trends via the ATLAS® Active Threat Level Analysis System. Representing a unique collaborative effort with 230+ network operators across the globe, ATLAS enables the sharing of real-time security, traffic and routing information that informs numerous business decisions.

1
Arbor White Paper The Cloud Signaling Coalition

Executive Summary

As distributed denial of service (DDoS) attacks escalate in size and complexity, their detection and mitigation require the collaboration of all stakeholders—from the customer premise to the service provider cloud. The Cloud Signaling Coalition (CSC) from Arbor Networks® enables this collaboration. It provides an infrastructure that facilitates local and upstream mitigation of edge-based, application-layer DDoS attacks as well as cloud-based, volumetric DDoS attacks in an automated and real-time manner. This white paper examines how cloud signaling works and how its faster, automated approach to DDoS mitigation benefits both enterprise data centers and managed security service providers (MSSPs).

From the Edge to the Cloud: The Call for Comprehensive DDoS Protection

The WikiLeaks controversy heightened awareness of how DDoS attacks can compromise the availability of critical Web sites, applications and services. For many large companies and institutions, the WikiLeaks-inspired DDoS attacks and counterattacks have been a sobering wake-up call.

Why Participate in the Cloud Signaling Coalition

Benefits for Managed Security Service Providers (MSSPs)
• More comprehensive DDoS service offering from the edge to the cloud
• Competitive differentiator that drives customers to existing DDoS services
• Increased revenue

Benefits for enterprise data centers
• Increased effectiveness of DDoS protection
• Faster DDoS identification and mitigation
• Reduced operational costs
• Brand/reputation preservation


On the same weekend that WikiLeaks released 250,000 classified diplomatic cables, its main site was knocked offline by a major denial of service (DoS) attack. Days later, when hosting companies and financial institutions cut ties with the site, pro-WikiLeaks “hacktivists” launched retaliatory DDoS attacks.

The WikiLeaks attacks, while very high profile, only represent a small percentage of the overall DDoS attack problem. Arbor Networks’ annual Worldwide Infrastructure Security Report shows that DDoS attacks are growing rapidly and can vary widely in scale and sophistication. At the high end of the spectrum, large volumetric attacks reaching sustained peaks of 100 Gbps have been reported. These attacks exceed the aggregate inbound bandwidth capacity of most Internet service providers (ISPs), hosting providers, data center operators, enterprises, application service providers (ASPs) and government institutions that interconnect most of the Internet’s content.

At the other end of the spectrum, application- and service-layer DDoS attacks focus not on denying bandwidth but on degrading the back-end computation, database and distributed storage resources of Web-based services. For example, service- or application-level attacks may cause an application server to patiently wait for client data—thus causing a processing bottleneck. Application-layer attacks are the fastest-growing DDoS attack vector.

Detecting and mitigating the most damaging attacks is a challenge that must be shared by network operators, hosting providers and enterprises. The world’s leading carriers generally use specialized, high-speed mitigation infrastructure—and sometimes the cooperation of other providers—to detect and block attack traffic. Beyond ensuring that their providers have these capabilities, enterprises must deploy intelligent DDoS mitigation systems (IDMS) to protect critical applications and services.

Until now, no comprehensive threat resolution mechanism has existed that completely addresses application-layer DDoS attacks at the edge and volumetric DDoS attacks in the cloud. True, many data center operators have purchased DDoS protection services from their ISP or MSSP. But they lack a single dashboard to provide the visibility to stop targeted application attacks as well as upstream volumetric threats that can be distributed across multiple providers.

The Cloud Signaling Coalition (CSC) launched by Arbor Networks offers the next evolutionary step in addressing this complex challenge. The CSC provides an infrastructure that facilitates both local and upstream DDoS mitigation in an automated and real-time manner. It is an efficient and integrated system coordinating DDoS mitigations from the customer premise to the service provider cloud. Participation in the CSC enables data center operators to reduce the time and increase the effectiveness of DDoS protection—resulting in major operational cost-savings and preserving their company’s reputation.


The Growing and Evolving DDoS Threat

The DDoS threat landscape has been dominated by volumetric attacks usually generated by Internet bots or compromised PCs that are grouped together in large-scale botnets. This type of DDoS attack is generally high bandwidth and originates from a large number of geographically distributed bots.

The size of these volumetric DDoS attacks continues to increase year over year, and they remain a major threat to enterprises and ISPs alike. In addition, a new type of DDoS attack has emerged that threatens the business viability of service provider customers. These new application-layer DDoS (a.k.a., appDoS) attacks threaten a myriad of services ranging from Web commerce and domain name system (DNS) services to email and online banking.

An application-layer DDoS attack is often more challenging to detect using traditional flow-based techniques in the cloud because it usually does not produce a significantly higher traffic rate. Yet it can still bring down the targeted services. Today’s enterprises and IDC operators are very concerned with the availability of the critical services running in their data centers. So it is imperative that they take steps to reduce their risk of damage from potential application-layer DDoS attacks—and critical for cloud providers to mitigate such attacks effectively in real time.

Figure: Multiple layers of defense are required for comprehensive DDoS protection. Large DDoS attacks are handled in the ISP cleaning center behind the ISP firewall; in the data center, a load balancer, firewall and IDS/IPS sit in front of the target applications and services, where application layer attacks arrive mixed with legitimate traffic.


Why Existing Security Solutions Can’t Stop DDoS Attacks

Intrusion prevention systems (IPS), firewalls and other security products are essential
elements of a layered-defense strategy. However, they are designed to protect the network
perimeter from infiltrations and exploits and to be policy enforcement points in the security
portfolio of organizations.

Each of these solutions leverages stateful traffic inspection technologies to enforce network policy and integrity. This makes these devices susceptible to state resource exhaustion, which results in dropped traffic, device lock-ups and potential crashes. As a result, they have become a major vulnerability point of the DDoS attack surface. The most scalable versions of these devices can be overwhelmed by most moderate-size DDoS events.

The application-layer DDoS threat amplifies the risk to data center operators. That’s because IPS devices and firewalls become more vulnerable to the increased state demands of this emerging attack vector—making the devices themselves more susceptible to the attacks.

Moreover, there is a distinct gap in the ability of existing edge-based solutions to leverage the cloud’s growing DDoS mitigation capacity, the service provider’s infrastructure or the dedicated scrubbing capacity deployed upstream of the victim’s infrastructure. Current solutions do not take advantage of the distributed computing power available in the network and cannot coordinate upstream resources to deflect an attack before saturating the last mile. No existing solution enables both DDoS mitigation at the edge and in the cloud.

Why Existing On-Premise Solutions Fail to Address DDoS Security

Vulnerable to DDoS attacks
• Targets of DDoS attacks.
• First to be affected by large flood or connection attacks.

Complicated to use
• Require skilled security experts.
• Demand knowledge of attack types before attacks.

Failure to ensure availability
• Built to protect against known (versus emerging) threats.
• Designed to look for threats within single sessions, not across sessions.

Protection limited to certain attacks
• Address only specific application threats.
• Do not handle attacks containing valid requests.

Deployed in wrong location
• Very close to servers.
• Too close to protect upstream router.

Incompatible with cloud DDoS protection systems
• Fail to interoperate with cloud DDoS prevention solutions.
• Increase time for response to DDoS.


Cloud Signaling℠: A Faster, Automated Approach to Comprehensive DDoS Mitigation

The Cloud Signaling Coalition enables MSSPs to offer comprehensive DDoS services, including the power to mitigate the application-level DDoS component at the data center edge and stop the volumetric component in the ISP cloud. After stopping the application-layer DDoS attack using the customer premises equipment (CPE)-based security product, the data center engineer can send a cloud signal to IDMS devices in the provider cloud to stop the volumetric attack, thus mitigating the upstream congestion.

The following scenario demonstrates the need for cloud signaling from the customer perspective. A data center engineer notices that critical services such as corporate sites, email and DNS are no longer accessible. After a root cause analysis, the company realizes that its servers are under a significant DDoS attack. Because its services are down, the entire company—along with its customers—is suddenly watching every move. The data center engineer must work with customer support centers from multiple upstream ISPs to coordinate a broad DDoS mitigation response to stop the attack. Simultaneously, the data center engineer must provide constant situational updates internally to management teams and application owners. To be effective, the engineer must also have the right internal tools available in front of the firewalls to stop the application-layer attack targeting the servers. All of this must be done in a high-pressure, time-sensitive environment.

The same scenario would be quite different if the data center engineer had the option of cloud signaling. Once he or she discovered that the source of the problem is a DDoS attack, the engineer could choose to mitigate the attack in the cloud by triggering a cloud signal to IDMS infrastructure in the provider network. The cloud signal would include details about the attack to increase the effectiveness of the provider’s response. This would take internal pressure off the engineer from management and application owners. It would also allow the engineer to communicate with the upstream cloud provider to give more information about the attack and fine-tune the cloud defense.


The Value of Cloud Signaling to the MSSP

The addition of cloud signaling to the MSSP portfolio strengthens the overall managed DDoS service offering. By allowing edge devices to signal cloud solutions, it provides a single dashboard for all DDoS attacks.

Any MSSP can add cloud signaling as a service feature by participating in the Cloud Signaling Coalition and using Arbor’s Peakflow® solution as the basis of an existing in-cloud service offering. Participating MSSPs do not have to sell or manage Arbor’s edge product, Pravail Availability Protection System (APS), to realize the value of cloud signaling. In the future, third-party vendors will be encouraged to hook into Peakflow-based cloud DDoS service offerings through a public, documented API.

Figure: The Value of Cloud Signaling to the MSSP. A Peakflow SP-based DDoS service runs in the Internet service provider’s network, in front of the subscriber networks; in the data center network, Pravail APS and the Firewall/IPS/WAF sit in front of the public facing servers. When congestion builds on the link, a cloud signal is sent upstream.

Operational Steps
1. Data Center under attack.
2. Attack immediately stopped by Arbor Pravail APS.
3. Attack grows exceeding bandwidth.
4. Cloud signal launched upstream.
5. Attack mitigated by the Peakflow SP platform in the Cloud.
6. Data Center now protected.


How Cloud Signaling Works

Let’s assume an MSSP is offering a comprehensive DDoS service, including detection and
mitigation capabilities, to a data center customer. The service offering includes a cloud-based
DDoS component, as well as a CPE-based application-aware DDoS component.

The cloud-based DDoS service is based on Peakflow SP solutions and the edge-based product is the Arbor Pravail APS appliance. First, the MSSP must provision the cloud-based service to accept cloud signals from the edge-based Pravail appliance or software. The customer’s edge product is provisioned into a Peakflow SP deployment that includes Peakflow SP Threat Management System (“TMS”) appliances using the Peakflow SP user interface. The MSSP can then allow customers to either automatically start a TMS mitigation in the cloud or manually issue an alert when they want to initiate cloud signaling. In the manual option, the MSSP can decide either to accept the customer cloud signal to start a mitigation event or to create a mitigation event manually.

To ensure end-to-end cloud signaling, the edge-based device must be configured with the MSSP’s Peakflow SP information, including IP address and customer authentication information.

Auto-Mitigation via Cloud Signaling

When the Pravail appliance detects an attack, the operator can manually signal the Peakflow SP cloud deployment about the attack or preset Pravail to automatically send a cloud signal upstream when a threshold is reached.

For the new mitigation in Peakflow SP, the solution applies the mitigation template configuration that has been assigned in the Pravail customer configuration in Peakflow SP. Then it reports back to Pravail that a mitigation event has been started. Pravail will display the mitigation status in the user interface, showing an active mitigation is taking place. If Peakflow SP already has a mitigation running for the resource under attack, it will convey that to the Pravail appliance and disregard the mitigation request.

Operator-Assisted Mitigation via Cloud Signaling

If the Peakflow SP solution is configured for manual cloud-signaling mitigation for a Pravail APS customer, it will create an alert when it receives a cloud signal from the Pravail appliance and report back to the appliance that the request was received. A Peakflow SP operator would be required to initiate a mitigation based on the cloud signal.

An active heartbeat exists between the Peakflow SP cloud deployment and the Pravail APS appliance on the customer premise. This assures that both products are available and operational at all times.

Real-Time Analysis and Reporting

The operators of both the cloud-based Peakflow SP solution and the edge-based Pravail appliance can monitor the progress of the mitigation in real time. Both products also provide post-incident reports with details of the attack and the steps taken to mitigate it.

Operational Considerations

The Pravail APS appliance is designed to maintain operational and management capabilities when the network is under attack. In many cases, it can detect the attack before the stateful firewall is overwhelmed. Many availability attacks only flood the downstream communications while upstream communications are still available. However, it is very possible that an attack could consume most of the bandwidth available to the data center. To limit the impact of this, the cloud signaling protocol makes use of state-less protocols for communication, with persistent retries performed by the application layer if congestion is noted.

The best practice to ensure cloud signaling integrity is to provision a separate out-of-band management network between the data center and the cloud provider so that the cloud signaling component remains available even when the entire data center link is saturated in both directions or completely offline.
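The exchange this section describes, as an added illustrative model that is not Arbor’s protocol or Pravail/Peakflow code: a threshold-triggered edge signal, an auto-mitigation customer and an operator-assisted customer on the cloud side, duplicate-request suppression, credential checking, and application-layer retries over a congested link. All names (CloudDeployment, EdgeAppliance, CongestedLink, demo) and the customers, tokens and prefixes are constructed for the example.

```python
# Illustrative model of the cloud-signaling exchange described in this section:
# threshold-triggered signal, auto vs. operator-assisted mode in the cloud, duplicate
# suppression, and application-layer retries over a congested link. Constructed for
# this page; it is NOT Arbor's protocol and not Pravail/Peakflow code.
import hmac
from dataclasses import dataclass
from enum import Enum

class CloudMode(Enum):
    AUTO = "auto"      # cloud starts a TMS mitigation as soon as a signal arrives
    MANUAL = "manual"  # cloud only raises an alert; an operator starts the mitigation

@dataclass(frozen=True)
class CloudSignal:  # one self-contained request; no session state on either side
    customer_id: str
    resource: str    # protected resource the edge device sees under attack
    attack_bps: int  # observed attack rate reported to the provider
    details: str     # attack details that help the provider tune its response

class CloudDeployment:
    """Provider side (Peakflow SP role): customers, active mitigations, alerts."""
    def __init__(self):
        self.customers = {}  # customer_id -> {"token", "mode", "template"}
        self.active = {}     # resource -> mitigation template in use
        self.alerts = []     # signals waiting for an operator (manual mode)

    def provision(self, customer_id, token, mode, template):
        self.customers[customer_id] = {"token": token, "mode": mode, "template": template}

    def handle_signal(self, sig, token):
        cust = self.customers.get(sig.customer_id)
        if cust is None or not hmac.compare_digest(cust["token"], token):
            return "auth_failed"         # unprovisioned edge device or bad credentials
        if sig.resource in self.active:
            return "already_mitigating"  # acknowledged, but the request is disregarded
        if cust["mode"] is CloudMode.MANUAL:
            self.alerts.append(sig)
            return "received"            # alert raised; a cloud operator decides
        self.active[sig.resource] = cust["template"]  # template assigned at provisioning
        return "mitigation_started"

    def operator_start(self, index):
        """Operator accepts a pending alert and starts the templated mitigation."""
        sig = self.alerts.pop(index)
        self.active[sig.resource] = self.customers[sig.customer_id]["template"]
        return sig.resource

class CongestedLink:
    """Models the saturated last mile: the first `drop_first` requests are lost."""
    def __init__(self, drop_first=0):
        self.drop_first, self.attempts = drop_first, 0

    def deliver(self, request):
        self.attempts += 1
        if self.attempts <= self.drop_first:
            return None  # request or reply lost in the congestion
        return request()

class EdgeAppliance:
    """Edge side (Pravail APS role): threshold-triggered signal with retries."""
    def __init__(self, customer_id, token, threshold_bps, cloud, link, max_retries=5):
        self.customer_id, self.token, self.threshold_bps = customer_id, token, threshold_bps
        self.cloud, self.link, self.max_retries = cloud, link, max_retries
        self.status = "idle"  # what the edge UI would display

    def signal(self, resource, attack_bps, details):
        sig = CloudSignal(self.customer_id, resource, attack_bps, details)
        for _ in range(self.max_retries):  # each retry is a fresh stateless request
            reply = self.link.deliver(lambda: self.cloud.handle_signal(sig, self.token))
            if reply is not None:
                self.status = reply
                return reply
        self.status = "unreachable"  # only an out-of-band path would help now
        return self.status

    def observe(self, resource, attack_bps, details="constructed sample attack"):
        """Per-interval measurement: signal upstream once the threshold is crossed."""
        if attack_bps < self.threshold_bps:
            return None
        return self.signal(resource, attack_bps, details)

def demo():
    """Walk the exchange end to end with constructed customers and addresses."""
    cloud = CloudDeployment()
    cloud.provision("dc-auto", "tok-auto", CloudMode.AUTO, "syn-flood-template")
    cloud.provision("dc-manual", "tok-manual", CloudMode.MANUAL, "http-flood-template")
    link = CongestedLink(drop_first=2)  # two attempts lost before one gets through
    edge = EdgeAppliance("dc-auto", "tok-auto", 800_000_000, cloud, link)
    r = {"below": edge.observe("198.51.100.0/24", 200_000_000)}
    r["first"] = edge.observe("198.51.100.0/24", 900_000_000)
    r["attempts"] = link.attempts
    r["repeat"] = edge.observe("198.51.100.0/24", 950_000_000)
    manual = EdgeAppliance("dc-manual", "tok-manual", 800_000_000, cloud, CongestedLink())
    r["manual"] = manual.observe("203.0.113.0/24", 1_000_000_000)
    r["after_operator"] = cloud.operator_start(0) in cloud.active
    bad = EdgeAppliance("dc-auto", "wrong-token", 800_000_000, cloud, CongestedLink())
    r["bad_token"] = bad.observe("192.0.2.0/24", 900_000_000)
    dead = EdgeAppliance("dc-auto", "tok-auto", 800_000_000, cloud,
                         CongestedLink(drop_first=9), max_retries=3)
    r["unreachable"] = dead.observe("192.0.2.0/24", 900_000_000)
    return r
```

Calling demo() returns the outcome of each step as a dict; the "unreachable" case is the situation the out-of-band management network above is meant to avoid.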


The Cloud Signaling Coalition: Why Join?

For MSSPs and other managed DDoS By joining the coalition, MSSPs can drive more data center
customers to their existing DDoS service. Many enterprise
providers, the Cloud Signaling Coalition can customers are looking for ISPs to reduce the risk posed
by DDoS attacks. The Cloud Signaling Coalition provides a
be an immediate competitive differentiator
means to accomplish this. As an added benefit, the MSSPs
and can increase the revenues of existing can gain goodwill in the market by participating in a global
security initiative.
service offerings.

Conclusion
As the techniques to conduct DDoS attacks advance and motivations to launch them increase, data
center operators and service providers must find new ways to identify and mitigate evolving DDoS
threats. The Cloud Signaling Coalition empowers data center operators to quickly address both
high-bandwidth attacks and targeted application-layer attacks in an automated and simple manner,
while enabling MSSPs to significantly grow the revenue generated by their managed DDoS
protection offering.

For more information on the Coalition and how to participate, visit www.arbornetworks.com

Corporate Headquarters
76 Blanchard Road
Burlington, MA 01803 USA
Toll Free USA +1 866 212 7267
T +1 781 362 4300

Europe
T +44 207 127 8147

Asia Pacific
T +65 6299 0695

www.arbornetworks.com

Copyright © 2012 Arbor Networks, Inc. All rights reserved. Arbor Networks, the Arbor Networks logo, Peakflow, ArbOS, How Networks Grow, Pravail,
Arbor Optima, Cloud Signaling, ATLAS and Arbor Networks: Smart. Available. Secure. are all trademarks of Arbor Networks, Inc. All other brands may
be the trademarks of their respective owners.

DS/CSC/EN/0412
Arbor White Paper

“In the Cloud” Managed Network Security Services

Business Benefits for Service Providers and Enterprises
Arbor White Paper: “In the Cloud” Managed Network Security Services

Next Stop on the Outsourcing Train: Network Security Services

Today’s ultra-competitive business environment presents an awkward conundrum: the pursuit of opportunity requires companies to take a wide range of risks, but the damage caused by miscalculating those risks can be devastating.

This concept can be vividly illustrated in the enterprise network domain. To improve responsiveness and build stronger customer relationships, most organizations have opened their networks to direct access by remote employees, business partners, customers and other third parties. The resulting porosity of the network perimeter has created ample opportunity for security threats to penetrate the innermost regions of the enterprise, exposing vital IT resources to damage and destruction. Furthermore, as companies have become more reliant on external Internet connectivity for day-to-day business affairs, they are susceptible to considerable financial loss when that connectivity is reduced or lost. Distributed denial of service (DDoS) attacks or worm outbreaks that affect network infrastructure for any length of time can have potentially devastating results on the business.

To combat the ever-escalating danger posed by network security threats, forward-thinking organizations have two options: invest significantly in the people, processes and technology required to maintain world-class, 24/7 network security operations, or outsource the function to the growing number of highly effective managed security services providers (MSSPs).

Network Outsourcing is the Sector’s Fastest-Growing Segment

For an expanding range of IT functions, outsourcing has become the strategic direction of choice, allowing companies to focus more on business opportunity and less on risk. The phenomenal popularity of outsourcing additionally stems from its potent economic benefit: high levels of resource performance at relatively low cost, while outsourcing operational risk, as well.

Overall, the IT outsourcing market is expected to see a 6.9 percent compound annual growth rate (CAGR) through 2009.[1] The combined infrastructure outsourcing segments (data center, desktop and network outsourcing) equal more than 80 percent of total IT outsourcing spending. Network outsourcing remains the fastest-growing segment, with an 8.5 percent CAGR between 2004 and 2009. Dollar-wise, the network outsourcing market has been projected to reach a value of $77 billion by 2008, according to Gartner analysts.[2]

[1] “Gartner on Outsourcing, 2005,” Gartner, Lorrie Scardino, et al, December 14, 2005.
[2] As cited in “Networks move out,” Infoconomy, January 20, 2005.


Network security is a rapidly growing outsourcing category. It comprises two major types of service provider offerings:

“In the cloud” Managed Services
Remotely managed and monitored security services that do not depend on customer premises equipment (CPE); the “cloud” represents the telecommunications providers’ network. In-the-cloud services can replace or augment CPE devices to block ports and protocols or to remove spam or viruses from network traffic.[3]

CPE-based Managed Services
Security offerings for which the provider remotely manages the customers’ on-premise equipment, located at the network’s edge, and assumes responsibility for associated aspects of network security.

In-the-cloud managed services can uniquely offer “clean bandwidth” that has been purged of security threats such as DDoS attacks, worms, viruses, botnets and other malware. Yankee Group notes that “[T]he second fastest-growing segment [of the managed security services market] is cloud-based services, which will grow 37% in 2005 and is expected to reach $560 million by 2008… Cloud-based services offer the best protection against distributed denial of service (DoS) attacks, which are also the most prevalent internet-originated type of attack.”[4]

Both network-based and edge-based security technologies can co-exist. In fact, both are required to holistically and comprehensively address security threats. The most security-conscious organizations are supplementing their existing edge-based security infrastructure with in-the-cloud managed network security services, providing a strong measure of extra protection.

Figure 1: Peakflow Deployment. In the service provider networks, Peakflow SP covers the core-to-core, management, broadband and transit/peering edge networks for managed security services; in the enterprise network (data center, branch offices, departments), Peakflow X and Pravail NSI provide internal security. Researchers identify, analyze and assess threats, and behavioral fingerprints are exchanged through the Fingerprint Sharing Alliance (ATF).

[3] Definition adapted from “‘In the Cloud’ Security Services Will Change Providers’ Landscape,” Kelly M. Kavanagh, et al, Gartner, March 14, 2005.
[4] “Managed Security Service Market Continues Strong Growth in 2005,” Yankee Group, Andy Efstathiou, June 29, 2005.


MSSPs Effectively Address Mushrooming Security Challenges

As networks themselves grow larger and more complex, outsourced security services from MSSPs are attractive for several reasons.

• The costs of recuperating from computer crime continue to escalate. For example, based on the findings of its 2005 annual computer security survey, the U.S. Federal Bureau of Investigation estimated that computer crime cost U.S. businesses $67 billion in 2005. Sixty-four percent of the 2,066 organizations surveyed suffered a financial loss from computer security incidents over a 12-month period; respondents spent nearly $12 million to deal with virus-type incidents and $2.7 million on network intrusions.[5]

• Security threats are non-stop and only increase in frequency and malice. Data centers in large global enterprises can receive tens of thousands of network security alarms a day, of which a rising number pose genuine threats.

• Some threats can only be addressed in-the-cloud by providers. These include DDoS attacks and botnets, which flood upstream links to enterprises. As a result, they can only be resolved in-the-cloud and not at the enterprise edge. Because service providers own and manage the network infrastructure, they are uniquely positioned to offer in-the-cloud security services. Yankee Group positions the value of these services:

Highly distributed enterprises with mobile workforces and enterprises with very high levels of internet-based customer or partner interactions are the ones that find these [in-the-cloud] services of the highest value. Enterprises are looking for security expertise combined with SOC/NOC delivery platforms. Cloud-based security services can reduce the number of low-level attacks and enable an enterprise to improve the performance of web-based commerce while focusing its efforts on mitigating more serious security threats.[6]

• MSSPs provide far greater capabilities, more efficiently, than a single enterprise can. As previously noted, the benefits of network outsourcing are well-established (lower costs, reduced complexity in the customer enterprise, technology scalability, broad capabilities and risk off-load) and certainly apply to in-the-cloud managed security services.

Peakflow® SP: The Industry’s Choice for In-the-Cloud Managed Security

Arbor Networks presents a unique approach to helping service providers maximize the business value they deliver to enterprise customers with the Peakflow platform, a market-proven solution for providing security to the core and performance to the edge. Peakflow SP is the industry’s premier choice for in-the-cloud managed security services, deployed in the backbones of every major service provider and multi-service operator (MSO) network around the globe. This whitepaper discusses the compelling business benefits that enterprises and service providers can derive from managed security services and presents the Arbor Networks approach.

[Image: Peakflow SP Appliance]

[5] “Computer crime costs $67 billion, FBI Says,” Joris Evers, CNET News.com, January 19, 2006.
[6] “Enterprises Must Consider Several Issues When Evaluating Cloud-Based Security Services,” Yankee Group, Andy Efstathiou, July 15, 2005.


The Business Case for In-the-Cloud Managed Network Security

Outsourced network security services are already a popular choice for enterprises around the world. According to the 2005 Global Security Survey conducted by CXO Media and PricewaterhouseCoopers, participating enterprises are already outsourcing key activities.

These key activities include:
• Firewall monitoring: 32%
• Vulnerability scanning: 26%
• Network firewalls: 24%
• Intrusion detection: 18%
• Network security monitoring: 16%
• Security event monitoring: 15%
• Rogue technology detection: 7%

Clearly, there is significant opportunity for enterprises to reap the benefits of outsourced detection of rogue technology (worms, viruses, botnets, etc.), which in-the-cloud services from MSSPs essentially provide.

Top MSSPs Choose Peakflow for In-the-Cloud Network Security

As more and more enterprises transition from in-house monitoring and management of network-based threats, they will find many service providers delivering network-based managed service offerings built on Peakflow SP. These service offerings provide fully scalable, proactive detection and mitigation capabilities to respond to attacks before they impact enterprise networks.

The Benefits of In-the-Cloud Managed Security Services

When enterprises choose in-the-cloud managed security services from providers such as those listed above, they can expect to receive numerous significant benefits, such as:

• Cost savings in many areas of operational and capital expenditure. This encompasses labor, equipment and software, facilities and other infrastructure costs. As the number and complexity of network threats grow, all of these costs will continue to grow at a rapid pace, further burdening enterprise IT departments. By leveraging the resources available from MSSP providers, enterprises are able to concentrate their valuable resources on core competencies.

• Improved performance of network resources, as in-the-cloud managed services deliver greater network reliability and integrity. As a result, QoS improves, and enterprises can more consistently meet internal service level agreements (SLAs), a de facto metric used in assessing IT departments’ performance.

• Higher levels of network security, which, in addition to enabling better network performance, also help ensure greater confidentiality of all enterprise data. This builds a greater sense of security and trust among all users.

• Expertise in a complex and constantly changing domain. MSSPs have the critical mass of resources to invest in in-the-cloud security services, focusing large amounts of human and monetary capital to develop world-class offerings. Through this process, providers gain extraordinary levels of security knowledge, leveraging cumulative learning to enhance the economies of scale gained from serving many enterprise customers.

Arbor White Paper: “In the Cloud” Managed Network Security Services

Figure 2: Through a customer-facing, secure Web portal, enterprise customers can access reports and examine traffic patterns inside their service provider’s network. (Screenshot of the Peakflow SP portal login page.)
Finally, the growing popularity of outsourced network security services has helped the MSSP industry as a whole to mature quickly. Providers have addressed issues that may be cause for concern. They have:

• Overcome a history of service delivery failures at certain high-profile security service providers
• Dealt with today’s regulatory environment, which requires greater levels of due diligence
• Built customer confidence in their service delivery to assuage concerns over loss of control
• Used the proper processes and technology to ensure the utmost confidentiality, as customers routinely send proprietary network information outside the enterprise

In-the-cloud managed security services, powered by Arbor Peakflow, are an extremely attractive option to enterprises of all sizes, in all industries.

“Powered by Peakflow” MSSPs and their services include:

• AT&T: Internet Protect
• Belgacom: Clean Internet Service
• Broadwing: DDoS Mitigation Service
• Cable & Wireless: DDoS Protection
• COLT: IP Guardian
• Hydro One: DDoS Service
• Verizon Business: DoS Defense Detection and Mitigation
• Rackspace: PrevenTier
• SAVVIS: Network-Based DDoS Mitigation
• TELUS: Managed DoS Services

Power In the Cloud: Large Global Bank

A major global bank initially sought to internally deploy and manage a security solution to address infrastructure threats. After talking to solution providers and managed security services providers, they chose to purchase an in-the-cloud service from Cable & Wireless, an MSSP “Powered by Peakflow,” rather than building in-house solutions, because the managed service was more cost-effective and entailed less operational risk.


Peakflow: MSSPs’ Platform of Choice for In-the-Cloud Security

To customers considering using in-the-cloud managed security services, “Powered by Peakflow” has become the industry’s gold standard and a major factor in choosing a provider. The Peakflow platform has achieved this status by delivering core-to-edge protection and performance that addresses the complementary needs of enterprises and service providers, through two products: Pravail NSI and Peakflow SP.

Pravail NSI

Built to meet the demands of the largest enterprise networks, Pravail NSI allows organizations to address a wide range of internal security threats while maintaining business continuity. Using Relational Modeling, a breakthrough in network modeling technology, Pravail NSI constructs a system-wide view of the entire network, auto-learning host behaviors to determine who talks to whom, and how. Using this data, Pravail NSI provides unparalleled visibility into what is happening inside the enterprise network and generates actionable security information, allowing operators to:

• Stop data theft, malware, worms and other zero-day threats
• Segment and harden critical internal resources against future threats
• Simplify compliance objectives
• Identify emerging threats such as malware, spyware, phishing/pharming, botnets and trojans as they appear on the network.

Peakflow SP

Peakflow SP, the industry’s most popular choice for ensuring network availability, is used by service providers worldwide to ensure the security and performance of their own networks and to deliver in-the-cloud managed security services. Peakflow SP provides network-wide infrastructure security, measurement and traffic monitoring. It comprises three components that together offer a comprehensive solution, scaling with a service provider’s network and its customer base.

• Infrastructure Security proactively detects and mitigates network-wide anomalies
• Traffic and Routing models traffic from across the entire network, enabling operators to make informed business decisions about routing, transit, partners and customers
• Managed Services provides a scalable and cost-effective means for service providers to offer DDoS prevention and other in-the-cloud security services to their customers.

Figure 3: Peakflow Enabled End-to-End Security. In-the-cloud managed security services present an intersection of functionality from Peakflow SP and Peakflow X, linked by Managed Services and the Active Threat Feed.

Service Providers (Peakflow SP):
• Secure the core infrastructure
• Reduce the costs of operating their network
• Roll out revenue-generating in-the-cloud service offerings

Enterprises (Peakflow X):
• Secure the internal network
• Reduce the risk of information theft
• Minimize network outage due to worms and insider attacks


Arbor Networks leverages its strong relationships with many of the world’s service providers to deliver three unique supplemental services that enhance the value of MSSPs’ in-the-cloud offerings.

Arbor Security Response Team (ASERT)

ASERT is a security monitoring service staffed with some of the world’s most talented network security professionals. ASERT extracts information from honeypots (decoy network resources that are accessed only by hackers targeting a network) from Arbor’s extensive network of service providers. ASERT augments this information with data from other publicly available sources to provide network operators with “fingerprints” (detailed traffic signatures) of emerging threats.

ASERT enhances in-house network monitoring efforts by validating security threats and often delivering first notification of them. This helps network staff separate the relatively few genuine threats from the tens of thousands of false alarms large enterprises receive every day.

Fingerprint Sharing Alliance (FSA)

FSA enables service providers to share security information among themselves in the form of fingerprints. The first and only global organization of its kind, FSA has more than two dozen members, including major service providers in both hemispheres.

Active Threat Feed (ATF)

ATF takes the concept of the FSA and extends it to the enterprise realm. Using RSS technology, Arbor’s ATF automatically provides subscribing enterprises with early warning about threats facing their networks. Armed with the fingerprint information, security managers can trace the source of the attack, analyze its form and mitigate its impact. This value-added service generates a wide range of reports, such as:

• Worm-infected hosts
• Malware-infected hosts
• Phishing attempts
• Members of botnets
• Peer-to-peer (P2P) participants
• Skype users
• Instant messaging (IM) participants

Reports based on fingerprint information, in turn, can be used to solve additional IT infrastructure performance issues, such as application performance, based on application flows across the extended enterprise/service provider network.

Managed Security Services enabled by Arbor Peakflow SP


Peakflow SP: The Platform for a Wealth of Superior Security Services

Peakflow is the foundation for a wide range of in-the-cloud security services.

• Network-based DDoS detection: MSSPs that are “Powered by Peakflow” can use it to detect distributed denial of service attacks before they strike enterprise customers’ networks. Anomaly reports can be made available through the MSSPs’ customer portals, and customers can be proactively notified of potential threats.
• Network-based DDoS mitigation: Using DDoS detection information, providers can defuse or eliminate DDoS threats before they do significant damage.
• Intelligent Traffic Reporting: Through the customer portal, enterprises can use reports on customer breakdowns, top talkers and business-centric and network-wide activity to better understand and manage their networks.
• Botnet Discovery: Customers can be alerted if any of their network hosts have been conscripted to participate in malicious botnet activities.
• VoIP Reporting: MSSPs can give customers a network-wide perspective on their VoIP and IP video services, helping to enhance and maintain internal service levels.
• Multi-provider DDoS Detection: Peakflow SP allows a designated MSSP to gain a single view of anomalies across service providers, integrating multiple portal views into a single report. Specific providers can use this information to deliver remediation.
• Managed VPN Security: MSSPs can use Peakflow to detect insider misuse for managed virtual private network (VPN) customers and help ensure regulatory compliance. They can also provide automatic threat response services.
• Worm Detection and Reporting: Peakflow SP allows MSSPs to pinpoint network worms in-the-cloud and at the enterprise perimeter, tracking them down on a per-customer basis. Customers can download worm signatures as necessary, while MSSPs can similarly facilitate customized cleanup using infected host lists.

Power In the Cloud: An American Stock Exchange

“Powered by Peakflow” MSSP SAVVIS engaged in a large, comprehensive managed network agreement with a major American stock exchange in which in-the-cloud security services were bundled into the contract. Leveraging Peakflow SP, SAVVIS helps ensure the performance and uptime of this stock exchange’s mission-critical network with internal security and DDoS detection/remediation capabilities.

Many MSSPs offer in-the-cloud security services that proactively deliver “clean bandwidth” as well as CPE-based services that alleviate the mounting management burden they carry for firewalls and other perimeter security devices.


Conclusion

From its origins in relatively peripheral operations such as data center management, outsourcing has arguably become the enterprise IT industry’s most profound trend of the last decade, moving up the “food chain” to highly mission-critical activities such as network security.

Outsourcing, particularly the outsourcing of high-risk network security monitoring and threat mitigation, offers enterprises a solid roster of business benefits:

• Cost savings in many areas of operational and capital expenditure
• Improved performance of network resources, as in-the-cloud managed network solutions deliver greater network reliability and integrity
• Higher levels of network security, as significantly more resources are dedicated to an enterprise’s needs
• Expertise in a complex and constantly changing domain

Peakflow is the platform of choice for MSSPs and their customers who want to ensure security to the core and performance to the edge. “Powered by Peakflow” managed security offerings are among the industry’s most powerful and present a strong complement to the internal network security capabilities delivered by Pravail NSI. Peakflow delivers market-leading performance in a wide range of security services, from network-based DDoS detection and mitigation to worm detection and reporting. When “Powered by Peakflow,” customers can outsource not only their network security activities, but associated risk and anxiety as well, creating a true silver lining in the stormy world of enterprise network management.

For more information about Peakflow SP solutions and “Powered by Peakflow” MSSPs, please visit www.arbornetworks.com.

Corporate Headquarters
76 Blanchard Road
Burlington, MA 01803 USA
Toll Free USA +1 866 212 7267
T +1 781 362 4300

Europe
T +44 207 127 8147

Asia Pacific
T +65 6299 0695

www.arbornetworks.com

©2012 Arbor Networks, Inc. All rights reserved. Arbor Networks, the Arbor Networks logo, Peakflow, ArbOS, How Networks
Grow, Pravail, Arbor Optima, Cloud Signaling, ATLAS and Arbor Networks. Smart. Available. Secure. are all trademarks of
Arbor Networks, Inc. All other brands may be the trademarks of their respective owners.

WP/CLOUD/EN/0612
Arbor White Paper

The Business Value of DDoS Protection
How to Calculate the ROI from a DDoS Defense Solution
About Arbor Networks
Arbor Networks, Inc. is a leading provider of network
security and management solutions for enterprise and
service provider networks, including the vast majority
of the world’s Internet service providers and many of the
largest enterprise networks in use today. Arbor’s proven
network security and management solutions help grow
and protect customer networks, businesses and brands.
Through its unparalleled, privileged relationships with
worldwide service providers and global network operators,
Arbor provides unequalled insight into and perspective on
Internet security and traffic trends via the ATLAS® Active
Threat Level Analysis System. Representing a unique
collaborative effort with 230+ network operators across
the globe, ATLAS enables the sharing of real-time security,
traffic and routing information that informs numerous
business decisions.
Arbor White Paper: The Business Value of DDoS Protection

Understanding the Risk of Attack

Today, more and more companies are outsourcing their online operations such as Web sites, ecommerce, email and domain name system (DNS) to focus on core business activities and lower costs.

As a result, hosting providers are experiencing double-digit growth as they meet this mounting market demand. Service-level commitments and customer expectations are also on the rise due to the business-critical nature of many hosting services. In particular, the highest-value customers have the lowest tolerance for outages.

A continuing and growing threat to service availability is distributed denial of service (DDoS) attacks. In fact, most hosting providers experience DDoS attacks on a regular basis. An effective DDoS defense system can safeguard business operations against DDoS-related outages, but determining the return on investment (ROI) of purchasing and deploying such a system can be challenging. One needs to quantify both the risks of DDoS attacks and their financial consequences. This paper provides a simple, step-by-step approach for evaluating whether an investment in a DDoS defense system is financially justified.

Using industry averages for attack frequency and outage costs, the results show that investing in an effective DDoS protection solution, such as the Peakflow® SP Threat Management System (“TMS”), provides a strong positive ROI, reduces customer churn and lowers financial risk. Arbor Networks also provides an ROI calculator that enables hosting providers to apply their own data to compute ROI and determine the results of different what-if scenarios.

Few studies focus on the probability that a business will experience a DDoS attack of significant impact. However, survey information from Forrester Research and Arbor Networks provides insight into the risk of such an attack.

Forrester Research conducted a survey of 400 companies with significant online operations.1 The survey’s objective was to gather basic information on the DDoS threat to these businesses, which included online financial services, media, news, political sites, gaming, entertainment, Web hosting and ecommerce. Among the results, over 70% reported at least one DDoS attack in the previous 12-month period. Attack durations were highly variable, but the most common duration for attacks that had operational and business impact was two to six hours.

Arbor Networks’ annual Worldwide Infrastructure Security Report2 is an excellent source of more detailed information on the frequency and nature of DDoS attacks on Internet service providers (ISPs) and Internet data centers (IDCs). Based on the responses from 111 ISPs and IDCs, the survey data shows that these organizations are experiencing a high frequency of DDoS attacks, equating to multiple attacks per month (see Figure 1).

Figure 1: Average Number of DDoS Attacks per Month (bar chart; y-axis: percentage of survey respondents, 0% to 50%; categories: None, 1-10, 10-20, 20-50, 50-100, 100-500, 500+)
Source: Arbor Networks’ Annual Worldwide Infrastructure Security Report, 2010

1 Worldwide Infrastructure Security Report, Arbor Networks, January 2010.
2 The Trends and Changing Landscape of DDoS Threats and Protection, Forrester Consulting, July 2009.


Figure 2: Impact from IDC DDoS Attacks (bar chart; y-axis: percentage of survey respondents, 0% to 90%; categories: Operational Expense, Customer Churn, Revenue Loss, Employee Turnover, Other)
Source: Arbor Networks’ Annual Worldwide Infrastructure Security Report, 2010

McAfee3 also surveyed IT and security executives from seven industry sectors and found the frequency and impact of DDoS attacks to be similar to those Arbor reported. In terms of the impact of DDoS attacks, 84% of these ISPs and IDCs reported incurring operational expenses and 43% reported customer churn and revenue loss (see Figure 2).

Hosting providers in particular often have a higher risk of DDoS attack than stand-alone online businesses because hosting providers in effect aggregate the risk of all their customers. An attack on one customer can affect others and potentially the entire hosting operation because of the heavy reliance on shared infrastructure. Risk is also a function of the type of customers being hosted. Sites that engage in controversial activity, as well as large, visible businesses, are more likely targets of DDoS than small business Web sites. However, just one small customer can attract a massive DDoS response with a single controversial act.

The capacity to unleash a large DDoS attack is available to anyone simply by renting a botnet. Figure 3 shows a typical advertisement for botnet services. Table 1 (see page 3) shows the results of a survey on botnet rental pricing. In short, the resources needed to carry out large-scale DDoS attacks are cheap and readily available.

Figure 3: Advertisement for Botnet Services4

3 In the Crossfire: Critical Infrastructure in the Age of Cyber War, Authors: Stewart Baker, distinguished visiting fellow at CSIS and partner at Steptoe & Johnson; Shaun Waterman, writer and researcher, CSIS; George Ivanov, researcher, CSIS; McAfee, 2010.


Botnets are not the only source of DDoS attacks. Social media sites can coordinate large numbers of willing users to carry out DDoS attacks as illustrated by the WikiLeaks-inspired attacks in late 2010. Coordinated through Twitter, large numbers of end users downloaded a simple attack tool and directed attacks at numerous companies deemed complicit in interfering with what the users viewed as the legitimate activities of WikiLeaks. These attacks successfully targeted high-profile companies, including PayPal, MasterCard and Visa. The attacks went both ways as well. The provider hosting WikiLeaks removed the site from its infrastructure because DDoS attacks directed at WikiLeaks were impacting service to all its customers, which in turn might have elicited DDoS attacks from WikiLeaks’ defenders. This example illustrates the reality that hosting providers bear the aggregated risk of their customers.

Table 1: Botnet Rental Pricing5

Price    Duration (Hours)   Bandwidth (Mbps)
$20      2                  45
$30      6                  45
$50      12                 45
$70      24                 45
$75      24                 100
$100     24                 1,000
$250     24                 1,000
$400     5                  5,000
$600     168                1,000
$900     24                 4,750
$1,000   24                 4,750
$5,500   168                4,750
$6,000   168                4,750

The overall impact of a DDoS attack is a function of the time it takes to detect the attack, the time needed to mitigate it and the extent of service degradation both before and after mitigation. For many IDC operators, detection consists of simply waiting for customers to complain, and mitigation consists of dropping all traffic destined to the resource under attack. This form of mitigation may protect the IDC infrastructure and other customers, but it completes the attack on the particular target of the DDoS event. If the target is a high-value customer, the hosting provider will likely suffer financial loss.

Survey data from Arbor,2 McAfee3 and Forrester1 show IDCs are experiencing multiple DDoS attacks per month. Not all attacks result in significant outages due to the severity of the attacks themselves and the effectiveness of the anti-DDoS measures deployed at the IDC.

Using the survey data, a conservative estimate of the number of high-impact DDoS events (events resulting in outages of at least 2 hours) is shown in Figure 4. The figure shows the expected number of outages (ranging from 2 hours to over 24 hours) that a typical IDC will experience over a 3-year period. A period of 3 years is used because ROI is generally based on a 3-year time frame.

Figure 4: Modeling the Financial Impact of Attacks (bar chart; y-axis: expected number of attacks over three years, 0.0 to 2.0; x-axis: outage duration, 2-6 hours, 6-12 hours, 12-24 hours, 24+ hours)

4 Modeling the Economic Incentives of DDoS Attacks: Femtocell Case Study, Vicente Segura and Javier Lahuerta, Department of Network and Services Security, Telefonica I+D.
5 Modeling the Economic Incentives of DDoS Attacks: Femtocell Case Study, Vicente Segura and Javier Lahuerta, Department of Network and Services Security, Telefonica I+D.


Modeling the Financial Impact of Attacks

The cost of outages due to DDoS attacks is comprised of operational costs and revenue impacts. Lower-impact/duration attacks may only result in added operational costs. High-impact attacks will also negatively affect revenues due to customer defections, SLA credits and reputation damage.

The elements contributing to the overall cost of DDoS consist of the following:

• Personnel time spent addressing and recovering from the outage.
• Incremental help desk expenses.
• Customer credits and refunds.
• Cost of customer defections and nonrenewal of contracts.
• Degradation of reputation resulting in higher customer acquisition costs and a lower rate of business growth.

The threshold of DDoS attack likely to result in some or all of these negative consequences varies according to the nature of the business. A good starting point for a hosting provider is to estimate what duration and scope of DDoS attack will have a significant business impact (e.g., customer refunds and credits, customer defections and nonrenewals). Depending on the type of customers served by the provider, the threshold may be an outage ranging from two to six hours to one lasting as long as 24 hours. Lower-level attacks, flash crowds and unanticipated demand can consume engineering and help desk resources but may or may not result in customer defections, credits and reputation loss.

Modeling all of these costs is a good way to determine the benefits of DDoS protection since an effective DDoS protection solution typically reduces these costs by 90% or more. Table 2 provides an example of how organizations can model the total cost per DDoS attack. The example is a hosting provider with $20M in annual sales and an industry-average risk of attack.

Table 2: Modeling Cost of Outages Due to DDoS Attacks

Columns: Attack Duration (Hours) | Operations (# hours x # staff x cost/person/hour) | Help Desk (# hours x calls/hour x cost/call) | Lost Current Revenue (Enterprise revenue per hour x outage duration) | Loss of Future Business (Present value of 1 year growth x % lost business loss) | Total Cost per Attack

2-6   | 4 x 4 x $75   | 4 x 25 x $20   | $50m/8760 x 4   | 0% x $50m x 2.49    | $26,031
6-12  | 9 x 4 x $75   | 9 x 25 x $20   | $50m/8760 x 9   | 0% x $50m x 2.49    | $58,570
12-24 | 18 x 4 x $75  | 18 x 25 x $20  | $50m/8760 x 18  | .25% x $50m x 2.49  | $428,390
24+   | 30 x 4 x $75  | 30 x 25 x $20  | $50m/8760 x 30  | .5% x $50m x 2.49   | $817,773


Table 3: Three Year Expected Cost of DDoS Attacks

Attack Duration (Hours) | Expected Number of Attacks Over 3 Years | Cost per Attack | Expected Cost Over 3 Years
2-6                     | 1.9                                     | $26,031         | $49,459
6-12                    | 1.4                                     | $58,570         | $81,998
12-24                   | 0.9                                     | $428,390        | $385,551
24+                     | 0.3                                     | $817,773        | $245,320
TOTAL EXPECTED COST     |                                         |                 | $762,327

Combining the DDoS attack risk profile with attack cost estimates produces the expected cost over three years, as shown in Table 3.

This cost can now be compared to the alternative of investing in a high-quality DDoS defense system, which can be expected to eliminate the extraordinary expenses of dealing with DDoS attacks through traditional methods (e.g., black-holing customer traffic, removing domains, etc.). The cost of an effective DDoS protection system is generally a function of mitigation capacity, that is, how much attack traffic the device can handle. This example assumes that a system capable of mitigating 2.5 Gbps is sufficient and can be purchased for $100K. Annual ongoing ownership costs (e.g., support, maintenance, internal operations, etc.) are about 25% of the purchase price.

There is also a positive revenue component to investing in DDoS protection. DDoS was ranked the number-one network security issue in a survey of 400 IT professionals by Forrester Research. Therefore, as high-value customers make decisions on obtaining data center hosting services, the ability of a hosting provider to address this key concern will influence the purchase decision.

The result is, other factors being equal, a hosting provider that includes DDoS protection as part of its standard service will likely attract more new business than a hosting provider that does not. This incremental revenue should be included in the ROI calculation. A conservative estimate is .25% incremental growth over what would be achieved without DDoS protection in the standard offering. For example, a hosting provider expecting 12% growth would increase forecasted growth to 12.25%. Thus, a hosting provider with $20M in annual sales would derive $50K in incremental revenue per year as a result of being able to protect customers from outages due to DDoS. The three-year present value (PV) at 10% discount rate of the incremental revenue for just one year of additional growth is approximately $124K.

Using the data above, Table 4 shows the final results of the three-year net present value (NPV) and ROI of the investment (not including residual value of the equipment).

Choice of the DDoS protection solution matters. As explained in Arbor Networks’ white paper entitled The Growing Need for Intelligent DDoS Mitigation Systems, traditional perimeter security products, such as firewalls and intrusion prevention systems (IPS), are unable to address the DDoS threat to availability. To realize the projected benefits of deploying a DDoS defense solution, due diligence is needed on the part of the technical staff when selecting a solution.

Table 4: NPV and ROI of a DDoS Defense Solution

ROI
Initial Investment                 $100,000
Year 1 Return—Ownership Costs      $229,109
Year 2 Return—Ownership Costs      $229,109
Year 3 Return—Ownership Costs      $229,109
NPV (@10% Discount Rate)           $427,054
ROI                                587%
Payback                            5.2 Months
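The arithmetic behind Tables 2, 3 and 4, carried through in Python as an added worked example (not the paper's own code and not Arbor's ROI calculator). It assumes the $50m annual revenue that Table 2's formulas use, treats 2.49 as the three-year annuity factor at 10%, and reproduces the $427,054 NPV only under the spreadsheet NPV() convention of discounting the initial outlay by one period (standard NPV is returned alongside for comparison); with the formulas as printed, the 24+ hour row comes to $817,733, which is also the value that Table 3's $245,320 is 0.3 times, rather than the $817,773 printed.

```python
"""Reproduce the white paper's DDoS outage cost and ROI model (Tables 2-4)."""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760
DISCOUNT_RATE = 0.10
HORIZON_YEARS = 3


def annuity_factor(rate: float, years: int) -> float:
    """Present value of $1 received at the end of each of `years` years."""
    return sum(1.0 / (1.0 + rate) ** t for t in range(1, years + 1))


# Table 2 multiplies lost-growth revenue by 2.49, the 3-year 10% annuity
# factor rounded to two decimals; use the rounded value to match the table.
PV_FACTOR = round(annuity_factor(DISCOUNT_RATE, HORIZON_YEARS), 2)  # 2.49


@dataclass(frozen=True)
class CostInputs:
    """Per-attack cost drivers; defaults are the paper's Table 2 inputs."""
    staff_per_outage: int = 4              # engineers working the outage
    staff_cost_per_hour: float = 75.0      # fully loaded cost per person-hour
    calls_per_hour: int = 25               # help desk calls per outage hour
    cost_per_call: float = 20.0            # Tier 1 help desk cost per call
    annual_revenue: float = 50_000_000.0   # the "$50m" in Table 2's formulas


def cost_per_attack(hours: float, lost_growth_pct: float,
                    inp: CostInputs = CostInputs()) -> float:
    """Total cost of one outage lasting `hours` hours (one Table 2 row).

    lost_growth_pct is the share of annual revenue lost to future-business
    damage: 0.0 for short outages, 0.0025 for 12-24 hours, 0.005 for 24+.
    """
    operations = hours * inp.staff_per_outage * inp.staff_cost_per_hour
    help_desk = hours * inp.calls_per_hour * inp.cost_per_call
    lost_current_revenue = inp.annual_revenue / HOURS_PER_YEAR * hours
    lost_future_business = lost_growth_pct * inp.annual_revenue * PV_FACTOR
    return operations + help_desk + lost_current_revenue + lost_future_business


# (duration label, modelled outage hours, expected attacks over 3 years,
#  lost-growth share). Hours and expected counts are Table 2 / Table 3 values.
ATTACK_PROFILE = [
    ("2-6",   4,  1.9, 0.0),
    ("6-12",  9,  1.4, 0.0),
    ("12-24", 18, 0.9, 0.0025),
    ("24+",   30, 0.3, 0.005),
]


def expected_cost_over_horizon(profile=ATTACK_PROFILE,
                               inp: CostInputs = CostInputs()) -> dict:
    """Table 3: expected attacks x cost per attack per row, plus the total."""
    rows = {label: n * cost_per_attack(h, pct, inp)
            for label, h, n, pct in profile}
    rows["TOTAL"] = sum(rows.values())
    return rows


def roi_summary(expected_cost_3y: float, purchase_price: float = 100_000.0,
                ownership_pct: float = 0.25, rate: float = DISCOUNT_RATE) -> dict:
    """Table 4: annual net return, NPV, ROI and payback of the defense system.

    The annual return assumes the system eliminates the expected attack cost
    (Table 4's $229,109 is the 3-year cost / 3 minus 25% ownership cost; the
    incremental-revenue upside discussed in the text is not included).
    """
    annual_return = (expected_cost_3y / HORIZON_YEARS
                     - ownership_pct * purchase_price)
    # Cash flows: initial outlay, then three annual net returns.
    flows = [-purchase_price] + [annual_return] * HORIZON_YEARS
    # The paper's $427,054 is reproduced only when every flow, the outlay
    # included, is discounted one period, as a spreadsheet NPV() does
    # (assumption). Standard NPV leaves the initial outlay undiscounted.
    npv_spreadsheet = sum(f / (1 + rate) ** (i + 1) for i, f in enumerate(flows))
    npv_standard = sum(f / (1 + rate) ** i for i, f in enumerate(flows))
    roi = (annual_return * HORIZON_YEARS - purchase_price) / purchase_price
    payback_months = purchase_price / annual_return * 12
    return {
        "annual_return": annual_return,
        "npv_spreadsheet": npv_spreadsheet,
        "npv_standard": npv_standard,
        "roi": roi,
        "payback_months": payback_months,
    }


if __name__ == "__main__":
    costs = expected_cost_over_horizon()
    for label, value in costs.items():
        print(f"{label:>6}: ${value:,.0f}")
    for key, value in roi_summary(costs["TOTAL"]).items():
        print(f"{key}: {value:,.2f}")
```

Changing the `ATTACK_PROFILE` counts or the `CostInputs` defaults is the same exercise the paper's ROI calculator (Table 5) asks the reader to do with their own data.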


Using the Model

A hosting provider using this model to project the ROI of a DDoS defense solution must of course adjust the inputs based on its own experience of DDoS attacks, operational costs and business impact. The accuracy of the estimate depends, in part, on how well the provider understands the effects of prolonged outages and damaged reputation on customer buying behavior.

The highest-paying and highest-value customers are most affected by outages and service degradation, so it is important to be sensitive to downtime costs from a customer perspective. Data from the Symantec 2011 SMB Disaster Preparedness Survey6 shows the median cost of downtime for small-to-medium businesses is $12,500 per day. Thus, the aggregate cost of a major outage affecting 100 customers is approximately $1.25M and could well result in significant defections as customers rightly conclude that availability is critical to their bottom line.

Lastly, in addition to modeling the best estimate of ROI, it is also useful to model the upside and downside risks of making the investment. Figure 6 shows the break-even point and financial sensitivity for protecting against the risk of major attacks that result in extended outages (24+ hours).

This is a cost-only view and does not include any incremental revenue growth from offering DDoS protection. Figure 5 graphs the three-year cost of extended outages with respect to frequency of attack. The financial break-even point in this case is a frequency of one major outage every six to seven years. Also significant is the difference between the upside and downside risk. The graph shows that the cost of not being able to effectively address DDoS attacks rises very steeply as frequency goes up; thus, the cost exposure of underestimating attack frequency is very high. In contrast, if the actual frequency is less than expected, the cost exposure of having overinvested in DDoS protection is gradual and bounded by the amount invested. Finally, the graph illustrates how the investment in DDoS protection replaces a highly uncertain and steep cost curve with a flat, predictable and relatively low cost curve. This is clearly a more desirable operating model for financial managers.

Figure 5: Three Year Cost of Major Attacks Causing Outages of 24 Hours or More (line chart; y-axis: three year cost, $0 to $3,000,000; x-axis: attack frequency, from Never through 1 event/20 years, 1 event/15 years, 1 event/10 years, 1 event/5 years and 1 event/3 years to 1 event/year)

6 Symantec 2011 SMB Disaster Preparedness Survey, Symantec, 2011.


ROI Calculator for DDoS Protection

The method shown previously is relatively easy to apply to a hosting operation. Arbor Networks also provides an ROI calculator based on this method.

The calculator provides default values that make it easy to get an initial estimate and also lets users enter values that more accurately reflect the realities of their own operations. The user can try plugging in different values to test the sensitivity of the results to changes in various inputs. The user is asked to provide the following information:

Table 5: ROI Calculator Required Inputs and Default Values

Required Inputs | Comments
Average number of business-impacting DDoS events per year (2-6 hours) | Industry average is .8 per year
Man-hours of network engineering time per hour of DDoS attack or outage | Default of 4 man-hours provided, appropriate for small- to mid-sized hosting data centers
Network engineering personnel cost per hour | Average fully loaded cost is $75 per hour
Number of help desk calls per hour of outage |
Cost per help desk call | Industry average for Tier 1 help desk is $20 per call
Average $ value of SLA credit per customer if credits are issued | Typically 1 month of billing per credit
Number of customer credits issued per 8 hours of outage |
Number of lost customers per 8 hours of outage (non-renewals) |
Annual revenue per customer |
Average customer retention time (years) |
Percent business growth impact (negative) after serious outage (18 hour plus) | Suggested value is .25% (reputational damage)
Percent business growth impact (positive) if DDoS protection is added to standard offering | Suggested value is .25%
Annual company revenue |
Bandwidth requiring DDoS protection (Gbps) |


Conclusion
Today’s hosting provider can increase revenue by capitalizing on the growing demand of business customers for hosted online operations—provided, of course, that it can safeguard these critical operations against DDoS-related outages.

To minimize such outages and optimize the availability of their hosting services, providers are turning to DDoS defense solutions such as the Peakflow SP Threat Management System. Faced with budget constraints, however, they must first evaluate whether an investment in a DDoS protection solution is financially justified. Using the simple, step-by-step approach described in this paper, providers can model the financial impact of a DDoS attack on their operations and calculate the ROI of an effective DDoS defense solution.

Visit www.arbornetworks.com for more information.

Corporate Headquarters
76 Blanchard Road
Burlington, MA 01803 USA
Toll Free USA +1 866 212 7267
T +1 781 362 4300

Europe
T +44 207 127 8147

Asia Pacific
T +65 6299 0695

www.arbornetworks.com

©2012 Arbor Networks, Inc. All rights reserved. Arbor Networks, the Arbor Networks logo, Peakflow, ArbOS, How Networks
Grow, Pravail, Arbor Optima, Cloud Signaling, ATLAS and Arbor Networks. Smart. Available. Secure. are all trademarks of
Arbor Networks, Inc. All other brands may be the trademarks of their respective owners.

WP/BVDDoSP/EN/0612
Arbor White Paper

Securing Data Centers: A Unique Opportunity for ISPs
Arbor White Paper: Securing Data Centers: A Unique Opportunity for ISPs

The Growing Managed Security Services Market


For today’s enterprises, any downtime in their Internet data center (IDC) operations can dramatically impact the bottom line. So it is no surprise that the increasing scale and frequency of distributed denial of service (DDoS) attacks are now having a much greater impact on the business continuity and profitability of these companies. What’s more, while DDoS attacks may have been driven by noneconomic reasons in the past, they now have major monetary drivers including extortion, competitive advantage and corporate revenge.

DDoS threats that impact the availability of services represent a significant opportunity for Internet service providers (ISPs). Enterprises and their IDC operators are more concerned about DDoS than ever before, and ISPs can help them combat these threats. This white paper explores the security challenges affecting today’s enterprises and IDC operators, and examines how ISPs are in a unique position to respond by delivering revenue-generating, managed DDoS protection services.

The managed security service provider (MSSP) market is expected to grow to around $4 billion by 2016 in North America alone, according to Frost & Sullivan. Moreover, the managed security and security monitoring services segment will continue to yield the highest percentage of total revenue in the MSSP market.

“Although budget cutbacks have resulted from the economic slowdown, companies are continuing to implement measures to upgrade security,” says Frost & Sullivan Research Analyst Martha Vazquez. “Outsourcing security to an MSSP will free up time for organizations to focus on core business processes.”

Enterprises will spend more on network-based security services from ISPs as they become more comfortable with ISPs providing these services. Many factors—such as better support, more mature options, improved service control and faster services—will increase this comfort level. Today, the majority of MSSP customers purchase managed security services that are based on customer premise equipment (CPE). Consequently, customers might have fewer concerns about purchasing a network-based security service if it also includes a CPE-based component.



The Evolving DDoS Threat


The market demand for managed security services is real and growing. Service providers have
some inherent advantages that enable them to capitalize on this demand because they own
the pipes that transmit data across the Internet. This makes ISPs uniquely well-positioned
to deliver a comprehensive solution that can combat the two primary types of DDoS attacks.

First, they can stop “volumetric” DDoS attacks. These are usually generated by Internet bots or compromised PCs that are grouped together in large-scale botnets. Examples include DDoS attacks against UK-based online betting sites1 where the hackers extorted the betting firms, and the politically motivated DDoS attacks against the Georgian government.2 They are generally high-bandwidth attacks and originate from a large number of bots that are geographically distributed. Because of the high-bandwidth and distributed nature of these attacks, the congestion might occur upstream in the provider’s network and cannot be stopped at the enterprise or data-center edge.

In addition, a new type of DDoS attack has emerged that threatens the business viability of service provider customers. Two days before Christmas in 2009, last-minute shoppers could not access some of the world’s most popular Internet shopping sites including Amazon, Expedia and Walmart. A targeted DDoS attack against UltraDNS,3 a leading provider of domain name system (DNS) services, took these major retail sites offline. The attack could have dramatically affected the Christmas shopping season and the profitability of these retailers if UltraDNS had not been able to detect and stop the attack very quickly.

This attack revealed the potential impact of DDoS to online commerce. More importantly, it revealed a new type of “application-layer” DDoS attack that targets specific services and consumes lower bandwidth. These new application-layer DDoS attacks threaten a myriad of services ranging from Web commerce and DNS services to email and online banking.

Enterprise customers are very concerned with the availability of critical services running in their data centers. At the same time, attackers view these Internet-facing data centers as new prime targets and are launching DDoS attacks to wreak havoc on these companies. The convergence of volumetric and application-layer DDoS attacks poses a significant threat to online services, and customers will be looking for solutions.

[Figure: DDoS driven by financial motivations. Paid attacker directs a botnet through the Internet at an Internet data center (load balancers and services); several targets are marked with the $ impact of attack traffic versus legitimate traffic.]

1 news.bbc.co.uk/2/hi/technology/4169223.stm
2 www.cnn.com/2009/TECH/08/07/russia.georgia.twitter.attack
3 www.cnn.com/2009/TECH/12/24/cnet.ddos.attack/index.html


Only ISPs Can Provide the Comprehensive Solution to Protect Data Centers from DDoS

ISPs can gain a unique advantage by providing a layered network- and edge-based managed solution to combat both volumetric and application-layer DDoS attacks. The best place to stop volumetric DDoS attacks is in the ISP cloud (via network-based DDoS protection) because the saturation happens upstream and can only be remediated in the provider’s cloud.

The best place to perform application-layer DDoS detection is in the data center itself because the attack can only be detected and quickly stopped at the data-center edge. Only ISPs can provide both a network-based service component to stop volumetric DDoS attacks and a CPE-based service component to stop application-layer DDoS attacks—representing a distinct competitive advantage.

There are cost efficiencies at work, too. When an ISP is already supplying a managed firewall, Secure Socket Layer virtual private network (SSL VPN), intrusion detection system (IDS), intrusion prevention system (IPS) and other security measures, adding an incremental managed DDoS protection service can be relatively straightforward and cost-efficient.

[Figure: Multiple layers of defense required for comprehensive DDoS protection. An ISP cleaning center removes large DDoS attacks upstream; at the data center, the firewall, load balancer and IDS/IPS sit in front of the target applications and services, where application-layer attack traffic must be handled.]


Why Traditional Security Products Fail to Address the Evolving DDoS Threat

Firewalls, IPS and other products are key elements of your customers’ security strategy, but these solutions are designed to provide security functions that are fundamentally different from dedicated DDoS detection and mitigation products.

For example, firewalls are essentially policy enforcement points that are usually deployed at the network or data-center perimeter. Their role is to establish and enforce the rules that govern what traffic is allowed in and out of a data center as defined by ports, protocols and destinations.

Internet-facing data centers are open to Web traffic (TCP port 80/443) and other services such as video, voice and file transfer. DDoS attacks target the very services that firewalls have to allow through, so there is no inherent DDoS protection in the firewall layer.

In fact, because firewalls maintain state information for every session established between a client on the Internet and the corresponding server in the data center, the firewalls themselves are commonly the targets of DDoS attacks. What’s more, they are potentially the single point of failure that disables the data center during large-scale DDoS attacks. In these cases, it is best to provide DDoS protection in the ISP network or “cloud” before it reaches the data center since by that time it is too late.

[Figure: Firewalls can actually be the targets of DDoS attacks. A botnet sends attack traffic across the ISP/Internet (congestion) toward the data center firewall, which fails; legitimate traffic is caught in the same congestion.]


[Figure: IPS devices are not designed to stop DDoS attacks. The same picture with an IPS in place of the firewall: congestion on the ISP/Internet side, failure of the in-line IPS, and legitimate traffic lost alongside attack traffic.]

IPS/IDS devices are also not designed or positioned to protect against some denial of service attacks. They are designed to inspect packets and remove network-based malware through signature matching. Many times, however, DDoS attack traffic is not a signature-based threat. Because all IDS/IPS devices are deployed in-line and suffer from the same resource and memory exhaustion problems that plague firewalls, they are also a potential single point of failure on the network and increase network latency. In these cases, the detection and removal of DDoS attack traffic is best done in the ISP’s network either before it reaches the data-center edge or through off-ramping the malicious traffic.

Some firewalls and IDS/IPS products offer DDoS detection using techniques such as statistical anomaly detection or malformed protocol detection. But since firewalls and IDS/IPS products conduct anomaly detection on a per point basis, they have a very myopic view of the network. The very nature of a “distributed” denial of service attack means that the attack traffic is coming from different sources. Therefore, the solution must be able to recognize this behavior and stop the traffic as close to the sources as possible. This is another reason why the distributed detection and mitigation of DDoS attacks are best done in the ISP network.


Peakflow® SP: The Platform for Comprehensive Managed DDoS Services

A complete DDoS protection solution must support the following:

• Both in-line and, more importantly, out-of-band deployment to avoid being a single point of failure on the network.
• True “distributed” DoS (DDoS) attack detection, which requires broad visibility into the network (not just from a single network perspective) and the ability to analyze traffic from different parts of the network.
• Attack detection using multiple techniques such as statistical anomaly detection; customizable threshold alerts; and fingerprints of known or emerging threats that are based on Internet-wide intelligence.
• Mitigation that can easily scale to handle attacks of all sizes, ranging from low-end (e.g., 1 Gbps of mitigation, deployed in the data center) to high-end (e.g., 40 Gbps of mitigation, deployed in the ISP network).

The solution must also feature managed security service enablers. These include application programming interfaces (APIs) for integration with existing systems; the ability to launch a customer portal easily; provisioning templates; fault tolerance; and redundancy. Lastly, the solution must be proven and backed by a company that is a known industry expert in Internet-based DDoS threats.

The Peakflow SP solution (“Peakflow SP”) is a complete platform that service providers can use to develop comprehensive managed DDoS services for customers. Today, the majority of the world’s leading ISPs rely on Peakflow SP for the network-wide visibility and security they need to proactively fend off malicious threats, thwart DDoS attacks and strengthen the quality of their service. Increasingly, these ISPs are leveraging their investment in Peakflow SP to deliver profitable, new, in-cloud managed services.
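The "per point" versus network-wide contrast drawn in the previous section, and the statistical anomaly detection and distributed detection requirements in the list above, can be shown concretely. The following Python is an added example written for this page; it is not Peakflow SP code and uses no Arbor API. It aggregates constructed flow records per destination across several collectors and derives the alert threshold from a constructed baseline as mean plus three standard deviations. The record layout, the four hypothetical peering routers, the RFC 5737 documentation addresses and the threshold rule are all assumptions made for the example.

```python
"""Per-point vs. network-wide DDoS detection over flow records.

Added example, not Peakflow SP code.  A single in-line device (firewall/IPS)
sees only its own router's share of a flood; aggregating flow exports from
every router per destination sees the whole of it and the number of sources.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Sequence, Tuple

EXPORT_INTERVAL_S = 1  # every record below covers one second of traffic


@dataclass(frozen=True)
class FlowRecord:
    collector: str  # router that exported the record (peering/transit edge)
    src: str
    dst: str
    dport: int
    octets: int     # bytes seen during the export interval


def _bps(octets: int) -> float:
    return octets * 8 / EXPORT_INTERVAL_S


# Constructed sample: four hypothetical peering routers each see ~300 Mbps
# toward 203.0.113.10:80 from 25 distinct sources, plus a little ordinary
# traffic toward 203.0.113.20:443.  Addresses are RFC 5737 documentation ranges.
SAMPLE_FLOWS: List[FlowRecord] = []
for i, router in enumerate(("peer-a", "peer-b", "peer-c", "peer-d")):
    for j in range(25):
        SAMPLE_FLOWS.append(FlowRecord(router, f"198.51.100.{i * 25 + j + 1}",
                                       "203.0.113.10", 80, 1_500_000))
    SAMPLE_FLOWS.append(FlowRecord(router, f"192.0.2.{i + 1}",
                                   "203.0.113.20", 443, 2_000_000))

# Constructed history of the victim's normal aggregate rate (bits/s) over the
# previous seven intervals, used to derive a statistical anomaly threshold.
BASELINE_BPS: List[float] = [80e6, 95e6, 110e6, 90e6, 105e6, 100e6, 85e6]


def baseline_threshold(history: Sequence[float], k: float = 3.0) -> float:
    """Mean plus k standard deviations of the observed baseline (assumed rule)."""
    return mean(history) + k * pstdev(history)


def per_point_alerts(flows: Sequence[FlowRecord],
                     threshold_bps: float) -> List[Tuple[str, str, float]]:
    """What one vantage point sees: the share of each destination's traffic
    that crosses its own router.  Returns (collector, dst, bps) above threshold."""
    octets: Dict[Tuple[str, str], int] = defaultdict(int)
    for f in flows:
        octets[(f.collector, f.dst)] += f.octets
    return sorted((c, d, _bps(o)) for (c, d), o in octets.items()
                  if _bps(o) > threshold_bps)


def network_wide_alerts(flows: Sequence[FlowRecord], threshold_bps: float,
                        min_sources: int = 10) -> List[dict]:
    """Aggregate the same records across all collectors per destination and
    require many distinct sources, the mark of a *distributed* flood."""
    octets: Dict[str, int] = defaultdict(int)
    sources: Dict[str, set] = defaultdict(set)
    collectors: Dict[str, set] = defaultdict(set)
    for f in flows:
        octets[f.dst] += f.octets
        sources[f.dst].add(f.src)
        collectors[f.dst].add(f.collector)
    alerts = []
    for dst, o in octets.items():
        if _bps(o) > threshold_bps and len(sources[dst]) >= min_sources:
            alerts.append({"dst": dst, "bps": _bps(o), "sources": len(sources[dst]),
                           "collectors": sorted(collectors[dst])})
    return sorted(alerts, key=lambda a: a["dst"])


if __name__ == "__main__":
    # A 500 Mbps alarm on any single router never fires: each sees only 300 Mbps.
    print("per-point alerts:", per_point_alerts(SAMPLE_FLOWS, 500e6))
    thr = baseline_threshold(BASELINE_BPS)
    print(f"network-wide threshold: {thr / 1e6:.0f} Mbps")
    for a in network_wide_alerts(SAMPLE_FLOWS, thr):
        print(f"ALERT {a['dst']}: {a['bps'] / 1e9:.2f} Gbps from "
              f"{a['sources']} sources via {a['collectors']}")
```

Run stand-alone, the block reports no per-point alert, because each router carries only 300 Mbps of a 1.2 Gbps flood and a 500 Mbps single-link alarm never trips, and one network-wide alert naming all four collectors and 100 sources against a baseline-derived 125 Mbps threshold. The distinct-source count is what separates a distributed flood from a single busy client, and the collector list tells the operator where upstream the traffic can be off-ramped.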

[Figure: Peakflow SP Architecture. From the peering/transit edge through the backbone and regional mitigation center to the customer/hosting edge: Peakflow SP Collector Platform (CP) 5500 appliances, Threat Management System (TMS) 1200/2500/3x00/4x00 appliances, Flow Sensor (FS) appliances, Business Intelligence (BI) and Portal Interface (PI) appliances, a central console for visibility and threat management, and managed service customers.]

Peakflow SP Architecture
Consists of five types of appliances: 1) Peakflow SP Collector Platform (CP) appliances in the peering edge or backbone; 2) Peakflow SP Flow Sensor (FS) appliances in the customer aggregation edge; 3) Peakflow SP Business Intelligence (BI) appliances to increase scalability and add redundancy for managing critical objects; 4) Peakflow SP Portal Interface (PI) appliances to increase the scale, redundancy and profitability of Arbor-based managed services; and 5) Peakflow SP Threat Management System (TMS) appliances deployed in any part of the network to surgically mitigate network threats.


[Figure: Peakflow SP TMS deployment. Performance (Gbps) of each TMS model, positioned from small provider, dedicated customer and small POPs up to large provider, regional scrubbing center and large POPs. The models shown:]

Model | Performance | Form factor and ports
TMS 1200 | 1.5 Gbps | 1U, 4 x 1 GigE ports
TMS 2500 | 2.5 Gbps | 2U, 6 x 1 GigE ports, NEBS certified
TMS 3050 | 5 Gbps (software upgrade to 10 Gbps) | 3U, 2 x 10 GigE ports + 10 x 1 GigE ports
TMS 3110 | 10 Gbps | 3U, 2 x 10 GigE ports + 10 x 1 GigE ports
TMS 4000 | 10 Gbps per APM: 1 x APM (10 Gbps), 2 x APM (20 Gbps), 3 x APM (30 Gbps), 4 x APM (40 Gbps) | 6U, 8 x 10 GigE ports

Peakflow SP meets the key requirements of a comprehensive DDoS solution by providing:

• Ability to stop both volumetric and application-layer DDoS attacks: Peakflow SP provides the tools to diagnose and stop both high-bandwidth DDoS attacks as well as targeted application-layer DDoS attacks.
• True “distributed” DoS attack detection: Peakflow SP offers true distributed anomaly detection rather than simple point-based detection.
• Multiple methods of threat detection and mitigation: Peakflow SP provides multiple attack detection techniques. These range from statistical anomaly detection and threshold-based flood detection to fingerprint-based detection based on the global intelligence in Arbor’s Threat Level Analysis System (ATLAS®).4
• Scalability to handle all-size threats: Peakflow SP can detect threats of all sizes by leveraging flow technology in existing network infrastructure equipment. The solution can also stop any-size threat by supporting an array of Peakflow Threat Management System (“TMS”) appliances that provide surgical mitigation ranging from 1 Gbps to 40 Gbps (see above).
• Multiple deployment options: Peakflow SP can be deployed out-of-band where attack traffic is diverted to the TMS appliances. The solution can also be deployed in-line or passively.
• Managed service enablers: Peakflow SP offers a full range of enablers that help ISPs launch network-based service offerings to their customers.
• Industry expertise backed by a market leader: Arbor Networks is a leading provider of security and network management solutions for global business networks, including more than 70 percent of the world’s ISPs and many of the largest enterprise networks in use today.

4 atlas.arbornetworks.com


Conclusion
DDoS attacks are continuing to rise and both public and private data centers are prime targets. Today’s data center operators are seeking solutions to this pressing problem.

ISPs have a unique opportunity to respond by offering valuable network- and edge-based services that protect their customers’ data centers against DDoS attacks and drive incremental revenue. Peakflow SP is a proven platform that enables ISPs to develop unique managed DDoS protection services and help solve this growing threat.
For more information about the Peakflow SP
solution, visit the Arbor Networks Web site
at www.arbornetworks.com/peakflowsp or
contact an Arbor Networks representative
at www.arbornetworks.com/contact.

WP/SDC/EN/0612
Arbor White Paper

The Risk vs. Cost of Enterprise DDoS Protection
How to Calculate the ROI from a DDoS Defense Solution
Arbor White Paper: The Risk vs. Cost of Enterprise DDoS Protection

The data center has evolved from what was once primarily a provider of enterprise back-office support services to the public-facing Internet data center (IDC) of today. The IDC provides real-time, business-critical functions such as sales, communications, customer support and so on. In many industries, the IDC is the only vehicle for transacting business (e.g. ecommerce, gaming, social networking, online financial services, Web hosting).

A continuing and growing threat to IDC availability is distributed denial of service (DDoS). Arbor Networks regularly surveys IDC operators and in cooperation with Internet Service Providers (ISPs), monitors much of global Internet traffic. Surveys and monitoring data show that DDoS attacks are occurring with increasing frequency and severity.1 These attacks impose real costs and financial risk to businesses that rely on their IDC. An effective DDoS defense system can safeguard business operations against DDoS-related outages and a good first step in deciding whether to invest in such a system is to determine the expected return on investment (ROI). This paper provides a simple, step-by-step approach for evaluating the financial return on investing in a DDoS defense system.

Using industry averages for attack frequency and outage costs, the results show that investing in an effective DDoS protection solution, such as the Peakflow® SP Threat Management System (“TMS”), provides a strong positive ROI and lowers financial risk. Arbor Networks also provides online tools and resources to help IDC operators with the technical and business aspects of investing in DDoS defense.

Understanding the Risk of Attack

Few studies focus on the probability that a business will experience a DDoS attack of significant impact. However, survey information from Forrester Research and Arbor Networks provides insight into the risk of such an attack.

Forrester Research conducted a survey of 400 companies with significant online operations.2 The survey’s objective was to gather basic information on the DDoS threat to these businesses, which included online financial services, media, news, political sites, gaming, entertainment, Web hosting and ecommerce. Among the results, over 70% reported at least one DDoS attack in the previous 12 month period. Attack durations were highly variable, but the most common duration for attacks that had operational and business impact was two to six hours.


Arbor Networks’ annual Worldwide Infrastructure Security Report1 is an excellent source of more detailed information on the frequency and nature of DDoS attacks on Internet service providers (ISPs) and Internet data centers (IDCs). Based on the responses from 111 ISPs and IDCs, the most recent survey data shows that these organizations are experiencing a high frequency of DDoS attacks—equating to multiple attacks per month (see Figure 1).

McAfee3 also surveyed IT and security executives from seven industry sectors and found the frequency and impact of DDoS attacks to be similar to those Arbor reported. In terms of the impact of DDoS attacks, 84% of ISPs and IDCs reported incurring operational expenses, and 43% reported customer churn and revenue loss (see Figure 2).

Hosting providers in particular often have a higher risk of DDoS attack than stand-alone online businesses because hosting providers in effect aggregate the risk of all their customers. An attack on one customer can affect others and potentially the entire hosting operation because of the heavy reliance on shared infrastructure. Risk is also a function of the type of customers being hosted. Sites that engage in controversial activity, as well as large, visible businesses, are more likely targets of DDoS than small business Web sites. However, just one small customer can attract a massive DDoS response with a single controversial act.

[Figure 1: Average Number of DDoS Attacks per Month. Bar chart; y-axis: Survey Respondents (0% to 50%); categories: None, 1-10, 10-20, 20-50, 50-100, 100-500, 500+. Source: Arbor Networks Annual Worldwide Infrastructure Security Report, 2010.]

[Figure 2: Impact from IDC DDoS Attacks. Bar chart; y-axis: Survey Respondents (0% to 90%); categories: Operational Expense, Customer Churn, Revenue Loss, Employee Turnover, Other. Source: Arbor Networks Annual Worldwide Infrastructure Security Report, 2010.]


The capacity to unleash a large DDoS attack is available to anyone simply by renting a botnet. Figure 3 shows a typical advertisement for botnet services. Table 1 shows the results of a survey on botnet rental pricing. In short, the resources needed to carry out large-scale DDoS attacks are low cost and readily available.

Botnets are not the only source of DDoS attacks. Social media sites can coordinate large numbers of willing users to carry out DDoS attacks as illustrated by the WikiLeaks inspired attacks in late 2010. Coordinated through Twitter, large numbers of end users downloaded a simple attack tool and directed attacks at numerous companies deemed complicit in interfering with what the users viewed as the legitimate activities of WikiLeaks. These attacks successfully targeted high profile companies, including PayPal, MasterCard and Visa. The attacks went both ways as well. The provider hosting WikiLeaks had to remove the site from its infrastructure because DDoS attacks directed at WikiLeaks were impacting service to all its customers. This example illustrates the reality that hosting providers bear the aggregated risk of their customers.

The overall impact of a DDoS attack is a function of the time it takes to detect the attack, the time needed to mitigate it and the extent of service degradation both before and after mitigation. For many IDC operators, detection consists of simply waiting for customers to complain, and mitigation consists of dropping all traffic destined to the resource under attack. This form of mitigation may protect the IDC infrastructure and other customers, but it completes the attack on the particular target of the DDoS event. If the target is a high-value customer or service, there will likely be financial loss.

[Figure 3: Advertisement for Botnet Services4 (image not reproduced).]

Price | Duration (Hours) | Bandwidth (Mbps)
$20 | 2 | 45
$30 | 6 | 45
$50 | 12 | 45
$70 | 24 | 45
$75 | 24 | 100
$100 | 24 | 1,000
$250 | 24 | 1,000
$400 | 5 | 5,000
$600 | 168 | 1,000
$900 | 24 | 4,750
$1,000 | 24 | 4,750
$5,500 | 168 | 4,750
$6,000 | 168 | 4,750

Table 1: Botnet Rental Pricing4


Using the survey data (Figures 1 and 2) a conservative estimate of the number of high-impact DDoS events (events resulting in outages of at least 2 hours) is shown in Figure 4. The figure shows the expected number of outages (ranging from 2 hours to over 24 hours) that a typical IDC will experience over a three year period. A period of three years is used because ROI is generally based on a three year time frame.

The cost of outages due to DDoS attacks is comprised of operational costs and revenue impacts. Lower-impact and lower-duration attacks may result only in added operational costs. Higher impact attacks will also negatively affect revenues as business operations are partially or fully impaired. For Internet data centers, the elements contributing to the overall cost of DDoS consist of some or all of the following:

• Personnel time spent addressing and recovering from the outage.
• Incremental help desk expenses.
• Lost sales.
• Customer credits and refunds.
• Lost employee productivity.
• Cost of customer defections and lost or missed sales.
• Degradation of reputation resulting in higher customer acquisition costs and a lower rate of business growth.

The specifics of how outages result in financial losses vary with the type of business. Businesses that are transactional in nature, such as ecommerce, suffer loss as the result of lost sales that are not made up later and lost future business as customers go to alternative suppliers on an ongoing basis. Other IDC-based businesses are service or utility-based such as hosting services (Web, email, communications). Financial losses for these businesses result from issuing customer credits, non-renewal and early termination of contracts and lost future business. Finally, enterprises with IDCs supporting business-critical functions experience financial losses as a result of lost productivity, lost sales and recovery costs.

A generic approach to calculating cost regardless of business type can be based on the annual company revenue and the percent dependence of the business on the IDC. Some businesses, such as ecommerce, are effectively closed when their IDC is unavailable while other businesses can partially function during IDC outages. However, for virtually all businesses, the impact of an outage increases exponentially with the length of the outage. For example, 40% of businesses surveyed reported that a 72 hour outage would put their survival at risk.5 Such impacts that extend beyond the period of the outage itself can be accounted for as lost future business. Table 2 below illustrates this generic approach to estimating the cost of DDoS induced outages using an example of a business fully reliant on its IDC and with $50M in annual revenue.

[Figure 4: Modeling the Financial Impact of Attacks. Bar chart; y-axis: Expected Number of Attacks Over Three Years (0.0 to 2.0); one bar per duration class: 2-6 Hours, 6-12 Hours, 12-24 Hours, 24+ Hours. The plotted values are the expected counts tabulated in Table 3.]


Attack Duration (Hours) | Operations (# hours x # staff x cost/person/hour) | Help Desk (# hours x calls/hour x cost/call) | Lost Current Revenue (enterprise revenue per hour x outage duration) | Loss of Future Business (present value of 1 year lost growth x % business loss) | Total Cost per Attack
2-6 | 4 x 4 x $75 | 4 x 25 x $20 | $50m/8760 x 4 | 0% x $50m x 2.49 | $26,031
6-12 | 9 x 4 x $75 | 9 x 25 x $20 | $50m/8760 x 9 | 0% x $50m x 2.49 | $58,570
12-24 | 18 x 4 x $75 | 18 x 25 x $20 | $50m/8760 x 18 | .25% x $50m x 2.49 | $428,390
24+ | 30 x 4 x $75 | 30 x 25 x $20 | $50m/8760 x 30 | .5% x $50m x 2.49 | $817,773

Table 2: Modeling Cost of Outages Due to DDoS

Attack Duration (Hours) | Expected Number of Attacks Over 3 Years | Cost per Attack | Expected Cost Over 3 Years
2-6 | 1.9 | $26,031 | $49,459
6-12 | 1.4 | $58,570 | $81,998
12-24 | 0.9 | $428,390 | $385,551
24+ | 0.3 | $817,773 | $245,320
TOTAL EXPECTED COST | | | $762,327

Table 3: Three Year Expected Cost of DDoS Attacks

Combining the DDoS attack risk profile with attack cost estimates produces the expected cost over three years, as shown in Table 3.

This cost can now be compared to the alternative of investing in a high quality DDoS defense system, which can be expected to eliminate the extraordinary expenses of dealing with DDoS attacks through traditional methods (e.g., black holing customer traffic, removing domains, etc.). The cost of an effective DDoS protection system is generally a function of mitigation capacity—that is, how much attack traffic the device can handle. This example assumes that a system capable of mitigating 2.5 Gbps is sufficient and can be purchased for $100K. Annual ongoing ownership costs (e.g., support, maintenance, internal operations, etc.) are about 25% of the purchase price.

Using the data above, Table 4 shows the final results of the three year net present value (NPV) and ROI of the investment (not including residual value of the equipment).

Choice of the DDoS protection solution matters. As explained in Arbor Networks’ white paper entitled “The Growing Need for Intelligent DDoS Mitigation Systems”, traditional perimeter security products, such as firewalls and intrusion prevention systems (IPS), are unable to address the DDoS threat to availability. To realize the projected benefits of deploying a DDoS defense solution, due diligence is needed on the part of the technical staff when selecting a solution.

ROI
Initial Investment | $100,000
Year 1 Return—Ownership Costs | $229,109
Year 2 Return—Ownership Costs | $229,109
Year 3 Return—Ownership Costs | $229,109
NPV (@10% Discount Rate) | $427,054
ROI | 587%
Payback | 5.2 Months

Table 4: NPV and ROI of a DDoS Defense Solution


Modeling Risk
In addition to modeling the best estimate of ROI as shown above, it is also useful to model the upside and downside risks of investing in DDoS protection. In a McAfee survey of enterprises representing a variety of business sectors, respondents estimated on average that 24 hours of downtime from cyber attack would cost their organization $6.3M [3]. In short, organizations have a strong financial interest in protecting against losses that result from major attacks.

Figure 5 uses the example model from the previous section to show the breakeven point and financial sensitivity for protecting specifically against the risk of major attacks that result in extended outages (24+ hours). The graph depicts the three year cost of extended outages as a function of attack frequency and compares that to the fixed three year cost of DDoS protection. The breakeven point in this case is a frequency of one major outage every 15 years. Also significant is the difference between the upside and downside risk. The graph shows that the cost of not being able to effectively address DDoS attacks rises very steeply as frequency goes up; thus, the cost exposure of underestimating attack frequency is very high. In contrast, if the actual frequency is less than expected, the cost exposure of having overinvested in DDoS protection is gradual, bounded by the amount invested and further offset by the benefits of being able to mitigate shorter duration attacks. Finally, the graph illustrates how the investment in DDoS protection replaces a highly uncertain and steep cost curve with a flat, predictable and relatively low cost curve. This is clearly a more desirable operating model for financial managers.

Figure 5: Three Year Cost of Major Attacks Causing Outages of 24 Hours or More (three year cost from $0 to $3,000,000 plotted against attack frequency: never, 1 event per 20, 15, 10, 5 and 3 years, and 1 event per year)
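The arithmetic behind Tables 2 through 4 and the breakeven reading of Figure 5, as an added worked example in Python; this is not code from the white paper. It takes the page's inputs as given: $50M annual revenue, 4 operations staff at $75/hour, 25 help-desk calls per hour at $20 each, a 2.49 present-value multiplier for lost growth, the expected attack counts of Table 3, a $100K system with 25% annual ownership cost and a 10% discount rate. The fixed three year protection cost used for the breakeven (purchase price plus three years of ownership) is an assumption. Two checks a reviewer of such a model should make are built in: recomputing the 24+ hour row gives $817,733 (Table 3's $245,320 is 0.3 x 817,733), and the page's $427,054 NPV is reproduced only when every cash flow, the initial outlay included, is discounted from period 1, which is the convention of spreadsheet NPV() functions; placing the outlay at time zero gives about $469,761.

```python
"""DDoS outage cost, expected cost, ROI and breakeven model.

Added worked example reproducing the page's Tables 2-4 and Figure 5 from the
stated inputs; this is not code from the white paper.
"""
from dataclasses import dataclass

ANNUAL_REVENUE = 50_000_000             # $50M/year IDC-hosted business
HOURS_PER_YEAR = 8760
OPS_STAFF, OPS_RATE = 4, 75             # operations staff on the incident, $/person/hour
CALLS_PER_HOUR, COST_PER_CALL = 25, 20  # help desk load during an outage
FUTURE_VALUE_MULTIPLIER = 2.49          # present value of one year of lost growth
YEARS = 3


@dataclass(frozen=True)
class Band:
    label: str
    hours: int               # representative outage length used in Table 2
    future_loss: float       # fraction of annual revenue lost as future business
    expected_attacks: float  # expected count over three years (Table 3)


# Duration bands exactly as Tables 2 and 3 give them.
BANDS = (
    Band("2-6", 4, 0.0, 1.9),
    Band("6-12", 9, 0.0, 1.4),
    Band("12-24", 18, 0.0025, 0.9),
    Band("24+", 30, 0.005, 0.3),
)


def cost_per_attack(band: Band) -> float:
    """Table 2: operations + help desk + lost current revenue + lost future business."""
    operations = band.hours * OPS_STAFF * OPS_RATE
    help_desk = band.hours * CALLS_PER_HOUR * COST_PER_CALL
    lost_revenue = ANNUAL_REVENUE / HOURS_PER_YEAR * band.hours
    lost_future = band.future_loss * ANNUAL_REVENUE * FUTURE_VALUE_MULTIPLIER
    return operations + help_desk + lost_revenue + lost_future


def expected_cost(bands=BANDS) -> float:
    """Table 3: probability-weighted cost over three years."""
    return sum(b.expected_attacks * cost_per_attack(b) for b in bands)


def roi_model(investment=100_000, ownership_rate=0.25, discount=0.10) -> dict:
    """Table 4: annual return = avoided attack cost per year minus ownership cost."""
    annual_return = expected_cost() / YEARS - ownership_rate * investment
    flows = [-investment] + [annual_return] * YEARS
    # Spreadsheet NPV() convention: every flow, the outlay included, discounted from period 1.
    npv_spreadsheet = sum(f / (1 + discount) ** (t + 1) for t, f in enumerate(flows))
    # Textbook convention: the outlay is paid at time zero and is not discounted.
    npv_t0 = flows[0] + sum(f / (1 + discount) ** t for t, f in enumerate(flows[1:], 1))
    return {
        "annual_return": annual_return,
        "npv_spreadsheet": npv_spreadsheet,
        "npv_t0": npv_t0,
        "roi": (annual_return * YEARS - investment) / investment,
        "payback_months": investment / annual_return * 12,
    }


def breakeven_years(investment=100_000, ownership_rate=0.25) -> float:
    """Figure 5: interval between 24+ hour outages at which three years of such
    losses equal the fixed three year protection cost. Taking that fixed cost as
    purchase price plus three years of ownership is an assumption."""
    fixed_cost = investment + ownership_rate * investment * YEARS
    major = next(b for b in BANDS if b.label == "24+")
    events_per_year = fixed_cost / (YEARS * cost_per_attack(major))
    return 1 / events_per_year


if __name__ == "__main__":
    for b in BANDS:
        print(f"{b.label:>6} h  ${cost_per_attack(b):>12,.0f} x {b.expected_attacks}")
    print(f"expected 3-year cost  ${expected_cost():,.0f}")
    for key, value in roi_model().items():
        print(f"{key:>16}: {value:,.3f}")
    print(f"breakeven: one major outage every {breakeven_years():.1f} years")
```

Run as a script it prints the per-band costs, the three year expected cost, the ROI figures under both discounting conventions and the breakeven interval, which with these inputs comes out at roughly one major outage every 14 years, in the region where the two curves of Figure 5 cross. The steepness the page describes is visible in `cost_per_attack`: the lost-future-business term is zero for short outages and dominates once an outage passes 12 hours, so the loss curve is driven almost entirely by how often the long outages happen.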


Conclusion
DDoS attacks on Internet data centers (IDCs) are common and pose a risk to the financial health and stability of IDC-based businesses.

Modeling costs and risks of these attacks provides a useful tool for evaluating the benefits of investing in sound DDoS protection. Arbor Networks has been protecting Internet-based businesses from DDoS longer than any other vendor and is the clear market leader.

For more information and tools visit Arbor Networks at www.arbornetworks.com or contact Arbor at www.arbornetworks.com/contact.

References
1 Worldwide Infrastructure Security Report, Arbor Networks, January 2010.
2 The Trends and Changing Landscape of DDoS Threats and Protection, Forrester Consulting, July 2009.
3 In the Crossfire: Critical Infrastructure in the Age of Cyber War, Authors: Stewart Baker, distinguished visiting fellow at CSIS and partner at Steptoe & Johnson; Shaun Waterman, writer and researcher, CSIS; George Ivanov, researcher, CSIS; McAfee, 2010.
4 Modeling the Economic Incentives of DDoS Attacks: Femtocell Case Study, Vicente Segura and Javier Lahuerta, Department of Network and Services Security, Telefonica I+D.
5 Ontrack—2001 Cost of Downtime Survey Results, 2001.

Corporate Headquarters
76 Blanchard Road
Burlington, MA 01803 USA
Toll Free USA +1 866 212 7267
T +1 781 362 4300

Europe
T +44 207 127 8147

Asia Pacific
T +65 6299 0695

www.arbornetworks.com

©2012 Arbor Networks, Inc. All rights reserved. Arbor Networks, the Arbor Networks logo, Peakflow, ArbOS, How Networks
Grow, Pravail, Arbor Optima, Cloud Signaling, ATLAS and Arbor Networks. Smart. Available. Secure. are all trademarks of
Arbor Networks, Inc. All other brands may be the trademarks of their respective owners.

WP/DDoSPROT/EN/0612
Arbor White Paper

Protecting IP Services
from the Latest
Trends in Botnet
and DDoS Attacks
Global Insights, Detection Strategies
and Mitigation Methods
About Arbor Networks
Arbor Networks, Inc. is a leading provider of network
security and management solutions for enterprise and
service provider networks, including the vast majority
of the world’s Internet service providers and many of the
largest enterprise networks in use today. Arbor’s proven
network security and management solutions help grow
and protect customer networks, businesses and brands.
Through its unparalleled, privileged relationships with
worldwide service providers and global network operators,
Arbor provides unequalled insight into and perspective on
Internet security and traffic trends via the ATLAS® Active
Threat Level Analysis System. Representing a unique
collaborative effort with 230+ network operators across
the globe, ATLAS enables the sharing of real-time security,
traffic and routing information that informs numerous
business decisions.
Arbor White Paper: Protecting IP Services from the Latest Trends in Botnet and DDoS Attacks

DDoS Attack and Botnet Trends


Distributed denial of service (DDoS) attacks first made the news in February 2000
and have maintained a high media profile ever since—a fact made evident by the
following headlines:

“Amazon.com, eBay, Yahoo Crippled by DoS Attacks” — February 2000
“Massive DDoS Attack Hits Internet DNS Root Servers” — October 2002
“MyDoom Becomes the Internet’s Fastest Spreading Worm Ever” — January 2004
“Top Threats in 2006: SQL Slammer & Blaster Worm” — October 2006
“Storm Worm Rages Through Internet Over the Weekend” — January 2007
“Cyber Attacks on Estonia” — May 2007

Victims of these crippling and widespread Internet-based attacks include Internet service providers (ISPs), enterprises and broadband subscribers alike. To make matters worse, Internet service subscribers are often unknowing participants in the proliferation and execution of many such attacks. This occurs when hackers covertly pirate subscribers’ high-speed connections and compromise their PCs—turning them into zombies that form a huge army of malicious botnets. Remotely controlled by hackers, these botnets wreak havoc throughout the Internet by executing all kinds of malware and DDoS attacks. According to a recent study from Arbor Networks entitled “Worldwide Infrastructure Security Report, Volume III” (www.arbornetworks.com/report), botnets and DDoS attacks are the top concerns of today’s Internet service providers. Together with large-scale malware, these threats can severely compromise an ISP’s core equipment, resources and business-critical IP services.

Emerging technologies introduce additional vulnerabilities that put today’s networks at even greater risk of security threats. Service providers around the world, eager to obtain the operational and competitive advantages of new technical innovations, are accelerating their deployment of networks built on high-speed fiber optics and IP-based services, such as MPLS, IPTV, VoIP and VPN.

Although there clearly is a broad range of benefits available from these new networks and services, there is an equally broad range of security threats that can seriously curtail or even wipe out those benefits. Service providers recognize that if they are to realize the promise of next-generation IP-based services, they must understand the nature and power of their cyber-enemies. Armed with this knowledge, providers can deploy the necessary solutions designed to defend their networks and services from the threats that are out there today—and the ones that surely will emerge in the future.

Deliberate attacks on service provider networks are, and will continue to be, a major headache for ISPs and their customers. The U.S. Federal Bureau of Investigation (FBI) estimates that computer crime costs American companies alone a staggering $62 billion a year.

For each of the last three years, Arbor Networks has conducted a survey of service providers in North America, Europe and Asia to determine their experiences with security threats. This section provides subjective data from this survey (Worldwide Infrastructure Security Report, Volume III) in conjunction with objective findings from the Arbor Security Engineering and Response Team (ASERT), a world-renowned group of security engineers and researchers dedicated to monitoring Internet threats on a 24/7 basis. ASERT mines and correlates up-to-the-minute global security data, continually analyzing it to detect and qualify developing Internet threats.


Figure 1: Largest Bandwidth Attacks Reported (largest reported attack in Gbps, on a scale of 10 to 100 Gbps, for each year from 2002 through 2011)

Source: Arbor Networks, Inc.

DDoS Attacks Continue to Grow in Size and Frequency
According to data received from the survey, there has been a 140 percent increase in the size of the largest detected DDoS attack over the last three years. In 2007, the largest observed sustained attack was 24 Gbps, compared to 17 Gbps in 2006. Thirty-six percent of the surveyed ISPs reported that they had observed attacks of over 1 Gbps in 2007. This is significant because most Internet backbone links are 10 GB and enterprise circuits are multi-gigabit in size.

Additionally, Arbor research conducted from September 2006 through August 2007, a period of 321 days, revealed that there were 362,394 DDoS attacks—an average of 1,128 attacks per day.

DDoS Attack Protocols
When asked in the survey “Which protocols were being used for the largest attacks, considering both packets-per-second (pps) and bits-per-second (bps)?” the responses were:

Largest Attacks (bps): Forty-three percent of the attacks were UDP floods (e.g., Smurf attacks or ICMP floods), 19 percent were application attacks (e.g., sending malformed DNS packets or opening excessive HTTP connections) and 18 percent were TCP SYN attacks.

Largest Attacks (pps): Forty-one percent of the attacks were UDP floods, 26 percent were TCP SYN attacks and 17 percent were application attacks.

Statistical data recently released by ASERT matches some of the survey responses:

Attack Subtype    | Percent of Total Attacks
TCP SYN           | 15.53
IP Fragment       | 14.41
TCP Reset         | 6.45
Private IP Space  | 1.22
IP NULL Protocol  | .78
TCP NULL Flag     | .57
DNS               | .23


ASERT continues to see dramatic activity in this realm, with thousands of attacks occurring daily. Below is an excerpt of ASERT’s analysis of the above statistics.

• Transmission Control Protocol (TCP) attacks continue to dominate the DDoS landscape, being both powerful and easy to launch. Attackers continue to favor this attack for its efficacy against a wide variety of services and hosts, providing both a bandwidth-exhaustion attack as well as a system attack on the host OS and application.

• Although the number of DNS-based attacks (including DNS reflective amplification attacks) has increased, these attacks still have not grown to the level of popularity of common vectors, such as IP NULL protocol attacks.

• Despite the relatively low prevalence of DNS-based attacks, there was much concern in the past year about DNS amplification attacks. But aside from a spike in March 2007 when their prevalence matched that of ICMP attacks, DNS attacks have been relatively infrequent. It is hard to say at this time if this is an actual relative prevalence or if this is due to the emerging deployments of sensors capable of classifying and mitigating DNS attacks.

Botnets Are a Top Concern for ISPs
Botnets, a major problem identified by ISPs, continue to plague the Internet. In fact, botnets are considered a growth sector within the attacker underground, with new code bases, uses and operators frequently appearing. For ISPs and network operators, botnets represent a multi-faceted threat. First, they remain a major source of DDoS attacks. Secondly, they have become a serious source of spam email traffic, which burdens the email processing infrastructure of all providers. Finally, the scanning and attack activity of a large botnet can disrupt normal network operations and cause outages. For all these reasons, most ISPs are concerned with large-scale malcode, most commonly embodied in botnets.

Not surprisingly, much of this concern was corroborated by respondents of the survey. When asked “What types of threats are you most concerned with?” botnets and DDoS attacks topped the list. The survey results were:

Primary Concerns: Twenty-nine percent of ISPs said botnets and 24 percent said DDoS.

Secondary Concerns: Thirty-one percent said botnets and 20 percent said DDoS.

ISPs observed that botnets were used for:

• DDoS attacks (71 percent)
• Sending spam (64 percent)
• Parts of phishing systems (37 percent)
• Open proxies (34 percent)
• Storing ID theft information (16 percent)
• Other (6 percent)

According to survey respondents, these new botnets exhibited the following characteristics:

• They were smaller but more targeted, effective and organized.
• They employed protected and deployed encryption, peer-peer and MD5/SHA-1 counter reconnaissance.
• They were distributed in nature, making the attacks more complicated and the location of the master controller more difficult.

Botnet Growth Patterns
Recent ASERT research shows that botnet server lifetimes fall into a very specific pattern commonly referred to as a long-tailed distribution. The data from this research clearly indicates that most botnet servers—nearly 65 percent—are found and disabled within the first day of their operation. This suggests that there are very effective networks for gathering information about new botnets and sharing it with the right network or system operators. It is this communication that leads to disabling the host with the botnet IRC server. Overall, if a botnet is able to make it past the first day, it has a fair chance of surviving for several months or more. Research also shows that some botnets remain active for nearly a year. The fact that known botnets can operate for this long should be a call-to-arms for all ISPs.

Apart from a few bursts of activity, between 10 and 20 new botnet servers are found every day. Factoring in the number of such servers disabled daily, approximately 1500-1800 botnet servers are currently active—a number that is slowly rising. This trend is likely to continue as the number of IRC botnet servers keeps growing for the foreseeable future.


Botconomics: The Underground Economy of Botnets
There are many reasons for a miscreant to initiate a botnet attack. Some attacks have religious or political motivation behind them. Some are simply ego-driven as professional hackers or script kiddies compete to see who can cause the most damage by infiltrating the biggest and most secure sites. With that said, the most serious attacks usually have financial goals in mind. Extortion, stealing money from compromised online bank accounts, luring innocent users to phishing sites, the illegal use of stolen credit cards—these are common results of botnet attacks. In fact, there is an underground economy emerging to support the building, selling and buying of botnet attack tools, an economy that Arbor Networks has coined “Botconomics.™”

Botconomics is fueling the rapid growth of the botnet world. The simple motivation behind the rise in botnets is money. Years ago, hackers had to be technically savvy and know how to write code to initiate an attack or create a botnet. Today, they can buy and sell that code in online markets, which are likened to traditional underground markets. In fact, there are such online communities available to anyone who earns their trust—usually demonstrated by getting a certain quantity of stolen credit cards, bandwidth or email addresses to build street credibility. ASERT has uncovered numerous sites which boldly market their botnets and booty.

Here are some examples of common advertisements and related costs:

Item                     | Range of Prices
.net Domain Names        | $0.05
nasa.gov Domain Names    | $0.05
Proxies                  | $0.50 – $3
Credit Cards             | $0.50 – $5
Email Passwords          | $1 – $350
Email Addresses          | $2/MB – $4/MB
Compromised UNIX Shells  | $2 – $10
Social Security Numbers  | $5 – $7
Mailers                  | $8 – $10
Scams                    | $10/week
Full Identity            | $10 – $150
Bank Accounts            | $30 – $400

Often these disreputable sites advertise their botnets via discreet email campaigns. A recently discovered email touted botnet servers that provided:

• Excellent ping and uptime
• Rotating IP addresses
• Different ISPs
• Intuitive user interface
• Online technical support
• SLAs: 100 percent uptime guarantee!

Botnets and attack code continue to evolve as the cat-and-mouse game between hackers and security vendors reaches new levels. Today’s hackers are even writing code to evade current AV databases, disable auto-update functions and evaluate botnet connectivity speed and availability.


Question & Answer Session

Dr. Craig Labovitz


Why is the number, frequency and intensity of infrastructure threats rising?

Over the last three or four years, the hacker/miscreant community has recognized that it is sometimes far more effective to go after the infrastructure than the end systems. So the attacker targets a particular Web site based on his personal or financial motive. Maybe it’s a gambling or porn site, an online bank or some other cyber community that hasn’t bent to his wishes or paid his [extortion] demand. By actually attacking the infrastructure, whether it be upstream routers, upstream interfaces or even things like the routing protocols, the attacker can be very effective in taking that institution off the network. In fact, that is sometimes easier than trying to attack an individual PC or workstation.

Managed security services is clearly a growth market. Yet some enterprises may be reluctant to outsource their security. Generally speaking, who is best positioned to protect enterprise networks—the service provider or the enterprise itself? Or is the ideal protection an approach based on mutual cooperation between the two?

We are seeing a lot of interest in the latter. If the service provider is your internal network, then it makes sense for the service provider to offer internal security. In fact, there are some things only the provider can do. For example, large bandwidth attacks need to be blocked within the provider’s network. So it does make sense for many of these services to be offered in the cloud, where they can be scalable and provided more effectively.

Are service providers and their customers to be relegated forever to the reactive mode? Or will they at some point be able to take the offense and go after would-be attackers before they attack?

Just like in banking, security is crucial to service providers and their customers. But I don’t walk into my local bank and worry about whether there’ll be some type of event while I’m there. I don’t worry about my money being safe in the bank. It’s not that bank robberies don’t happen, it’s just that there’s enough infrastructure in place that it’s not a daily concern. And I pay for that as a consumer—for the doors, the vaults and all the additional security. It just becomes part of daily life. It’s often said about security that it’s always a trade-off with usability. The Internet is no different.

Today, a large number of folks out there are paying for network security features including DDoS protection, which most major service providers offer. These security features are either built into the basic price or there is a small additional fee. For the most part, it’s mostly a solved problem—at least for the moment. We aren’t seeing major sites like eBay, Yahoo! and Amazon coming under attack today like we did back in 2000. But it’s a cycle, like anything else. We’re entering a period of increased risk now as ISPs deploy advanced new services, next-generation networks, VoIP, convergence and other innovations—giving rise to more sophisticated zombie armies along with increased bot command and control. So the cycle continues.


Multiple Advantages of In-Cloud Security


As botnets and DDoS attacks continue to increase in size, frequency and complexity, they
impact not only their target victims, but also the network infrastructure of ISPs that are,
unfortunately, the conduit for these attacks.

As a result, it is imperative that ISPs have the proper level of cost-effective, pervasive visibility into all network traffic in order to ensure the optimized delivery of next-generation network services. This visibility must penetrate all portions of an ISP network (including its backbone, peering and transit points, and customer aggregation edges) and cover all layers of the communications stack (extending from the physical layer, to routing and ultimately to the application-layer).

But pervasive visibility alone is not enough. ISPs also require intelligent visibility into their networks in order to:

• Determine what’s “normal” versus “abnormal” network activity
• Conduct BGP route analytics for traffic engineering
• Identify the most cost-effective transit/peering relationships
• Analyze customer traffic for new service opportunities
• Detect and mitigate threats before they impact IP services and customers

In this day and age when cyber-crimes and attacks require little expertise, enterprises and ISPs are even more vulnerable to Internet-based threats, such as botnet and DDoS attacks. It also is becoming increasingly obvious that threat detection and mitigation can only be done effectively—both from a cost and performance perspective—from within the service provider’s network. Such “in-cloud” security services can deliver multiple benefits, namely:

Enterprise DDoS Protection
Enterprise customers continue to rely on their ISPs for business-critical functions such as e-commerce, VoIP, B2B connectivity, telecommuting and even back-end systems like CRM (e.g., Salesforce.com). The disruption of these services can have a major impact on business continuity. Many enterprises are also beginning to realize that the high cost and low effectiveness of some in-house security systems do not make sense—specifically in the case of DDoS attacks. Therefore, some enterprises are now taking a “layered” approach and relying on their ISPs for in-cloud DDoS protection services to detect and mitigate such attacks before they jeopardize business continuity.

New Revenue Opportunities for ISPs
While some ISPs have looked at DDoS attacks as a curse, others have seized the opportunity to differentiate themselves and generate new revenue streams from managed security services. In fact, according to Arbor Networks’ Worldwide Infrastructure Security Report, Volume III, the number of surveyed ISPs who offer managed security services jumped from six in 2006 to 40 in 2007. Below are some examples of in-cloud DDoS protection services being offered by various service providers around the world today:

• Belgacom: Clean Internet Services
• British Telecom (BT): Managed DDoS Services
• Cable & Wireless: Anti-Distributed Denial of Service and Secure Internet Gateway/DDoS Protection
• COLT: IP Guardian
• Rackspace: PrevenTier
• SAVVIS: Network-Based DDoS Mitigation
• TELUS: Managed DDoS Prevention
• The Planet: Peakflow® DDoS Detection
• Verizon Business: DoS Defense Detection and Mitigation

IP Service Assurance for ISPs
In-cloud DDoS detection and mitigation capabilities are not only new managed service opportunities for an ISP, but they also serve as network infrastructure protection systems that help maintain the quality of business-critical services, such as BGP routing, DNS and Triple Play. Specifically in the case of Triple Play services, ISPs must maintain a minimum quality of service (QoS) and reliable performance or risk losing their customers to the competition. Botnet and DDoS attacks can dramatically impact the performance and customer-perceived quality of these services. It is imperative, therefore, that ISPs have the means to provide in-cloud security services that can quickly detect and mitigate network-based threats.


The Best Defense: Anticipating and Mitigating Attacks


With their networks and services under constant attack by an ever-growing rogue’s gallery of spammers, phishers, bot herders and other miscreants, service providers must invest more and more resources to secure their networks, reputations and profits.

To better understand and visualize complex networks, advanced security solutions such as Peakflow SP (“Peakflow SP”) use relational modeling to learn about a wide range of relationships on the network. Rather than taking the traditional approach of studying traffic only at a single point in the network, these solutions build an internal model of normal network conversations between/among many different network participants, including customers, departments, partners, peers or even the Internet as a whole. After determining the “normal” state of network operations, these security solutions apply various types of algorithms to detect any anomalies in the network.

Built-in anomaly detection capabilities enable solutions such as Peakflow SP to evaluate potential threats against a service provider’s or enterprise’s unique network baseline, virtually eliminating false alarms and making fast, accurate determinations. In addition, because these solutions are constantly learning, they do not require the same levels of tweaking and configuration that characterize many networking and security technologies. With extensive visibility, service providers and large enterprises can make informed decisions about whether they need to increase network capacity—or whether they can delay infrastructure investments and lower costs by recovering bandwidth on the existing network. Having deep visibility into network resources also helps service providers gain the insight needed for performing traffic planning, making peering arrangements, conducting market-to-market analyses and analyzing routing patterns.

Multiple Methods of Threat Detection and Mitigation
The Peakflow SP platform is a comprehensive threat management solution capable of detecting, mitigating and reporting on many types of network threats. The Peakflow SP solution has the ability to detect attacks based on the following methods:

Misuse
Peakflow SP can be configured to detect high packet rates for specific types of network traffic, such as DNS, ICMP, IP fragments, IP null packets, TCP NULL, RST and SYN frames. Many DDoS attacks utilize these vectors to saturate or bring down circuits, servers or other IP services.

Abnormal Behavior
By profiling normal traffic levels, Peakflow SP can detect anomalous traffic shifts in the network. Consequently, service providers can detect availability threats before they impact a customer’s service.

Attack Fingerprints
The Arbor Security Engineering and Response Team (ASERT) conducts threat analysis on a global basis. One of the by-products of ASERT’s research is attack “fingerprints.” These fingerprints are the specific network behavioral patterns that individual attacks exhibit on the wire. Once these fingerprints are loaded into the Peakflow SP product, they become active security policies and can alert network operations and security personnel to violations.

BGP Hijacking
Sometimes referred to as “IP hijacking,” BGP hijacking is the illegitimate take-over of groups of IP addresses by corrupting Internet routing tables. BGP hijacking is sometimes used by malicious users to obtain IP addresses for spamming or launching a DDoS attack.

Dark IP Space Monitoring
Peakflow SP considers any traffic that it sees as destined for unallocated dark space as malicious traffic. This traffic includes IP addresses that might perform host and port scans. A significant increase in dark IP traffic could indicate new malware, worms or other threats propagating across the network.
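The misuse, abnormal-behavior and dark IP checks just described, as an added example in Python that runs over constructed one-second flow records. This is not Peakflow SP code: the per-class pps ceilings, the three-standard-deviation baseline rule, the 10.200.0.0/16 "dark" block and every address in the sample are hypothetical. A misuse rule sums packets per destination and traffic class each second and fires on a fixed ceiling; the baseline rule learns each destination's total pps over a learning period and flags later seconds that exceed mean plus three standard deviations; the dark-space rule reports every source that touches the unallocated block, together with the distinct targets it probed.

```python
"""Flow-based detection along three lines: misuse thresholds, baseline deviation and
dark IP space monitoring. Added example over constructed flow records; not Peakflow SP
code, and all thresholds, prefixes and addresses are hypothetical."""
import ipaddress
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    t: int        # one-second bucket the record covers
    src: str
    dst: str
    proto: str    # "tcp", "udp" or "icmp"
    dport: int    # 0 for ICMP
    flags: str    # TCP flags, "" otherwise ("S" = SYN only, "R" = RST, "A" = ACK)
    packets: int  # packets seen in this bucket


# Packets-per-second ceilings a misuse rule fires on (hypothetical values).
MISUSE_PPS = {"tcp_syn": 2000, "tcp_rst": 2000, "icmp": 1000, "dns": 1500}
# Hypothetical unallocated block: nothing legitimate should ever be sent there.
DARK_PREFIXES = [ipaddress.ip_network("10.200.0.0/16")]


def classify(flow: Flow) -> str:
    """Map a flow to the traffic class the misuse rules are keyed on."""
    if flow.proto == "tcp" and flow.flags == "S":
        return "tcp_syn"
    if flow.proto == "tcp" and flow.flags == "R":
        return "tcp_rst"
    if flow.proto == "icmp":
        return "icmp"
    if flow.proto == "udp" and flow.dport == 53:
        return "dns"
    return "other"


def misuse_alerts(flows):
    """Sum packets per (second, destination, class); alert when a class exceeds its ceiling."""
    pps = defaultdict(int)
    for f in flows:
        pps[(f.t, f.dst, classify(f))] += f.packets
    return sorted((t, dst, cls, n) for (t, dst, cls), n in pps.items()
                  if cls in MISUSE_PPS and n > MISUSE_PPS[cls])


def baseline_alerts(flows, learn_until, k=3.0):
    """Learn each destination's total pps from buckets before learn_until, then flag later
    buckets above mean + k*stdev. Only observed buckets enter the baseline, and a flat
    baseline (stdev 0) makes the ceiling equal the mean, so any rise would alert."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f.t, f.dst)] += f.packets
    history = defaultdict(list)
    for (t, dst), n in totals.items():
        if t < learn_until:
            history[dst].append(n)
    alerts = []
    for (t, dst), n in sorted(totals.items()):
        hist = history.get(dst)
        if t < learn_until or not hist:
            continue
        ceiling = statistics.fmean(hist) + k * statistics.pstdev(hist)
        if n > ceiling:
            alerts.append((t, dst, n, round(ceiling, 1)))
    return alerts


def dark_ip_alerts(flows):
    """Traffic toward unallocated space is treated as hostile regardless of volume;
    report each source with the distinct dark targets it touched."""
    hits = defaultdict(set)
    for f in flows:
        if any(ipaddress.ip_address(f.dst) in net for net in DARK_PREFIXES):
            hits[f.src].add(f.dst)
    return {src: sorted(dsts) for src, dsts in hits.items()}


# Constructed sample: six seconds of ordinary web traffic to one server, a scanner
# probing two dark addresses, then a SYN flood from ten sources in second 5.
SAMPLE = [Flow(t, "192.0.2.10", "203.0.113.5", "tcp", 443, "A", n)
          for t, n in enumerate([480, 520, 500, 510, 490, 500])]
SAMPLE += [Flow(2, "198.51.100.77", "10.200.3.4", "tcp", 22, "S", 1),
           Flow(3, "198.51.100.77", "10.200.9.9", "tcp", 22, "S", 1)]
SAMPLE += [Flow(5, f"198.51.100.{i}", "203.0.113.5", "tcp", 80, "S", 400)
           for i in range(1, 11)]

if __name__ == "__main__":
    print("misuse:  ", misuse_alerts(SAMPLE))
    print("baseline:", baseline_alerts(SAMPLE, learn_until=5))
    print("dark IP: ", dark_ip_alerts(SAMPLE))
```

In the sample the SYN flood in second 5 trips both the misuse rule (4,000 SYN pps against a 2,000 ceiling) and the baseline rule (4,500 total pps against a learned ceiling of about 542), while the scanner is visible only through its two dark-space probes; that is the point of dark IP monitoring, where the volume is negligible and the destination alone is the signal.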


Once Peakflow SP detects an attack, the solution offers multiple The FSA allows ISPs to easily share fingerprint information
methods of mitigation, such as: with each other using their Peakflow SP products. The objective
is to stop the proliferation of attacks as close to their source
Access Control Lists as possible. When a peer Autonomous System Number (ASN)
Peakflow SP can generate an access control list (ACL) for shares an attack fingerprint, ISPs can either accept the finger-
an attack with unique characteristics that can be defined using Layer 3-4 access controls. The ACL can then be manually entered into key routers to mitigate an attack.

Black-Hole Routing
Peakflow SP can easily be integrated into the BGP routing environment of any network. Peakflow SP can be configured to conduct BGP black-hole routing or off-ramping for an attack that must be dropped at the peering edge of the network. All traffic to the destination host or network is null-routed or sent to a next hop for inspection.

BGP Flow Spec
BGP flow spec provides a way to populate traffic filters through the BGP control plane. Peakflow SP can leverage routers with flow spec capabilities by transferring records over a BGP session between Peakflow SP and the routing infrastructure. ISPs can use flow spec to create a firewall or access control type functionality to IP-reachable resources within the network. This allows ISPs to surgically and dynamically provide filters to specific routers in the network through well-known control channels.

Third-Party Mitigation
Peakflow SP can be configured to off-ramp network traffic to a filtering device. Currently, Peakflow SP only supports Cisco Guard.

Fingerprint Sharing
One of the most unique features in the Peakflow SP solution is something called “fingerprint sharing.” Fingerprints are network behavioral patterns of known or emerging threats. These fingerprints are created by ASERT and distributed to Peakflow SP customers via a service called Active Threat Feed (ATF). Since DDoS attacks can traverse multiple service provider networks, Arbor created and helps facilitate an inter-service provider group called the Fingerprint Sharing Alliance (FSA).

print or reject it. If ISPs accept the fingerprint, they can monitor any alerts that generate from that fingerprint. This will reveal any matches to the network behavioral traffic patterns seen and reported by Peakflow SP. ISPs can then choose to mitigate that traffic using the various mitigation techniques that Peakflow SP makes available to them.

The Triple Threat to Triple-Play Success
Although the deepest possible visibility into network resources has always been vital to service providers, it promises to become even more so as ISPs migrate their networks to IP/MPLS-based infrastructures and execute on their triple-play voice/video/data strategies. In fact, service providers face a major threat to their ability to deliver the triple play.

The above-mentioned mitigation techniques are quick, cost-effective ways to stop an attack and/or reduce the collateral damage associated with an attack. However, in many cases these techniques also complete the attack by taking the target address(es) offline. The best way to stop an attack is to remove only the attack traffic while allowing the legitimate traffic to continue to flow. This is often referred to as scrubbing or surgical mitigation.

The Peakflow SP Threat Management System (Peakflow SP TMS) augments the network-wide situational awareness of the Peakflow SP platform with application-layer attack detection and surgical mitigation.
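The black-hole routing and BGP flow spec techniques described above both turn an attack description into something the BGP control plane can carry. The following is an added example, not Arbor or Peakflow SP code, that builds both from one constructed attack fingerprint: a remotely triggered black-hole (RTBH) announcement for the victim /32 and an RFC 5575 flow specification NLRI that matches only the attack’s destination, IP protocol and destination port. The victim address, the discard next hop and the sample flood are assumptions; the BLACKHOLE community 65535:666 is the well-known value from RFC 7999, and the byte layout follows RFC 5575.

```python
"""Two BGP-driven mitigations built from one attack description: a remotely
triggered black-hole (RTBH) route and an RFC 5575 flow specification NLRI.
Added example; not Arbor or Peakflow SP code."""
import ipaddress
import struct

# Constructed sample: a UDP/53 flood aimed at one host (hypothetical address).
SAMPLE_ATTACK = {"dst": "192.0.2.10", "proto": 17, "dst_port": 53}

# RFC 5575 flow spec component types used here.
DEST_PREFIX, IP_PROTOCOL, DEST_PORT = 1, 3, 5
BLACKHOLE_COMMUNITY = "65535:666"   # well-known BLACKHOLE community (RFC 7999)


def rtbh_route(attack, discard_next_hop="192.0.2.1"):
    """Black-hole routing: announce the victim /32 with a next hop that the
    routers statically map to a null interface. The next-hop address is an
    assumed value; operators pick their own. Everything to the victim is dropped,
    which completes the attack but protects the rest of the network."""
    victim = ipaddress.ip_network(attack["dst"])   # bare address -> /32
    return {"prefix": str(victim), "next_hop": discard_next_hop,
            "community": BLACKHOLE_COMMUNITY}


def _numeric_eq(value, end_of_list=True):
    """One numeric operator 'equals value' (RFC 5575 section 4). Operator byte:
    bit7 end-of-list, bit6 AND, bits5-4 value length (00=1 byte, 01=2 bytes),
    bit2 lt, bit1 gt, bit0 eq."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("value out of range")
    if value < 256:
        length_bits, payload = 0b00, struct.pack("!B", value)
    else:
        length_bits, payload = 0b01, struct.pack("!H", value)
    op = (0x80 if end_of_list else 0x00) | (length_bits << 4) | 0x01
    return bytes([op]) + payload


def _prefix_component(ctype, address):
    """Type 1/2 component: type, prefix length, then only the significant bytes."""
    net = ipaddress.ip_network(address, strict=False)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def flowspec_nlri(attack):
    """Encode 'dst prefix AND ip-proto AND dst-port' as one flow spec NLRI,
    including the leading length field (1 byte below 240, else 2 bytes).
    Unlike the RTBH route, this drops only the matching flood, so legitimate
    traffic to the victim keeps flowing."""
    body = _prefix_component(DEST_PREFIX, attack["dst"])
    body += bytes([IP_PROTOCOL]) + _numeric_eq(attack["proto"])
    body += bytes([DEST_PORT]) + _numeric_eq(attack["dst_port"])
    if len(body) < 240:
        length = bytes([len(body)])
    else:
        length = struct.pack("!H", 0xF000 | len(body))
    return length + body


def describe(attack):
    """Human-readable form of the filter the NLRI carries (action: discard)."""
    return (f"match dst {ipaddress.ip_network(attack['dst'])} "
            f"proto {attack['proto']} dport {attack['dst_port']} -> discard")


if __name__ == "__main__":
    print(rtbh_route(SAMPLE_ATTACK))
    print(describe(SAMPLE_ATTACK))
    print(flowspec_nlri(SAMPLE_ATTACK).hex())
```

The flow spec NLRI for the sample is twelve bytes: the /32 destination component, the protocol component with a one-byte "equals 17" operator, and the port component with "equals 53"; the traffic-filtering action (discard or rate-limit) travels separately as an extended community and is not encoded here.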

8
Arbor White Paper: Protecting IP Services from the Latest Trends in Botnet and DDoS Attacks

The Peakflow SP TMS device is a critical and fully integrated component of the Peakflow SP solution. Using deep packet inspection (DPI), Peakflow SP TMS provides application-layer insight, alerting and surgical mitigation. It enables service providers to protect their networks from the full spectrum of security threats, including botnets, DNS attacks, DDoS, worms, phishing, spam and spyware, all from a single console. Other key features of the Peakflow SP TMS device include:

Advanced Threat Countermeasures
Peakflow SP TMS can surgically mitigate threats using the following application-layer countermeasures:

• White and Black Lists: Determine if specific hosts are allowed (i.e., white listed) or not allowed to pass through the Peakflow SP TMS device (i.e., put on a black list and scrubbed).
• Detailed Filters: Detect and block traffic that matches user-defined details, such as host/destination IP addresses, port numbers, TCP/UDP header flags, etc.
• HTTP Object and Rate Limiting: Detect and block traffic coming from hosts that exceed user-defined thresholds for the number of HTTP requests/second and HTTP objects downloaded/second.
• Malformed Packets and DNS Authentication: Detect and block traffic that is coming from hosts sending malformed DNS requests, or when DNS authentication does not occur in a specified time period.
• Idle Connection Timeouts and TCP SYN Authentication: Detect and block TCP connections that remain idle for too long, or cannot be authenticated by the Peakflow SP TMS device within a specified timeout.
• Zombie Detection: Detect and block traffic from hosts that exceed a user-defined threshold for packets-per-second (pps) or bits-per-second (bps).
• Baseline Enforcement: Detect and block traffic per managed object (e.g., network interface) that exceeds the normal packet rate or protocol distribution baseline as automatically determined by the Peakflow SP system.

Packet Sampling
The Peakflow SP TMS device can conduct on-demand packet capture and provide limited packet decode.

Stacking
Up to three Peakflow SP TMS 2700 devices can be stacked together, forming a single logical unit that increases the total mitigation capacity to 8 Gbps.

By fusing flow-based network intelligence with deep packet processing, the Peakflow SP TMS device enhances the networkwide visibility of the Peakflow SP platform with more granular, application-level visibility, providing ISPs with application-layer mitigation, security and reporting capabilities.
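Several of the countermeasures listed above (zombie detection, HTTP rate limiting and baseline enforcement) are rate decisions over per-source and per-managed-object counters. The following added example, which is not Peakflow SP TMS code, runs those three checks over constructed one-second flow summaries and combines the results into a black list of sources to scrub plus a list of managed objects whose traffic has departed from baseline. The record format, thresholds, addresses and baseline values are all assumptions chosen for the illustration.

```python
"""Rate-based countermeasures of the kind listed above, applied to constructed
sample flow records. Added example; not Peakflow SP TMS code."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    """One-second summary of traffic from a source toward a protected object
    (constructed format; a real exporter would use NetFlow/IPFIX fields)."""
    ts: int               # second offset
    src: str
    managed_object: str   # e.g. a customer prefix or an interface name
    proto: str            # "tcp", "udp" or "icmp"
    packets: int
    octets: int
    http_requests: int = 0


# Constructed sample: one second of traffic. 198.51.100.7 floods UDP packets,
# 203.0.113.9 hammers HTTP, and the remaining sources are ordinary clients.
SAMPLE = [
    FlowRecord(0, "192.0.2.21", "cust-a", "tcp", 40, 32_000, http_requests=12),
    FlowRecord(0, "192.0.2.22", "cust-a", "udp", 15, 9_000),
    FlowRecord(0, "198.51.100.7", "cust-a", "udp", 90_000, 5_400_000),
    FlowRecord(0, "203.0.113.9", "cust-a", "tcp", 3_000, 900_000, http_requests=2_500),
    FlowRecord(0, "192.0.2.23", "cust-b", "tcp", 35, 30_000, http_requests=8),
]

# Constructed baselines: what "normal" looks like for each managed object.
BASELINES = {
    "cust-a": {"pps": 100, "mix": {"tcp": 0.7, "udp": 0.3}},
    "cust-b": {"pps": 50, "mix": {"tcp": 1.0}},
}


def zombie_detection(records, max_pps=50_000, max_bps=400_000_000):
    """Flag sources whose one-second packet or bit rate exceeds the thresholds."""
    pps, bps = defaultdict(int), defaultdict(int)
    for r in records:
        pps[r.src] += r.packets
        bps[r.src] += r.octets * 8
    return sorted(s for s in pps if pps[s] > max_pps or bps[s] > max_bps)


def http_rate_limit(records, max_requests_per_sec=500):
    """Flag sources issuing more HTTP requests per second than allowed."""
    reqs = defaultdict(int)
    for r in records:
        reqs[r.src] += r.http_requests
    return sorted(s for s in reqs if reqs[s] > max_requests_per_sec)


def baseline_enforcement(records, baselines, pps_factor=5.0, mix_tolerance=0.25):
    """Flag managed objects whose packet rate or protocol distribution departs
    from the learned baseline. Returns {object: [reasons]}."""
    totals = defaultdict(int)
    by_proto = defaultdict(lambda: defaultdict(int))
    for r in records:
        totals[r.managed_object] += r.packets
        by_proto[r.managed_object][r.proto] += r.packets
    findings = {}
    for obj, base in baselines.items():
        reasons = []
        if totals[obj] > base["pps"] * pps_factor:
            reasons.append(f"pps {totals[obj]} > {pps_factor}x baseline {base['pps']}")
        for proto in set(base["mix"]) | set(by_proto[obj]):
            share = by_proto[obj][proto] / totals[obj] if totals[obj] else 0.0
            expected = base["mix"].get(proto, 0.0)
            if abs(share - expected) > mix_tolerance:
                reasons.append(f"{proto} share {share:.2f} vs baseline {expected:.2f}")
        if reasons:
            findings[obj] = reasons
    return findings


def mitigation_plan(records, baselines=BASELINES):
    """Combine the checks: sources to black-list (scrub) and managed objects
    whose traffic departs from baseline (candidates for closer inspection)."""
    blacklist = sorted(set(zombie_detection(records)) | set(http_rate_limit(records)))
    return {"blacklist": blacklist,
            "baseline_findings": baseline_enforcement(records, baselines)}


if __name__ == "__main__":
    print(mitigation_plan(SAMPLE))
```

Note what the per-source checks miss: the flooding source is caught by its packet rate and the HTTP abuser by its request rate, while the two ordinary clients under cust-a are never listed, which is the "surgical" property the text describes. The baseline check works on the managed object rather than on sources, so it fires on cust-a as a whole and stays silent on cust-b.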


Managed DDoS Protection Services

One of the current ISP trends is the rise in capital expenditures (CapEx) and the lowering of operation expenses (OpEx). As capital is being spent on infrastructure build-out and delivery of new services, there is a keen eye on the bottom line. Operating expenses and other costs are being kept to a minimum in order to ensure that these products and services are indeed profitable. Investments must solve multiple business problems and align with company strategies. In other words, purchased products must leverage as much of the ISP’s existing infrastructure and human resources as possible.

Peakflow SP is just such a strategic investment. As it is being used by network operations and security teams for cost-effective, pervasive network visibility, routing/peering analysis, traffic engineering and infrastructure security (e.g., DDoS detection), it can simultaneously be used by product managers to deliver new revenue-generating services, in particular, DDoS protection services. That’s because Peakflow SP has key features such as virtualization capabilities, templates and APIs that allow service providers to share and customize their services for multiple customers—thereby lowering the total cost of ownership and increasing profits. In fact, many of the previously mentioned managed DDoS protection services utilize Peakflow SP and Peakflow SP TMS products.

[Figure 2: screenshot of the customer-facing Web portal (“Powered by Peakflow SP”) login page, with service provider and enterprise views.]
Figure 2: Through a customer-facing, secure Web portal, enterprise customers can access reports and examine traffic patterns inside their service provider’s network.
Source: Arbor Networks, Inc.


Conclusion
With DDoS attacks and other network security threats on the rise, ISPs and large enterprises are more vulnerable than ever before. The Peakflow SP solution provides cost-effective and pervasive visibility into the network. As a complete threat management solution, it enables ISPs to protect their network infrastructures and IP services against the full spectrum of security threats, such as DDoS attacks and botnets. Simultaneously, Peakflow SP can serve as a platform for service providers to offer new in-cloud managed DDoS protection services to their enterprise customers.

Links to related products and services:
• Peakflow SP Data Sheet
• Peakflow SP TMS Data Sheet
• ATLAS™ Global Threat Intelligence
• Arbor Security Blog

Corporate Headquarters
76 Blanchard Road
Burlington, MA 01803 USA
Toll Free USA +1 866 212 7267
T +1 781 362 4300

Europe
T +44 207 127 8147

Asia Pacific
T +65 6299 0695

www.arbornetworks.com

©2012 Arbor Networks, Inc. All rights reserved. Arbor Networks, the Arbor Networks logo, Peakflow, ArbOS, How Networks
Grow, Pravail, Arbor Optima, Cloud Signaling, ATLAS and Arbor Networks. Smart. Available. Secure. are all trademarks of
Arbor Networks, Inc. All other brands may be the trademarks of their respective owners.

WP/IPSERVICES/EN/0612
Arbor White Paper

Layered Intelligent DDoS Mitigation Systems
Why Internet Service Providers are in a Unique Position to Deliver Layered DDoS Attack Protection Services
Arbor White Paper: Layered Intelligent DDoS Mitigation Systems

The Growing and Evolving DDoS Threat

Whether you’re an ISP, a hosting company, a data center operator offering “cloud services,” or all of the above, you are no doubt facing multiple business challenges: increasing competition; corporate pressure to expand market share, ARPU and profitability; shrinking staff size; and reduced CAPEX/OPEX budgets. Today’s business environment is clearly tougher than ever.

Given these challenges, how do you retain existing customers—and attract new ones? One approach is to offer customers more high-valued services, such as managed security. As the size, frequency and complexity of DDoS attacks increase, security and availability are your customers’ top requirements. Further complicating matters, traditional security products, such as firewalls or intrusion prevention systems, are inadequate when it comes to stopping today’s volumetric and application-layer DDoS attacks.

The solution? A layered Intelligent DDoS Mitigation System (IDMS). This paper examines some of the latest DDoS attack trends and provides some best practices when it comes to delivering a layered DDoS protection service that can help maintain availability and security. It also highlights how the Peakflow® SP solution (“Peakflow SP”), Peakflow Threat Management System (“TMS”) and Pravail™ Availability Protection System (“APS”) can provide a comprehensive and layered IDMS solution that extends from the data center to the ISP cloud.

Over the last two years, the term “DDoS attack” has made its way into the public media stream. Today, even non-technical people are aware of the existence and potential impact of such attacks. In years past, DDoS attacks have been dominated by “volumetric” attacks usually generated by compromised PCs that are grouped together in large-scale botnets. Some well-publicized examples include the DDoS attacks against UK-based online betting sites1 where the hackers extorted the gambling firms, and the politically motivated DDoS attacks against the Georgian government.2 This type of DDoS attack is generally high bandwidth and originates from a large number of geographically distributed bots. The size of these volumetric DDoS attacks continues to increase year over year, and they remain a major threat to enterprises and ISPs alike. In fact, according to Arbor’s sixth annual Worldwide Infrastructure Security Report (2010), the largest reported DDoS attack was 100 Gbps—representing a 100% increase over the size of attacks reported the prior year.

1 news.bbc.co.uk/2/hi/technology/4169223.stm
2 www.cnn.com/2009/TECH/08/07/russia.georgia.twitter.attack


[Figure: DDoS attack size over time, 2002 to 2010, in Gbps. Plotted values: 0.4, 1.2, 2.5, 10, 17, 24, 40, 49 and 100 Gbps. Source: Arbor Networks, Inc.]

Not only are attacks increasing in size, but they are also increasing in complexity as new types of DDoS attacks continue to emerge and threaten the availability of Internet-facing businesses and services. Conduct a quick search on the Internet and it’s not difficult to find media coverage regarding online banking, e-commerce and even social media sites that have been victims of application-layer DDoS attacks.

The motivation? Most of the time it’s for financial gain, but other incentives include political “hacktivism” or just plain old ego. And thanks to a growing trend of do-it-yourself attack tools and “botnets for hire,” even a computer novice can execute a successful DDoS attack.

For example, possibly one of the most publicized series of DDoS attacks happened in 2010 when a group of Wikileaks supporters and hacktivists known as “Anonymous” used social media sites to recruit and instruct supporters on how to download, configure and execute an application-layer DDoS attack against several targets (the group called these attacks “Operation Payback”). For those supporters who were not computer-savvy enough to conduct the DDoS attacks themselves, there was an option to “Volunteer your PC for the Cause,” in which case a member of Anonymous would take over the supporter’s PC and make it part of the botnet!

The bottom line: Never before has it been easier to execute a DDoS attack.


Two Classes of DDoS Attacks
Though there are many attack vectors, DDoS attacks can be categorized into two main classes:

• Volumetric Attacks: These are “flooding” type attacks that are designed to saturate and consume network bandwidth and infrastructure. Examples include ICMP, UDP or TCP SYN floods.
• Application-Layer Attacks: These attacks use much less bandwidth than volumetric attacks. They are therefore harder to detect and designed to target specific applications/services where they slowly exhaust resources. Examples include HTTP or DNS attacks.

[Figure: Volumetric and application-layer DDoS attacks. Attack traffic from ISP 1 through ISP n converges through the local ISP on the Internet data center (firewall, IPS, load balancer, target applications and services). Volumetric DDoS impact: saturation of the link; application-layer DDoS impact: exhaustion of service. Attack traffic and legitimate traffic are shown separately.]

Cloud Services and Internet-Facing Data Centers Are at Risk
Today’s IT industry is buzzing with all kinds of information and marketing related to “cloud” services. Once considered esoteric, cloud services are fast becoming part of normal computing environments and are expected to grow in the future. For example, the analyst firm Yankee Group estimates: “Enterprise cloud services generated U.S.$9.2 billion in revenue worldwide in 2010, and forecasts that number to grow to U.S.$22.3 billion in 2014, a CAGR of 30 percent.” 3

But these numbers could be even larger if it weren’t for the security and availability concerns of enterprise customers. The chart on the following page shows the results of a Yankee Group survey that asked enterprises, “What are your five main attributes when choosing a cloud service provider or partner?”

3 2011 Enterprise Cloud Services Forecast: Revolution or Evolution, Cloud Is Moving Fast—January 10, 2011, Yankee Group



[Figure: “Security is a requirement for cloud services.” Bar chart of the percentage of respondents (0 to 70%) naming each attribute when choosing a cloud service provider, with series Private Cloud, Managed and Public Cloud, for the attributes Security, Cost, Service Availability, Customer Support and Vendor Sustainability/Financial Health. Source: Yankee Group.]

As the chart clearly shows, security and availability are major concerns for enterprises. Therefore, it behooves service providers who offer (or plan to offer) cloud services to convince their prospects that they have the ability to secure and maintain the availability of their (and their customers’) business services.

Data centers lie at the heart of every service provider’s cloud service. Not surprisingly, enterprises and Internet data center (IDC) operators are very concerned with the availability of the critical services running in their data centers. But are these concerns warranted? Absolutely. Today’s attackers view Internet-facing data centers as one of the new prime targets and are constantly launching DDoS attacks against these infrastructures for financial gain.

Attackers find Internet data centers attractive for the following reasons:
• The shared resources and multi-tenant nature of IDCs allow attackers to cause much collateral damage. In other words, they get “more bang for the buck!”
• Many times IDCs are running high-profile, mission-critical applications. This makes them ripe targets for extortion. By targeting such data centers, attackers are simply following the old saying “go where the money is.”
• Virtualization is a big part of data centers. This not only brings benefits but also opens up a whole new set of security challenges. For example, how do you get visibility into the virtual environment to protect it from inter-VM (virtual machine) attacks?

[Figure: DDoS driven by financial motivations. A paid attacker directs a botnet across the Internet at a target behind load balancers in an Internet data center; attack traffic and legitimate traffic are shown separately, and the impact spreads to neighbouring targets in the same data center.]



Stopping Volumetric and Application-Layer DDoS Attacks

To Summarize Thus Far
1. Attacks are getting larger (i.e., volumetric attacks are getting bigger).
2. Attacks are getting more sophisticated (i.e., new application-layer attacks or combined volumetric and application-layer attacks are becoming more common).
3. Data center attacks are getting more frequent (i.e., multi-tenant, Internet-facing data centers are becoming the new prime targets for attackers).

With that in mind, today may be the most challenging time ever faced by data center operators and security teams. Fortunately, there are best practices and products such as Intelligent DDoS Mitigation Systems (IDMS) that service providers can rely upon to help maintain the availability and security of their business services.

A Layered Approach and the ISP’s Role
Today’s attacker uses a combination of 1) volumetric and 2) application-layer attacks to execute multi-vector threats. To stop both of these attacks, you need to take a layered approach. That is, you must offer a combination of network-based (in the ISP’s network or “cloud”) and data center-based DDoS attack detection and mitigation.

Industry best practices have proven that:
1. The best place to stop volumetric DDoS attacks is in the ISP’s cloud (via network-based DDoS protection). By the time the attack reaches the data center, it’s usually too late to mitigate because it has already overwhelmed the network infrastructure or security devices (i.e., in-line firewalls and IPS). You must rely on the network-based DDoS protection of your ISP to stop these types of attacks.
2. The best place to perform application-layer DDoS detection and mitigation is in the data-center edge. Because these attacks are usually much smaller than volumetric attacks, they are harder to detect and stop in the ISP’s network. A data center edge-based DDoS protection system gives operators the ability to customize detection and mitigation for the unique applications running in their data center.

Since today’s DDoS attacks require detection and mitigation capabilities both in an ISP’s network and in the data center, it’s easy to see how an ISP can deliver a valuable and comprehensive DDoS protection service to customers. If you are not an ISP, speak with your ISP(s) about how best to deploy such a managed security service. For example, you could take a hybrid approach where the ISP offers network-based DDoS protection for volumetric attacks while the data center operator handles data center-based protection for application-layer attacks.

[Figure: Multiple layers of defense required for comprehensive DDoS protection. Large DDoS attacks are handled in the ISP cleaning center; application-layer attacks are handled at the data center (ISP firewall, firewall, load balancer, IDS/IPS, target applications and services). Attack traffic and legitimate traffic are shown separately.]



Why Firewalls and IPS Fail to Stop DDoS Attacks

Today, many security teams mistakenly rely on traditional security products such as firewall and IPS devices to protect themselves from DDoS attacks. Though these devices are essential elements of the well-known Information Security Triangle that seeks to protect the confidentiality, integrity and availability of data and services, they cannot stop all DDoS attacks. In fact, they can make matters worse. IPS devices, for example, block break-in attempts that cause data theft. Meanwhile, a firewall acts as policy enforcer to prevent unauthorized access to data.

While such security products effectively address network integrity and confidentiality, they fail to address a fundamental concern regarding DDoS attacks—network availability. What’s more, IPS and firewall devices are configured to allow the exact protocols that hackers use for attacks (i.e., TCP port 80). Since they are “stateful”, in-line solutions, these devices are vulnerable to DDoS attacks and often become the targets themselves. The table below provides other reasons why traditional on-premise security products such as firewall and IPS devices do not offer adequate DDoS attack protection.

[Figure: Key elements of an information security strategy. A triangle whose sides are labelled Confidentiality, Integrity and Availability, with Data & Services at its centre.]

Why Existing On-Premise Solutions Fail to Address DDoS Security

Vulnerable to DDoS attacks
• Because these devices are in-line, stateful devices, they are vulnerable and targets of DDoS attacks.
• First to be affected by large flood or connection attacks.

Complicated to use
• Require skilled security experts.
• Demand knowledge of attack types before attacks.

Failure to ensure availability
• Built to protect against known (versus emerging) threats.
• Designed to look for threats within single sessions, not across sessions.

Protection limited to certain attacks
• Address only specific application threats.
• By default, they must allow common attack traffic such as TCP port 80 (HTTP) or UDP port 53 (DNS). Do not handle attacks containing valid requests.

Deployed in wrong location
• Fail to interoperate with cloud DDoS prevention solutions.
• Increase time for response to DDoS.

Incompatible with cloud DDoS protection systems
• Require skilled security experts.
• Demand knowledge of attack types before attacks.



The Solution: Layered Intelligent DDoS Mitigation Systems (IDMS)

The limitations in IPS devices and firewalls reveal the key attributes required in an IDMS solution. An IDMS must be “stateless.” In other words, it must not track state for all connections. A stateful device is vulnerable to DDoS and will only add to the problem. The IDMS solution must also support various deployment configurations; most importantly, it must allow for out-of-band deployments when needed. This deployment flexibility can increase the scalability of the solution, which is a requirement as the size of DDoS attacks continues to increase.

To truly address “distributed” DoS attacks, an IDMS must be a fully integrated solution that supports a distributed detection method. IPS devices leveraging single segment-based detection will miss major attacks. Moreover, an IDMS solution must not depend on signatures created after the attack has been unleashed on the targets; rather, it must support multiple attack countermeasures.

As mentioned previously, a layered approach is recommended to detect and stop both volumetric and application-layer DDoS attacks. Therefore, the ideal IDMS should be able to support both a network-based (in the ISP’s cloud) and a data center-based deployment. In addition, both the ISP cloud-based and data center-based IDMS devices should be able to communicate with each other to coordinate mitigations during a multi-vector attack.

Finally, an IDMS must provide comprehensive reporting and be backed by a company that is a known industry expert in Internet-based DDoS threats.

The table below summarizes the key features of IDMS.

Key Features of an IDMS Solution
• Stateless
• Inline and Deployment Options
• Scalable DDoS Mitigation
• Ability to Stop “Distributed” DoS Attacks
• Multiple Attack Countermeasures
• Comprehensive Reporting
• Support of Both Network and Data Center-Based Deployment, with Active Communication
• Industry Track Record and Enterprise
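The “stateless” requirement above is easiest to see in TCP SYN authentication, which the TMS countermeasure list earlier in this document names as a countermeasure. SYN cookies are the classic stateless way to do it: the responder encodes a counter and a keyed MAC of the connection 4-tuple into the SYN-ACK sequence number and keeps no half-open record, so a SYN flood has no state table to exhaust, while a stateful firewall would allocate an entry per SYN. The following is an added example of that technique, not Arbor’s implementation of SYN authentication; the cookie layout (8-bit counter, 24-bit MAC), the 64-second counter period, the two-tick validity window and all addresses are assumptions chosen for the illustration.

```python
"""Stateless TCP SYN authentication with SYN cookies: everything the responder
needs to validate the third handshake packet lives in the SYN-ACK sequence
number, so no per-SYN state is stored. Added example; not Arbor/TMS code."""
import hashlib
import hmac
import os

SECRET = os.urandom(16)   # per-process key; a real deployment rotates it
COUNTER_PERIOD = 64       # seconds per counter tick (assumed value)


def _counter(now):
    """Coarse time counter that bounds a cookie's lifetime."""
    return int(now // COUNTER_PERIOD)


def _mac24(src, sport, dst, dport, counter, secret):
    """24-bit keyed MAC over the 4-tuple and the counter."""
    msg = f"{src}:{sport}>{dst}:{dport}|{counter}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src, sport, dst, dport, now, secret=SECRET):
    """Initial sequence number for the SYN-ACK: 8-bit counter | 24-bit MAC.
    Nothing is stored; the caller sends this and forgets the SYN."""
    c = _counter(now)
    return ((c & 0xFF) << 24) | _mac24(src, sport, dst, dport, c, secret)


def check_ack(src, sport, dst, dport, ack_number, now, secret=SECRET, window=2):
    """Validate the client's ACK: ack_number must be cookie + 1 for a cookie
    minted within `window` counter ticks. Spoofed SYN sources never see the
    SYN-ACK, so they cannot produce a valid ACK."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    counter_low, mac = cookie >> 24, cookie & 0xFFFFFF
    c_now = _counter(now)
    for age in range(window + 1):
        c = c_now - age
        if c < 0:
            break
        if (c & 0xFF) == counter_low:
            expected = _mac24(src, sport, dst, dport, c, secret)
            return hmac.compare_digest(expected.to_bytes(3, "big"),
                                       mac.to_bytes(3, "big"))
    return False


def simulate(now=1_000_000):
    """Constructed scenario: 10,000 spoofed SYNs that never complete, one real
    client, and one forged ACK. A stateful device would hold 10,000 half-open
    entries; the cookie responder holds none."""
    dst, dport = "192.0.2.10", 80
    for i in range(10_000):               # spoofed SYNs: answer, store nothing
        make_cookie(f"10.0.{i // 256}.{i % 256}", 40_000, dst, dport, now)
    cookie = make_cookie("203.0.113.5", 51_000, dst, dport, now)
    legit = check_ack("203.0.113.5", 51_000, dst, dport, cookie + 1, now + 3)
    forged = check_ack("203.0.113.6", 51_001, dst, dport, 0x12345678, now + 3)
    return {"legit_accepted": legit, "forged_accepted": forged,
            "half_open_entries": 0}


if __name__ == "__main__":
    print(simulate())
```

The trade-off a practitioner should keep in mind: because the responder remembers nothing, TCP options carried in the original SYN (window scale, SACK) are lost unless the cookie encodes them, which real implementations do with a few extra bits; the example leaves that out to keep the stateless property visible.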


[Figure: Arbor Networks’ layered DDoS protection solution. In-cloud DDoS protection: Peakflow SP TMS in the ISP scrubbing center, reached through ISP 1 through ISP n and the local ISP; CPE-based DDoS protection: Pravail APS in the Internet data center in front of the firewall, IPS, load balancer and target applications and services; Cloud Signaling links the two. Attack traffic and legitimate traffic are shown separately.]

Arbor Networks’ Solution for a Layered DDoS Protection Service
Arbor Networks has been in the business of Internet-based threat analysis since 2000. During this time, Arbor has gained a reputation as being an industry leader in botnet/DDoS attack analysis, detection and mitigation. Today, Arbor offers the following network security solutions:

Peakflow® SP solution (“Peakflow SP”) and Peakflow® SP Threat Management System (“TMS”)
Today, a majority of the world’s ISPs rely on Peakflow SP and TMS to help protect their network infrastructure and deliver network-based DDoS protection services to their customers. Together, Peakflow SP and TMS offer an ideal network-based IDMS.

Pravail® Availability Protection System (“Pravail APS”)
To help protect data centers against DDoS attacks, Arbor offers Pravail APS.

Cloud SignalingSM
By combining its solutions, Arbor offers a powerful capability known as Cloud Signaling, which allows a data center-based Pravail APS appliance to actively communicate with a network-based Peakflow SP and TMS deployment—enabling a comprehensive, layered DDoS protection solution. The next few pages highlight some of the key features of each of these products.



In the ISP’s Cloud: Peakflow SP and Threat Management System (TMS)
The combination of Peakflow SP and TMS is the ideal in-cloud IDMS solution for DDoS mitigation. As the first network-based system to extensively integrate carrier-class threat mitigation with threat detection, TMS can stop both volumetric and application-layer attacks without interrupting the flow of legitimate traffic in an ISP’s cloud. The TMS 4000 appliance easily expands from 10 Gbps to 40 Gbps of surgical mitigation for network and application-layer attack countermeasures for HTTP(s), SIP and DNS—enabling it to address the growing and evolving DDoS threat.

The Peakflow SP and TMS solution also offers a large set of reports for comprehensive DDoS attack analysis. Its many features are designed to enable a managed network-based DDoS protection service.

[Figure: Real-time alerting and mitigation dashboard. TMS Mitigation Status screen showing a mitigation’s summary (name, alert, prefix, template, device group, managed object, start and stop time), per-countermeasure status with dropped and passed rates (Invalid Packets, Black/White List, Zombie Detection, TCP SYN Authentication, DNS Authentication, TCP Connection Reset, Payload Regular Expression, Source/24 Baselines, Protocol Baselines, DNS Malformed), pass/drop bps graphs with percent dropped, and the TCP SYN Authentication idle timeout and HTTP Authentication port settings.]

In the Data Center: Pravail Availability Protection System (APS)
Pravail APS focuses exclusively on stopping availability threats such as DDoS attacks. Data center operators can deploy Pravail APS in front of services to stop application-layer attacks and disrupt botnet communications.

With Pravail APS, a data center operator can:
• Detect and block emerging application-layer DDoS attacks.
• Deploy a turnkey solution to stop threats immediately.
• Accelerate responses to DDoS attacks to prevent legitimate services from going down.
• Prevent illegitimate botnet communications by leveraging real-time security intelligence from Active Threat Level Analysis System (ATLAS®).
• Mitigate volumetric attacks by coordinating with Cloud Signaling-enabled providers.

[Figure: Pravail APS application-layer visibility and security.]



[Figure: The bridge between cloud-based and premise-based DDoS protection. Pravail APS in the Internet data center (in front of the firewall, IPS, load balancer and target applications and services) signals the Peakflow SP TMS scrubbing center in the ISP cloud with “Help stop the volumetric attack!”; attack traffic and legitimate traffic are shown separately.]

The Active Link Between the Cloud and the Data Center: Cloud Signaling
Because many volumetric attacks (i.e., those greater than the available bandwidth) cannot be stopped on premise, they require ISPs to mitigate the attacks in their network (in-cloud). At the same time, many cloud-based DDoS services cannot efficiently or quickly detect and stop lower-level application DDoS attacks.

As a result, data center operators need a comprehensive DDoS solution with both cloud and on-premise protection to ensure optimal availability. Cloud Signaling is the glue that binds such a solution.

By facilitating the communication from the on-premise Pravail APS appliance to the cloud-based Peakflow SP and TMS solutions, the data center operator can shorten the time to resolution for DDoS attacks.



Conclusion
There’s no doubt that as DDoS attacks become easier to execute, they will continue to increase in size, frequency and complexity. Though IPS devices and firewalls are effective tools in addressing network integrity and confidentiality, when it comes to DDoS protection, they provide a false sense of security and are inadequate at protecting network availability.

To defend data centers against today’s volumetric and application-layer attacks, one must take a layered approach and deploy Intelligent DDoS Mitigation Systems (IDMS) in both the ISP’s cloud and the data center. This provides ISPs with a unique opportunity to offer their customers a high-valued, comprehensive DDoS protection service. ISPs (or other Managed Security Service Providers) can rely on Peakflow SP, Threat Management System (TMS), Pravail Availability Protection System (APS) and Cloud Signaling capabilities—as well as Arbor’s industry-recognized expertise—to deliver such comprehensive DDoS protection solutions.

For more information about Peakflow SP, TMS and Pravail APS solutions, visit the Arbor Networks Web site www.arbornetworks.com or contact an Arbor representative at www.arbornetworks.com/contact.

WP/IDMS/EN/0612
Arbor White Paper

Why IPS Devices and Firewalls Fail to Stop DDoS Threats
How to Protect Your Data Center’s Availability

About Arbor Networks
Arbor Networks, Inc. is a leading provider of network security and management solutions for next-generation data centers and carrier networks. Arbor’s proven solutions help grow and protect our customers’ networks, businesses and brands. Arbor’s unparalleled, privileged relationships with worldwide service providers and global network operators provide unequalled insight into and perspective on Internet security and traffic trends via ATLAS—a unique collaborative effort with 100+ network operators across the globe sharing real-time security, traffic and routing information that informs numerous business decisions. For technical insight into the latest security threats and Internet traffic trends, please visit our Web site at arbornetworks.com and our blog at asert.arbornetworks.com.

The Growing and Evolving DDoS Threat


As e-commerce continues to proliferate and deliver profitable results, more business is being done online. The growing adoption of online retailing, Internet banking, cloud-based data storage and other commercial services represents a natural evolution of Internet use. For online businesses, however, any downtime can dramatically impact the bottom line. As a result, the growing scale and frequency of distributed denial of service (DDoS) attacks are taking a toll on these businesses. While DDoS attacks may have been driven by non-economic reasons in the past, they now have monetary drivers including extortion, competitive advantage and corporate revenge.

When it comes to DDoS protection, many enterprises and Internet data center (IDC) operators have a false sense of security. They think they have secured their key services against DDoS attacks simply by deploying intrusion prevention system (IPS) devices or firewalls in front of their servers. Unfortunately, such deployments can actually expose these organizations to service outages and irate customers. When business-critical services are not available, enterprises and IDC operators lose money and damage important customer relationships. What’s more, when services are unavailable due to external attacks, it can be sensational and unwelcome front-page news—especially when the damages could have been easily prevented.

This white paper examines why IPS devices and firewalls fail to stop DDoS threats. It also describes how an intelligent DDoS mitigation system (IDMS) offers an ideal solution by enabling a layered defense strategy to combat both volumetric and application-layer DDoS attacks.

During the last few years, DDoS attacks have been dominated by “volumetric” attacks usually generated by Internet bots or compromised PCs that are grouped together in large-scale botnets. Some examples include the DDoS attacks against UK-based online betting sites [1] where the hackers extorted the gambling firms, and the politically motivated DDoS attacks against the Georgian government. [2] This type of DDoS attack is generally high bandwidth and originates from a large number of geographically distributed bots. The size of these volumetric DDoS attacks continues to increase year over year, and they remain a major threat to enterprises and Internet service providers (ISPs) alike.

1 news.bbc.co.uk/2/hi/technology/4169223.stm
2 www.cnn.com/2009/TECH/08/07/russia.georgia.twitter.attack


[Figure: DDoS driven by financial motivations. A paid attacker directs a botnet across the Internet at an Internet data center; attack traffic and legitimate traffic converge on the load balancer in front of the targets, and the impact ($) lands on the targeted services.]

In addition, a new type of DDoS attack has emerged that threatens the business viability of service provider customers. Two days before Christmas in 2009, last-minute shoppers could not access some of the world’s most popular Internet shopping sites including Amazon, Expedia and Walmart. A targeted DDoS attack against UltraDNS, [3] a leading provider of domain name system (DNS) services, took these major retail sites offline. The attack could have dramatically affected the Christmas shopping season and the profitability of these retailers if UltraDNS had not been able to detect and stop the attack very quickly.

This attack revealed the potential impact of DDoS on e-commerce. More importantly, it revealed a new type of “application-layer” DDoS attack that targets specific services and consumes lower bandwidth. These new application-layer DDoS attacks threaten a myriad of services ranging from Web commerce and DNS services to email and online banking.

Enterprises and IDC operators are very concerned with the availability of the critical services running in their data centers. At the same time, attackers view Internet-facing data centers as new prime targets and are launching DDoS attacks to wreak havoc on these companies.

3 www.cnn.com/2009/TECH/12/24/cnet.ddos.attack/index.html


[Figure: Evolution of network and DDoS attacks. Peak attack bandwidth (Gbps) by year: 2002: 0.4; 2003: 1.2; 2004: 2.5; 2005: 10; 2006: 17; 2007: 24; 2008: 40; 2009: 49; 2010: 100.
2002–2003: the typical attack is “host-to-host”; the goal is to exhaust CPU on the server (usually a Web server).
2004–2008: botnets enable “volumetric” attacks against infrastructure (routers, DNS, name servers); in-cloud DDoS protection becomes essential.
2009 and beyond: sophisticated “application-layer” attacks target IDC services and enterprises; a layered defense is required.]

Attackers find Internet data centers attractive for the following reasons:

• The shared resources and multitenant nature of IDCs allow attackers to cause much collateral damage. In other words, they get “more bang for the buck!”

• Many times IDCs are running high-profile, mission-critical applications. This makes them ripe targets for extortion. By targeting such data centers, attackers are simply following the old saying “go where the money is.”

• Virtualization is a big part of data centers. This not only brings benefits but also opens up a whole new set of security challenges. For example, how do you get visibility into the virtual environment to protect it from inter-VM (virtual machine) attacks?

The convergence of volumetric and application-layer DDoS attacks poses a significant threat to online services, and data center operators must be prepared to combat them both.


Why IPS Devices and Firewalls Can’t Stop DDoS Attacks


IPS devices, firewalls and other security products are essential elements of a layered-defense strategy, but they are designed to solve security problems that are fundamentally different from dedicated DDoS detection and mitigation products. IPS devices, for example, block break-in attempts that cause data theft. Meanwhile, a firewall acts as policy enforcer to prevent unauthorized access to data.

While such security products effectively address “network integrity and confidentiality,” they fail to address a fundamental concern regarding DDoS attacks—“network availability.” What’s more, IPS devices and firewalls are stateful, inline solutions, which means they are vulnerable to DDoS attacks and often become the targets themselves.

[Figure: Key elements of an information security strategy. Integrity, Confidentiality and Availability form the three sides of a triangle around Data & Services.]

Why Existing On-Premise Solutions Fail to Address DDoS Security

Vulnerable to DDoS Attacks
• Targets of DDoS attacks.
• First to be affected by large flood or connection attacks.

Complicated to Use
• Require skilled security experts.
• Demand knowledge of attack types before attacks.

Failure to Ensure Availability
• Built to protect against known (versus emerging) threats.
• Designed to look for threats within single sessions, not across sessions.

Protection Limited to Certain Attacks
• Address only specific application threats.
• Do not handle attacks containing valid requests.

Deployed in Wrong Location
• Very close to servers.
• Too close to protect upstream router.

Incompatible with Cloud DDoS Protection Systems
• Fail to interoperate with cloud DDoS prevention solutions.
• Increase time for response to DDoS.


[Figure: IPS devices are not designed to stop DDoS attacks. Botnet attack traffic and legitimate traffic enter the ISP/Internet data center; congestion builds on both sides of the inline IPS, which fails under the load.]

IPS Devices: Part of the DDoS Problem, Not the Solution

IPS devices are normally deployed inline behind firewalls and must inspect every packet for signature matches. As stateful devices, they must also track all connections. These two requirements make IPS devices vulnerable to DDoS attacks and increased network latency.

Let’s examine the full impact of this vulnerability in more detail. IPS devices are deployed inline because they are designed to prevent malware from spreading through a network. But this inline deployment adds to the “attack surface” since the connection tables can be overwhelmed—thus negatively impacting performance.

IPS devices are especially susceptible to well-known vulnerabilities including:

• Flooding: IPS devices depend on resources such as memory and processor power to effectively capture packets, analyze traffic and report malicious attacks. By flooding a network with noise traffic, an attacker can cause the IPS device to exhaust its resources.

• Fragmentation: Hackers can divide attack packets into smaller and smaller portions that evade the IPS device.

Because IPS devices depend on signature-based detection of known threats, they usually miss a new threat because the signature has yet to be developed. They are always playing catch-up to emerging threats.

Network-based IPS devices also use protocol anomaly-based detection, which is not effective in detecting and stopping DDoS attacks. That is because this method of detection does not allow IPS devices to analyze traffic simultaneously across multiple links. As a result, it prevents them from detecting and stopping a true “distributed” DoS attack.

Lastly, because IPS devices are usually deployed inline, they can introduce unacceptable latency in high-capacity networks. The complex algorithms in IPS devices can significantly add to this latency; in addition, the devices can be overwhelmed during packet floods while performing this complicated analysis. Such latency is unacceptable in the high-bandwidth networks of hosting providers and large online enterprises. As a result, IPS devices are simply not effective on very high traffic links.


[Figure: Firewalls can actually be the targets of DDoS attacks. Botnet attack traffic and legitimate traffic enter the ISP/Internet data center; congestion builds on both sides of the inline firewall, which fails under the load.]

Firewalls: Ripe Targets for DDoS Attacks

Like IPS devices, firewalls are designed to solve an important security problem—in this case, policy enforcement to prevent unauthorized data access. To do this job effectively, modern firewalls perform stateful packet inspection—maintaining records of all connections passing through the firewall. They determine whether a packet is the start of a new connection, part of an existing connection or invalid.

But as stateful and inline devices, firewalls add to the attack surface and can be DDoS targets. They have no inherent capability to detect or stop DDoS attacks because attack vectors use open ports and protocols. As a result, firewalls are prone to become the first victims of DDoS as their capacity to track connections is exhausted. Because they are inline, they can also add network latency. And because they are stateful, they are susceptible to resource-exhausting attacks such as Transmission Control Protocol synchronize (TCP SYN) floods and spoofed Internet Control Message Protocol (ICMP) ping floods. Major data center operators do not deploy firewalls in front of services because of this, and there is just no reason to deploy them in front of servers.
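The connection-table exhaustion described above, as an added model written for this page (not Arbor’s or any vendor’s code): a stateful firewall that keeps one half-open entry per SYN is placed beside a stateless monitor that keeps only a per-destination SYN count, and the same traffic is run through both. The server address, client addresses, table capacity and client counts are constructed values.

```python
from collections import Counter
from dataclasses import dataclass, field

TARGET = "198.51.100.10"  # constructed address of the protected server


@dataclass
class StatefulFirewall:
    """Inline stateful device: it allocates one half-open entry per (src, dst)
    pair on a SYN and frees it only when the handshake completes. Once the
    table is full, every new SYN is refused, legitimate or not."""
    capacity: int
    half_open: set = field(default_factory=set)
    refused: int = 0

    def on_syn(self, src: str, dst: str) -> bool:
        key = (src, dst)
        if key in self.half_open:
            return True
        if len(self.half_open) >= self.capacity:
            self.refused += 1
            return False
        self.half_open.add(key)
        return True

    def on_handshake_done(self, src: str, dst: str) -> None:
        self.half_open.discard((src, dst))


class StatelessSynMonitor:
    """Stateless detector: it keeps only a per-destination SYN count for the
    current window, so its memory grows with the number of protected hosts,
    not with the number of sources sending SYNs."""

    def __init__(self, baseline_syns_per_window: int, factor: int = 5) -> None:
        self.threshold = baseline_syns_per_window * factor
        self.counts: Counter = Counter()

    def observe_syn(self, dst: str) -> None:
        self.counts[dst] += 1

    def flagged(self) -> set:
        return {dst for dst, n in self.counts.items() if n > self.threshold}


def simulate(capacity: int = 1000, legit_clients: int = 50,
             flood_sources: int = 5000) -> dict:
    """Run one window: normal clients, then a flood of spoofed sources that
    never finish the handshake, then the same normal clients again."""
    fw = StatefulFirewall(capacity)
    mon = StatelessSynMonitor(baseline_syns_per_window=legit_clients)
    clients = [f"203.0.113.{i % 250 + 1}" for i in range(legit_clients)]

    # Phase 1: ordinary clients open and complete connections; the table
    # never holds more than one entry at a time.
    refused_before = 0
    for src in clients:
        mon.observe_syn(TARGET)
        if fw.on_syn(src, TARGET):
            fw.on_handshake_done(src, TARGET)
        else:
            refused_before += 1

    # Phase 2: spoofed sources (constructed 10.x.y.z addresses) send one SYN
    # each and never complete, so every entry stays half-open until the
    # table is at capacity.
    for i in range(flood_sources):
        src = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        mon.observe_syn(TARGET)
        fw.on_syn(src, TARGET)

    # Phase 3: the ordinary clients return and find the table full.
    refused_during = 0
    for src in clients:
        mon.observe_syn(TARGET)
        if not fw.on_syn(src, TARGET):
            refused_during += 1

    return {
        "table_occupancy": len(fw.half_open),
        "legit_refused_before_flood": refused_before,
        "legit_refused_during_flood": refused_during,
        "monitor_memory_entries": len(mon.counts),
        "flagged_destinations": mon.flagged(),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The monitor needs one counter for the whole flood while the firewall needs one entry per spoofed source, which is the asymmetry the text calls the stateful device’s “attack surface.”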


The Obvious Need for Intelligent DDoS Mitigation Systems (IDMS)

The ideal solution is an IDMS that can stop both volumetric and application-layer DDoS
attacks. It must also be deployable in the ISP network (in cloud) and at the enterprise
or data-center edge.

Key Features of an IDMS

The limitations in IPS devices and firewalls reveal the key attributes required in an IDMS solution. An IDMS must be “stateless,” in other words, it must not track state for all connections. As mentioned earlier, a stateful device is vulnerable to DDoS and will only add to the problem. The IDMS solution must also support various deployment configurations; most importantly, it must allow for out-of-band deployments when needed. This deployment flexibility can increase the scalability of the solution, which is a requirement as the size of DDoS attacks continues to increase.

To truly address “distributed” DoS attacks, an IDMS must be a fully integrated solution that supports a distributed detection method. IPS devices leveraging single segment-based detection will miss major attacks. Moreover, an IDMS solution must not depend on signatures created after the attack has been unleashed on the targets; rather, it must support multiple attack countermeasures.

Finally, the IDMS must provide comprehensive reporting and be backed by a company that is a known industry expert in Internet-based DDoS threats. The key features of IDMS are:

• Stateless
• Inline and Out-of-Band Deployment Options
• Scalable DDoS Mitigation
• Ability to Stop “Distributed” DoS Attacks
• Multiple Attack Countermeasures
• Comprehensive Reporting
• Industry Track Record and Enterprise

IDMS Enables a Layered Defense Strategy

IDMS provides a layered network- and edge-based solution to combat both volumetric and application-layer DDoS attacks. The best place to stop volumetric DDoS attacks is in the ISP cloud (via network-based DDoS protection) because the saturation happens upstream and can only be remediated in the provider’s cloud. The best place to perform application-layer DDoS detection is in the data center or the enterprise edge because the attack can only be detected and quickly stopped at the data center edge.

IDC operators and enterprises should get DDoS protection from upstream providers as well as deploy DDoS protection on premises at the IDC and enterprise edge. This ideal architecture will stop both large “volumetric” and “targeted application-layer” DDoS attacks. IDMS fits perfectly in this ideal architecture.
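An added example of the distributed-detection point above, written for this page rather than taken from any Arbor product: constructed one-minute flow summaries from three ISP ingress links are checked first the way a single-segment device sees them, one link at a time, and then aggregated per destination against the customer’s downstream uplink, which is where the combined traffic saturates. Link names, addresses, rates and capacities are assumed values.

```python
from collections import defaultdict
from typing import Dict, Iterable, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    link: str    # ISP ingress link on which the flow record was exported
    dst: str     # destination address inside the protected data center
    mbps: float  # one-minute average rate, megabits per second


# Constructed sample (assumed values, not measurements): three 10 Gbps ISP
# ingress links, two customer addresses, and an attack toward .10 that is
# spread evenly so that no single link looks saturated.
LINK_CAPACITY_MBPS: Dict[str, float] = {
    "isp-link-a": 10_000, "isp-link-b": 10_000, "isp-link-c": 10_000,
}
CUSTOMER_UPLINK_MBPS: Dict[str, float] = {
    "198.51.100.10": 10_000,  # data center edge behind a 10 Gbps uplink
    "198.51.100.20": 1_000,   # smaller customer behind a 1 Gbps uplink
}
SAMPLE_FLOWS = [
    Flow("isp-link-a", "198.51.100.10", 4_000),
    Flow("isp-link-b", "198.51.100.10", 4_000),
    Flow("isp-link-c", "198.51.100.10", 4_000),
    Flow("isp-link-a", "198.51.100.20", 200),
    Flow("isp-link-b", "198.51.100.20", 150),
]


def single_segment_alerts(flows: Iterable[Flow], link_capacity: Dict[str, float],
                          alert_ratio: float = 0.5) -> Set[Tuple[str, str]]:
    """What a device that sees one link at a time can conclude: traffic toward
    each destination on that link is compared only with that link's capacity."""
    per_link_dst: Dict[Tuple[str, str], float] = defaultdict(float)
    for f in flows:
        per_link_dst[(f.link, f.dst)] += f.mbps
    return {key for key, mbps in per_link_dst.items()
            if mbps >= alert_ratio * link_capacity[key[0]]}


def distributed_alerts(flows: Iterable[Flow], customer_uplink: Dict[str, float],
                       alert_ratio: float = 0.8) -> Dict[str, float]:
    """Aggregate the same records across every link per destination and compare
    the total with the downstream uplink where all of it will converge."""
    totals: Dict[str, float] = defaultdict(float)
    for f in flows:
        totals[f.dst] += f.mbps
    return {dst: mbps for dst, mbps in totals.items()
            if mbps >= alert_ratio * customer_uplink[dst]}


def scrub_shares(flows: Iterable[Flow], dst: str) -> Dict[str, float]:
    """Per-link share of traffic toward an attacked destination: the amount each
    ingress link must divert to the in-cloud mitigation layer, since the edge
    device behind the saturated uplink never receives the excess."""
    shares: Dict[str, float] = defaultdict(float)
    for f in flows:
        if f.dst == dst:
            shares[f.link] += f.mbps
    return dict(shares)


if __name__ == "__main__":
    print("per-link view:", single_segment_alerts(SAMPLE_FLOWS, LINK_CAPACITY_MBPS))
    hot = distributed_alerts(SAMPLE_FLOWS, CUSTOMER_UPLINK_MBPS)
    print("aggregate view:", hot)
    for victim in hot:
        print("divert per link for", victim, scrub_shares(SAMPLE_FLOWS, victim))
```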


[Figure: Multiple layers of defense required for comprehensive DDoS protection. An ISP cleaning center stops large DDoS attacks upstream; inside the Internet data center, the ISP firewall, load balancer, firewall and IDS/IPS sit in front of the target applications and services, where application-layer attacks are handled. Attack traffic and legitimate traffic are shown separately.]

Conclusion
IPS devices and firewalls are effective tools in addressing network integrity and confidentiality. But when it comes to DDoS protection, they provide a false sense of security. That is because they fail to address the fundamental concern regarding DDoS attacks—network availability.

What is more, as stateful, inline tools, IPS devices and firewalls are vulnerable to DDoS attacks, often becoming the targets themselves. By relying on Peakflow SP and TMS, enterprises and IDC operators can deploy an IDMS that provides a layered network- and edge-based solution for combating both volumetric and application-layer DDoS attacks.

For more white papers visit the Arbor Networks Web site at www.arbornetworks.com. For commentary and reports on the latest in network security, visit Arbor’s security blog at asert.arbornetworks.com.

Corporate Headquarters
6 Omni Way
Chelmsford, Massachusetts 01824
Toll Free USA +1 866 212 7267
T +1 978 703 6600
F +1 978 250 1905

Europe
T +44 207 127 8147

Asia Pacific
T +65 6299 0695

www.arbornetworks.com

©2012 Arbor Networks, Inc. All rights reserved. Arbor Networks, the Arbor Networks logo, Peakflow, ArbOS,
How Networks Grow, Pravail, Arbor Optima, Cloud Signaling, ATLAS and Arbor Networks. Smart. Available. Secure.
are all trademarks of Arbor Networks, Inc. All other brands may be the trademarks of their respective owners.

WP/IPS/EN/1012
Arbor White Paper

DDoS Mitigation in a BYOD Architecture
About Arbor Networks
Arbor Networks, Inc. is a leading provider of network
security and management solutions for enterprise and
service provider networks, including the vast majority
of the world’s Internet service providers and many of the
largest enterprise networks in use today. Arbor’s proven
network security and management solutions help grow
and protect customer networks, businesses and brands.
Through its unparalleled, privileged relationships with
worldwide service providers and global network operators,
Arbor provides unequalled insight into and perspective on
Internet security and traffic trends via the ATLAS® Active
Threat Level Analysis System. Representing a unique
collaborative effort with 230+ network operators across
the globe, ATLAS enables the sharing of real-time security,
traffic and routing information that informs numerous
business decisions.
Arbor White Paper: DDoS Mitigation in a BYOD Architecture

Overview

The rapid consumer adoption of tablets, smartphones and other mobile devices creates a new challenge for corporate IT departments. This phenomenon is called “bring your own device” (BYOD). These personally-owned devices must now have some access to corporate assets and resources. They must also be secured and controlled—without the IT department having ownership of them.

Much has been written to help IT departments think through the BYOD trend and plan to support it. IT departments must consider device control, application control, enhanced security, policy management and enforcement and application visibility. Often, however, the primary concern is security. How do IT organizations protect their infrastructure when they don’t own all the mobile devices accessing the network? How can they enforce policies based on location, time of day and other criteria for these consumerized devices? How do they mitigate the risk of distributed denial of service (DDoS) attacks in such an open environment?

A team of security and mobility-focused engineers at Cisco Systems has been working for months to build a customer-focused architecture to test and validate a BYOD solution for major enterprise customers. The lab architecture has been used by Fortune 500 companies and many others to prepare for secure deployments, and lends itself to be customized for unique requirements. While Cisco products and technologies comprise the infrastructure, perimeter defense and most other elements of this architecture, there was nothing available in the Cisco portfolio to mitigate DDoS attacks. Cisco chose the Pravail® Availability Protection System (“Pravail APS”) and Pravail Network Security Intelligence (“Pravail NSI”) solutions from Arbor Networks to provide DDoS mitigation for the BYOD architecture. This white paper provides information on the Cisco reference architecture and deployment of Arbor’s Pravail solutions into the environment.


Challenge
As with any complex extension of the network, planning a BYOD implementation relies
on a solid infrastructure and requires a focus on additional elements.

Wireless Networking and Policy Management

Policies come in many varieties, but in a BYOD world, you need to focus on location-based policy. Specifically, you need a network-based policy that augments the policy applied at the device level. Only then can you answer key questions such as: What resources and data can mobile devices access from different locations? How do you place limits on data access during specific times of the day? And how do you control data going to mobile devices both on the corporate network and remotely?

Security

Security measures fall under three categories: integrity, confidentiality and availability. To ensure integrity, IT must create various trust zones using stateful firewalls to filter unwanted traffic and allow only authorized application traffic. Confidentiality is achieved by encrypting traffic that is passed over public (untrusted) networks. Encrypted connections from public networks need to be terminated on high-performance hardware, then filtered and inspected by the firewalls and IDS/IPS devices. Availability of resources must be ensured during all situations by implementing Intelligent DDoS Mitigation Systems (IDMS). The goal of DDoS attacks is to deny the service under attack to normal users. DDoS attacks require a different approach to defense, one of mitigation rather than isolation. Traffic-blocking often completes the DDoS objective by completely isolating the attacked resource in order to protect it, thereby eliminating its availability from those authorized users.

Mobile Device Management

IT must be able to control which mobile devices access the network and authenticate the devices properly. Various network access control (NAC) technologies are used for this. In a BYOD world, the solution must be successful without installing a client on the user’s device. Policy needs to be applied to the device, regardless of operating system or ownership. Otherwise the device must be identified and quarantined from the internal network.

Network and Application Visibility

IT organizations need visibility into traffic flows and application usage and must establish traffic baselines on the internal network in order to understand normal and atypical activity. Data-flow patterns on a device-by-device basis let you analyze whether a mobile device is accessing authorized data and whether it is propagating that data to unauthorized locations. These technologies rely on Cisco NetFlow data, as well as deep packet inspection (DPI) by dedicated devices.


Solution
The solution to implementing a BYOD infrastructure is architectural, not based on
a single device or approach.

The architecture discussed in this paper is based on Cisco’s Unified Wireless Network solution, which provides an integrated wireless network and policy management; security; mobile device management; and network and application visibility.

The diagram below shows a visual representation of the solution architecture. While Cisco products provide much of the solution and infrastructure, many additional elements are needed to provide a complete solution.

[Figure: BYOD Architecture Reference Topology. The BYOD reference network comprises UCS; ISE; CSM; CUCM; MS CA/AD/DNS/DHCP server; AirWatch MDM and MobileIron MDM; VMWare View (VDI), 4 instances; LMS; WCCP interception; WLC 5508; IronPort WSA; Cat6K GW1; NAM2; MSE; Pravail NSI; ASA 5510 with ASA-SSM-10; Pravail APS; DMZ GW and DMZ; ScanSafe; the Internet; and Cius with VDI/VXI. Legend: personal mobile clients, ScanSafe protected, CAPWAP DTLS, OEAP/HREAP, AnyConnect SSL, AnyConnect + NAM, Jabber, Communicator, and 600/3502/3602 and 7921/7925 devices.]


Architecture Overview

A robust Cisco infrastructure provides the main components of the reference architecture. An Internet gateway or DMZ gateway router provides the connectivity to the public Internet. Cisco Adaptive Security Appliances (ASA) provide stateful firewall and IPS/IDS functionality and terminate all VPN traffic (either IPSEC or SSL VPN).

Firewalls and IPS/IDS devices have built-in resilience to prevent denial of service (DoS) attacks by tracking and blocking atypical connection requests from remote hosts. Distributed denial of service (DDoS) attacks, however, present a new vector that these stateful devices were never designed to combat. DDoS attacks can come from many legitimate sources and may contain normal looking traffic, thus evading the DoS prevention capabilities of the firewalls and IPS/IDS devices. Because the hosts generating DDoS open many legitimate connections through the network, they can easily overwhelm the state table of even the most robust stateful defenses. A device specifically designed to deal with these types of threats is required to protect the rest of the network. Arbor’s Pravail APS appliance provides DDoS mitigation to protect the Cisco ASA and other resources.

A Cisco Catalyst 6500 hosts the network core, providing connectivity to all services and the data center. The Catalyst can also provide direct connectivity to wired devices on the network, or act as an aggregation-layer switch. The Catalyst switch segments the network into VLANs, provides Layer 3 switching between VLANs if necessary and acts as a NetFlow source for collectors on the LAN.

The consumerized devices access the network either through the public Internet or the Unified Wireless Network infrastructure described in the next section of this document. A third-party mobile device manager (MDM) is used to register and control devices allowed onto the corporate network. Specifics on the MDM are outside the scope of this document.

The specific areas of focus in the architecture—wireless networking, security, mobile device management and traffic visibility—are described in the following sections of this document.

[Figure: Unified Wireless Overview. ISE provides RADIUS, profiler and guest portal services alongside the MS CA/AD/DNS/DHCP server. Two SSIDs are broadcast, Internal (data/voice) and Internal Guest, both using PEAP/EAP-FAST/EAP-TLS with WPA2-AES; phones receive QoS Platinum and other devices QoS Silver. VLANs: 10 Internal, 40 Wireless (Data), 50 Wireless (Voice), 60 Wireless (Guest). From the Internet, traffic passes the DMZ GW and the Corp-Firewall (ASA) with SSL VPN termination and IPS into the WLC, with NAM2 (SNMP) and MSE (NMSP) attached; CAPWAP DTLS tunnels reach OEAP/CleanAir access points serving the SECMOB (data/voice) and SECMOB-Guest SSIDs, with adaptive wireless IPS management.]


Wireless Networking and Policy Management: Cisco Unified Wireless Network Solution

Cisco’s Unified Wireless Network solution provides the basis of the wireless infrastructure. Based on a combination of Cisco’s Wireless LAN Controllers, Mobility and Identity Services Engines, the integrated solution provides a controlled infrastructure to service wireless clients, like those used for BYOD.

Through Cisco’s OfficeExtend Access Point (OEAP), the Unified Wireless Network solution provides a virtual zero-touch deployment for remote access points to connect back to a preconfigured wireless controller. This is standard for the Cisco Aironet 600 Series Access Points, but the Cisco Aironet 3500 Series can operate in either OEAP or Hybrid Remote Edge Access Point (H-REAP) configurations.

Specifically, in this architecture, OEAP is used based on 4 VLANs: internal (management), wireless data, wireless voice and wireless guest.

Cisco CleanAir technology intelligently monitors the 802.11n wireless network for interference and degradation. It uses a combination of access points, wireless LAN controllers and intelligent management to constantly monitor the network for interference, rogue access points and security breaches. Cisco CleanAir technology offers a scalable, system-wide approach based on custom ASICs to control the wireless spectrum in real time.

The Cisco Mobility Services Engine (MSE) provides the ability to track the physical location of network devices using wireless LAN controllers (WLCs) and Cisco Aironet Lightweight Access Points (LAPs). The MSE solution allows a customer to track any Wi-Fi device, including clients, active RFID tags, and rogue clients and access points (APs). You can import the floor plan of the facility to provide visual location information for location services, which allows you to implement policies based on the physical location of the device. For instance, a device may be allowed access to a specific corporate resource if the device is in a conference room, but not if it’s in a public area.

[Figure: Cisco Mobility Services Engine]


Wireless security is essential to protecting access and traffic passing over the wireless network. OEAP or H-REAP provides control and ensures that the data passing over the wireless media is encrypted. Access with either of these technologies is controlled through a Wireless LAN Controller (WLC) policy. Each end station is identified by MAC address and Message Integrity Check (MIC) values. Corporate resources also have a digital certificate associated with them for EAP-TLS authentication, except for the voice resources that cannot use this technology. Encryption on the WLAN is WPA2-AES at a minimum, with hardware acceleration in the Access Points. These Access Points perform adaptive IPS in Enhanced Local Mode, which allows wireless IPS without an overlay infrastructure.

The Cisco Identity Services Engine (ISE) is implemented to enhance security and establish policy based on identity. Additionally, it can help with compliance with Sarbanes-Oxley, HIPAA and other regulatory requirements by tracking and controlling resource access based on the user and device identity credentials. The Cisco ISE allows the network manager or administrator to integrate device and user policy decisions with Active Directory (AD) or other login credentials and with the 802.1x infrastructure of the wired or wireless network.

The Cisco ISE allows a corporate client, which can authenticate with normal AD credentials and a corporate digital certificate (EAP-TLS), to access Internal and Wireless Data VLANs and have access to normal corporate resources.

A corporate IP phone using AD credentials will have access to the Wireless Voice VLAN and Platinum Quality of Service (QoS) on the LAN to protect the voice traffic. A BYOD device logging in with AD username and password (using PEAP MSCHAPv2) will be connected to the network but have only limited access on the GUEST VLAN. A guest or sponsored guest will also be connected to the guest VLAN with only Internet access. Sponsored-guest access is provided to invited guests and partners. This allows the system to identify the guest device while limiting its access purely to the Internet and protecting internal resources.

[Figure: Cisco Identity Services Engine Traffic Flow. (1) A corporate 7925 phone performs EAP authentication against ISE over the Internal SSID; (2) ISE accepts it with VLAN 50 (Voice) and QoS Platinum. (3) A corporate-owned device performs EAP authentication; (4) ISE accepts it with VLAN 40. Both VLANs reach the access point over an 802.1Q trunk.]


Security Details

Guest Access Configuration and Certificate Authority Configuration

In the sample architecture, Microsoft Active Directory Certificate Authority was deployed on Windows 2008. To support the Simple Certificate Enrollment Protocol, an additional role service of Network Device Enrollment Service was installed. Certificate templates were created and an elevated security posture was utilized for authentication when requesting the certificate to provide central management of all certificates.

The centralized Certificate Authority provides a Public Key Infrastructure (PKI) authentication system. PKI is a more dynamic and secure key-sharing approach than pre-shared keys or other methodologies, while being fairly straightforward to implement and manage.

In the reference architecture, remote access using distinct SSL termination groups and URLs was created. This allowed each group to hit a unique URL and authenticate appropriately. An admin group was created for administering the environment. Local users and a local address pool were used for this to tightly control access. A general VPN group was created and tied to AD credentials. A central DHCP pool was used for this group. All users must be in the AD to login. A certificate group ties the AD credentials to the certificate authority to issue the digital certificates. Users must authenticate to the AD and be part of the certificate group to qualify. Another group could be created for smartcard users. This group would authenticate the user based on information stored on a smartcard.


Content security is provided by a combination of devices. The Cisco IronPort Web Security Appliance (WSA) combined with the Cisco Adaptive Security Appliance (ASA) provides part of this solution. The WSA, deployed in a WCCP configuration, can evaluate all HTTP content on the network. The ASA provides traditional firewall and VPN termination services. The WSA and ASA can communicate to identify VPN-terminated users, and multiple identity groups are created on the WSA to enforce different policies.

AnyConnect Mobility Client Configuration Settings

IronPort WSA Screen


Another element of content security is performed by adding the Pravail Network Security Intelligence ("Pravail NSI") solution from Arbor Networks. The Pravail NSI appliance uses NetFlow and SNMP feeds to identify traffic flows and conversations on the LAN. Pravail NSI can identify instances of network misuse, abuse and policy violations based on behavioral analysis of traffic flows. It provides detailed forensics of historical traffic on the LAN, real-time alerting of threats and easy comparison of baseline values versus real-time traffic. Pravail NSI maps usernames to IP addresses through integration with the Active Directory infrastructure, DHCP and RADIUS.

The Cisco ISE plays a security role in the architecture as well by providing identity and access management and Unified Policy Management. The Cisco ISE authenticates 802.1x wired and wireless clients via a supplicant. Devices that cannot authenticate via a supplicant should be admitted via MAC authentication bypass. The ISE was configured to support Web authentication for guests and contractors while providing specific policy-based access for iPads and iPhones.

Traditional perimeter security devices such as firewalls and IPS devices are essential elements of a layered-defense strategy, but they are not designed to solve the DDoS problem. Firewalls enforce policies that govern access to data-center resources, and IPS devices block malware that can infect end systems or exploit known vulnerabilities. DDoS attacks consist of legitimate-looking traffic from many sources, crafted to exhaust critical resources such as link capacity, session capacity, application service capacity (e.g., HTTP(S), DNS) or back-end databases. Because such traffic is permitted by policy and does not carry the signature content of known malware, it is not stopped by firewall and IPS devices. In fact, firewall and IPS devices are frequent victims of DDoS attacks: as inline, stateful inspection devices, they are subject to the very state-exhaustion weaknesses that DDoS attacks seek to exploit.

Low-bandwidth attacks that are effective in bringing down data-center applications generally "fly under the radar" of most provider-based, in-cloud DDoS solutions. However, DDoS also includes bandwidth-consuming flood attacks that saturate the Internet links into the data center, and these flood attacks can only be mitigated within the provider network. Enterprises therefore need a comprehensive DDoS solution with both provider-based and on-premise protection.

Cisco ISE Web Authentication Configuration Screen


Figure: Pravail APS Deployment Topology. In the DMZ, traffic flows Cat6K, GW1, NAM2, ASA, Pravail APS, DMZ GW, with the Pravail APS placed between the router and the firewall.

Arbor's Pravail APS solution logically sits between the router and the firewall in the network, protecting the firewall, associated IPS/IDS devices and all internal resources from application-layer DDoS attacks. Pravail APS is designed specifically to protect business continuity and availability from the growing constellation of application-level threats. It packages attack detection and mitigation technology in an easy-to-deploy appliance that automatically neutralizes attacks before they impact critical services.

Pravail APS provides DDoS protection "out of the box" with a default protection group for the most commonly encountered DDoS attacks. The default protection group pre-defines server types, common attacks and the mitigations for those attacks. The appliance can be installed initially in an inactive mode, if desired, to collect data and establish a network baseline. One of the key concepts in Pravail APS is availability: the goal is to ensure that protected resources remain available, rather than to ensure that all unwanted traffic is blocked. Blocking all unwanted traffic can have the unintended consequence of making resources unavailable, which makes the denial of service attack more effective rather than less.

Switching Pravail APS to active mode with the default protection group provides protection from many common attacks against generic servers, Web servers, email servers and DNS resources. Custom protection groups can be created to provide more surgical protection for different resources based on their actual use. For the sample architecture, protection groups for SSL VPN termination, the Wireless LAN Controller and mobile device management were created to augment the default protection group. These are all key elements of the infrastructure and warrant custom protection rules.

Pravail APS Protection Groups


Pravail APS must have access to Arbor's ATLAS® Intelligence Feed (AIF) for updates. AIF provides real-time access to the latest fingerprints for attacks identified on a global basis. Arbor maintains close relationships with leading service providers and cloud operators around the world, and through its extensive network of sensors and data feeds has real-time visibility into 39 Tbps (peak) of global Internet traffic. This gives the Arbor Security Engineering & Response Team (ASERT) insight into emerging threats, which it uses to develop defenses against them. AIF is an update service that automatically provisions Pravail APS appliances with the latest defenses to new threats and refreshes IP location data, all in real time.

An additional configuration option is to enable Cloud Signaling™ functionality on the Pravail APS appliance. This allows Pravail APS to interact dynamically with Arbor's Peakflow® products in the service provider (SP) cloud. Since Pravail APS is a customer premises equipment (CPE) appliance, its mitigation capacity is bounded by the bandwidth of the links into the data center where it is deployed. Attacks that exceed this bandwidth must be mitigated further upstream, in the cloud. Cloud Signaling notifies the carrier to begin attack mitigation in the cloud when a volumetric attack from external sources is detected.

Enabling AIF Updates in Pravail APS
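The escalation decision described above, from local mitigation to asking the provider for help, is easy to get wrong in one specific way: if the CPE signals upstream the instant a link looks busy and cancels the instant it quiets down, a bursty flood makes the upstream mitigation flap. The following is an added example of the decision logic with hysteresis, written for this page; it is not Arbor's Cloud Signaling implementation, whose wire protocol is not described here. It assumes the appliance sees per-second inbound bit rates for its Internet link and knows that link's capacity; the thresholds and the sample timeline are constructed.

```python
"""Hypothetical CPE-side escalation logic for on-premise/in-cloud DDoS defence.

Added example, not Arbor code. Escalate to the provider only when inbound
traffic stays near link saturation for several seconds; de-escalate only
after it has stayed low for much longer, so a bursty flood cannot make the
upstream mitigation flap on and off.
"""
from dataclasses import dataclass, field


@dataclass
class EscalationPolicy:
    link_capacity_bps: float
    enter_ratio: float = 0.8      # escalate when inbound >= 80 % of link ...
    enter_seconds: int = 5        # ... for this many consecutive seconds
    exit_ratio: float = 0.5       # de-escalate when inbound < 50 % of link ...
    exit_seconds: int = 30        # ... for this many consecutive seconds


@dataclass
class Escalator:
    policy: EscalationPolicy
    signaling: bool = False       # True while the provider is asked to mitigate
    _above: int = 0               # consecutive seconds at or above enter_ratio
    _below: int = 0               # consecutive seconds below exit_ratio
    transitions: list = field(default_factory=list)

    def observe(self, t, inbound_bps):
        """Feed one per-second sample; returns whether upstream mitigation is requested."""
        ratio = inbound_bps / self.policy.link_capacity_bps
        self._above = self._above + 1 if ratio >= self.policy.enter_ratio else 0
        self._below = self._below + 1 if ratio < self.policy.exit_ratio else 0
        if not self.signaling and self._above >= self.policy.enter_seconds:
            self.signaling = True
            self.transitions.append((t, "signal-upstream"))
        elif self.signaling and self._below >= self.policy.exit_seconds:
            self.signaling = False
            self.transitions.append((t, "cancel-upstream"))
        return self.signaling


def run(samples, policy):
    """Replay (t, inbound_bps) samples and return the list of state transitions."""
    esc = Escalator(policy)
    for t, bps in samples:
        esc.observe(t, bps)
    return esc.transitions


def sample_timeline():
    """Constructed traffic: 1 Gbps link, 200 Mbps baseline, a 950 Mbps flood
    from t=10 to t=69 with a two-second lull at t=30..31, then baseline again."""
    samples = []
    for t in range(120):
        if t in (30, 31):
            bps = 3e8
        elif 10 <= t < 70:
            bps = 9.5e8
        else:
            bps = 2e8
        samples.append((t, bps))
    return samples


if __name__ == "__main__":
    for t, event in run(sample_timeline(), EscalationPolicy(link_capacity_bps=1e9)):
        print(f"t={t:3d}s  {event}")
```

With these settings the CPE signals upstream at t=14 (five seconds into the flood), ignores the two-second lull, and only cancels at t=99, thirty seconds after the flood ends. The asymmetry between the enter and exit windows is the point: false escalation costs a little provider capacity, while premature cancellation re-exposes the link.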


Mobile Device Management

MDM includes Over The Air (OTA) provisioning of policy for deployment into the infrastructure. In the reference architecture, one of the companies provided employees with a stipend to purchase any mobile device of their choosing. Upon device acquisition, the employees are given instructions to log in to the MDM portal with their AD credentials or one-time passwords. Upon login to the MDM portal, the appropriate wireless and VPN policies are provisioned to the device. The device is now ready to join the corporate network.

Neither Cisco nor Arbor Networks has an MDM product offering. Third-party products, specifically the MobileIron Sentry Appliance and VSP Appliance, were used in the sample architecture to manage the mobile devices. An in-depth discussion of the MobileIron products is outside the scope of this document.

Network and Application Visibility

Enhancing traffic visibility starts with the activation of NetFlow across all devices in the infrastructure. NetFlow provides flow-based data to collectors for analysis to determine policy compliance, security posture and other details. The Cisco Network Analysis Module (NAM) is deployed in the Catalyst infrastructure in the core to provide visibility into traffic flows.

The Pravail NSI solution collects and analyzes IP flow data, providing organizations with enterprise-wide awareness of activities occurring in the corporate network. This includes misuse of corporate resources, communication with botnets or DDoS command-and-control servers, or other malicious activity that could put the network at risk. Additionally, identity tracking allows the organization to see what devices are accessing the network and what activities they are engaging in.

The Pravail NSI Application Intelligence (AI) collector extends network awareness to the application layer, enabling organizations to know who is accessing what applications, whether applications or users are infected with viruses or hosting bots, or whether an application is under attack. Through deep packet inspection (DPI), the AI collector also gives organizations information about applications and users that is critical to demonstrating regulatory compliance.

The analysis capabilities in the Pravail NSI appliance are provided by the Arbor Security Engineering & Response Team (ASERT) via the Active Threat Feed (ATF) service. ASERT monitors threats via the ATLAS® network and creates attack fingerprints that can be used to identify malicious activity in the data collected by the Pravail NSI solution.

Pravail NSI logically sits on the internal network, behind all firewalls. Using NetFlow and SNMP data, it collects and analyzes all traffic across the network. Pravail NSI also has a default services setting that monitors the most common network services. In addition, it features a series of reporting templates designed to allow the network administrator to quickly see and understand network activity. These built-in reports can be customized, scheduled to run on a regular basis, and exported to PDF and Microsoft Excel formats.


As an example, the standard interface report available in the Pravail NSI UI provides a "Top Services" table indicating the top network services in use. This report can identify whether services other than those planned and authorized on the network are active. Services such as unauthorized peer-to-peer applications, BitTorrent servers and botnet command-and-control servers can be found with this report.

In the same report, the "Top Connections" table identifies which hosts are receiving the highest number of connection requests and what protocol is used for the requests. In the example, note that even with a proxy server in the path, the protocol information is still valid and useful. Again, this is an excellent report for identifying unauthorized hosts on the network, and it also provides visibility into unauthorized services those hosts offer.

Pravail NSI Top Services Table

Pravail NSI Top Connections Table


The "Alert Summary" report shows the alerts the system raised for rule violations, and can be customized for specific time periods. Note that, although the reference architecture is in a lab environment, it still may be targeted by external attackers and is susceptible to insider misuse. In this case, traffic is being exchanged between a host on the network and the embargoed nation of Syria. An IP location database is built into the Pravail solution and is used for location identification. In a lab setting, traffic attributed to the "black" IP block is expected, as these are non-routable addresses normally used in internal networks.

The "Entity Information" report is built on demand for specific network devices or segments. This report is valuable in identifying devices that are violating policy or running unwanted services.

Pravail NSI Alert Summary/Traffic Origin Report

Pravail NSI Entity Information Report
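The three reports above are all derived from the same flow records: a "Top Services" table aggregates bytes by service port, "Top Connections" counts connection requests per destination host, and the "Alert Summary" matches endpoints against a location database and against known-bad services. The following added example, written for this page and not taken from Pravail NSI, shows the shape of that analysis over a constructed NetFlow-style export. The geolocation table, the embargo list and the sample flows are all assumptions; a real deployment would use the collector's own location database and flow feed.

```python
"""Flow-record triage in the spirit of the Pravail NSI reports above.

Added example, not Arbor code. Parses constructed NetFlow-style records,
builds "Top Services" (bytes per service) and "Top Connections" (connection
requests per destination host) tables, and produces an alert summary that
flags flows to an embargoed country (via a hypothetical IP-to-country table)
and watch-listed services leaving private (RFC 1918) address space.
"""
import csv
import ipaddress
from collections import Counter
from io import StringIO

# Constructed sample flow export (NetFlow v5-like fields). 198.51.100.0/24
# stands in for an embargoed-country prefix; 203.0.113.0/24 for an ordinary one.
SAMPLE_FLOWS = """\
src,dst,proto,sport,dport,packets,bytes
10.1.1.15,10.1.2.20,6,51234,443,40,52000
10.1.1.16,10.1.2.20,6,51235,443,38,49000
10.1.1.15,10.1.2.21,17,5353,53,3,290
10.1.1.40,203.0.113.7,6,60001,6881,500,640000
10.1.1.40,198.51.100.9,6,60002,6667,20,1200
10.1.1.41,198.51.100.9,6,60003,6667,25,1500
10.1.2.20,10.1.1.15,6,443,51234,39,810000
"""

# Hypothetical IP-to-country table; the product ships its own location database.
GEO_DB = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "SY",
}
EMBARGOED = {"SY"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WELL_KNOWN = {(6, 443): "https", (6, 80): "http", (17, 53): "dns",
              (6, 6667): "irc", (6, 6881): "bittorrent"}
EGRESS_WATCHLIST = {"irc", "bittorrent"}   # classic C2 and peer-to-peer services


def parse_flows(text):
    """Parse the CSV export into dicts with typed fields."""
    flows = []
    for r in csv.DictReader(StringIO(text)):
        flows.append({
            "src": ipaddress.ip_address(r["src"]), "dst": ipaddress.ip_address(r["dst"]),
            "proto": int(r["proto"]), "sport": int(r["sport"]), "dport": int(r["dport"]),
            "packets": int(r["packets"]), "bytes": int(r["bytes"]),
        })
    return flows


def is_internal(addr):
    return any(addr in net for net in RFC1918)


def lookup_country(addr):
    return next((cc for net, cc in GEO_DB.items() if addr in net), None)


def service_of(flow):
    # The lower-numbered port is taken as the service port, so replies from
    # port 443 are attributed to https just like the requests to it.
    key = (flow["proto"], min(flow["sport"], flow["dport"]))
    return WELL_KNOWN.get(key, f"{flow['proto']}/{key[1]}")


def top_services(flows, n=5):
    """'Top Services' table: (service, bytes) in descending order."""
    totals = Counter()
    for f in flows:
        totals[service_of(f)] += f["bytes"]
    return totals.most_common(n)


def top_connections(flows, n=5):
    """'Top Connections' table: connection requests per destination host.
    A flow whose source port is the ephemeral (higher) port is a request."""
    requests = Counter()
    for f in flows:
        if f["sport"] > f["dport"]:
            requests[str(f["dst"])] += 1
    return requests.most_common(n)


def alert_summary(flows):
    """'Alert Summary': (rule, detail, src, dst) tuples for policy violations."""
    alerts = []
    for f in flows:
        for end in ("src", "dst"):
            cc = lookup_country(f[end])
            if cc in EMBARGOED:
                alerts.append(("embargoed-country", cc, str(f["src"]), str(f["dst"])))
        svc = service_of(f)
        if is_internal(f["src"]) and not is_internal(f["dst"]) and svc in EGRESS_WATCHLIST:
            alerts.append(("suspicious-egress", svc, str(f["src"]), str(f["dst"])))
    return alerts


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("Top Services:", top_services(flows))
    print("Top Connections:", top_connections(flows))
    for alert in alert_summary(flows):
        print("ALERT", *alert)
```

Two points the reports rely on are visible in the code: connection direction is inferred from which side holds the ephemeral port, which is why the protocol information survives a proxy, and the "private space" test is an explicit RFC 1918 match rather than a library convenience, because Python's `is_private` also returns true for the documentation prefixes used in the sample.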


Conclusion
Building a BYOD environment presents many challenges, such as extending policy to new mobile devices based on device type, location and ownership. Using a robust Cisco-based infrastructure provides organizations with many of the tools needed to control device access and provide location services.

Arbor Networks' Pravail product line, including Pravail APS and Pravail NSI, augments the capabilities of the Cisco infrastructure to provide a complete solution for the BYOD challenge. Pravail APS protects the firewall and internal resources from DDoS attacks that can exhaust state tables and take the infrastructure down. Pravail NSI monitors the internal network, identifies internal attacks and bots on internal devices, and helps prevent data leakage to unauthorized destinations.

Together, Pravail APS and Pravail NSI complement the Cisco infrastructure to provide an integrated BYOD solution that ensures both security and availability.

Corporate Headquarters
76 Blanchard Road
Burlington, MA 01803 USA
Toll Free USA +1 866 212 7267
T +1 781 362 4300

Europe
T +44 207 127 8147

Asia Pacific
T +65 6299 0695

www.arbornetworks.com

©2012 Arbor Networks, Inc. All rights reserved. Arbor Networks, the Arbor Networks logo, Peakflow, ArbOS, How Networks
Grow, Pravail, Arbor Optima, Cloud Signaling, ATLAS and Arbor Networks. Smart. Available. Secure. are all trademarks of
Arbor Networks, Inc. All other brands may be the trademarks of their respective owners.

WP/BYOD/EN/1212
Arbor White Paper

Keeping the Lights On
The Importance of DDoS Defense in Business Continuity Planning
About Arbor Networks
Arbor Networks, Inc. is a leading provider of network
security and management solutions for enterprise and
service provider networks, including the vast majority
of the world’s Internet service providers and many of the
largest enterprise networks in use today. Arbor’s proven
network security and management solutions help grow
and protect customer networks, businesses and brands.
Through its unparalleled, privileged relationships with
worldwide service providers and global network
operators, Arbor provides unequalled insight into and
perspective on Internet security and traffic trends via
the ATLAS® Active Threat Level Analysis System.
Representing a unique collaborative effort with 250+
network operators across the globe, ATLAS enables
the sharing of real-time security, traffic and routing
information that informs numerous business decisions.
Arbor White Paper: Keeping the Lights On

Table of Contents
Business Continuity Planning Priorities and Operational Security
Actionable Security Practices are Critical to Business Continuity Planning
DDoS Attacks: Background and Context
DDoS Attacks as an Element of Operational Risk
Traditional Security Solutions Do Not Mitigate the Operational Risk of DDoS Attacks
Arbor Solutions Help Mitigate the Operational Risk of DDoS Attacks
Conclusion


Business Continuity Planning Priorities and Operational Security

Today's enterprises are increasingly motivated to formalize IT security and place it firmly within the context of enterprise risk management and business continuity planning. Current financial realities require that companies incorporate IT security into their operational and financial planning to control escalating costs. At the same time, they must provide adequate resources to address their financial, regulatory and reputation-driven security priorities and incorporate all pertinent risk factors into their organizational security model.

The abstract nature of risk management and business continuity planning can often make these processes daunting to planners and IT security professionals alike. In most cases, business continuity plans include detailed policies and procedures for keeping operations running in the wake of natural disasters such as fire, floods and earthquakes. But rarely do they incorporate contingencies for IT security incidents. This is a major oversight. Security incidents often have a negative impact on business operations, resulting in significant operational expenditure (opex), lost revenue, customer satisfaction problems and an erosion of brand reputation. As a result, IT security issues constitute significant business risks, which places them squarely within the realm of business continuity planning and disaster recovery.

The most important aspect of enterprise security, availability, is also the most easily understood and quantifiable aspect of security today. This means that organizations can readily establish the economic and reputational necessity of maintaining availability in the face of attack, and the cost of failing to do so.

When measuring the risk to the availability or resiliency of services, where does the risk of availability attacks fall on the list?

Availability Scorecard:
Site Selection
Physical Security
Fire Protection and Detection
Electrical and Power
Environment and Weather
DDoS Attacks?

Figure 1: Availability Scorecard


Actionable Security Practices are Critical to Business Continuity Planning
Enterprise risk management is a critical component of business continuity planning.
Several ISO standards (such as ISO 27005 and ISO 31000) are related to IT risk
assessment—as are other, less formalized standards such as COSO1 and OCTAVE.2
While these various processes generate lots of paperwork, they unfortunately
produce very little in the way of actionable security practices.

Although a top-down model is the usual methodology for risk assessment, you can begin with a bottom-up threat assessment to generate actionable security practices. By using those practices as inputs into the various IT risk assessment standards, you can derive useful enterprise risk management inputs for business continuity planning.

Availability protections are the most important IT security practices to implement, and also the most quantifiable. It is relatively easy to calculate the cost of downtime for e-commerce sites, customer support applications, content delivery systems, brick-and-mortar online reference sites, etc.

Much of this information may already be available from the often siloed high-availability studies and efforts related to existing business continuity planning.

The Impact of Loss of Service Availability Goes Beyond Financials

Operations: How many IT personnel will be tied up addressing the attack?
Help Desk: How many more help desk calls will be received, and at what cost per call?
Recovery: How much manual work will need to be done to re-enter transactions?
Lost Worker Output: How much employee output will be lost?
Penalties: How much will have to be paid in service level agreement (SLA) credits or other penalties?
Lost Business: How much will the ability to attract new customers be affected? What is the full value of those lost customers?
Brand and Reputation Damage: What is the cost to the company brand and reputation?

Figure 2: The Impact of Loss of Service Availability Goes Beyond Financials

1 Model for assessing internal control systems developed by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission
2 Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) methodology


DDoS Attacks: Background and Context

Distributed denial-of-service (DDoS) attacks are attempts to consume finite resources, exploit weaknesses in software design or implementation, or exploit a lack of infrastructure capacity.

DDoS attacks target the availability and utility of computing and network resources; if a DDoS attack against a Web server, DNS server, email server, application server or other online property is successful, the availability of the target is negatively impacted.

DDoS attacks are typically launched by botnets, which are collections of compromised computers utilized by attackers without the knowledge of their legitimate owners. Hundreds of millions of botted computers are on the Internet and enterprise networks today. They represent a major threat to organizations with an online presence because of the near-infinite computing power and bandwidth available to attackers who leverage botnets to launch DDoS attacks.

Figure 3: DDoS Attacks are a Multi-Vector, Diverse Threat. Attack traffic and legitimate traffic arrive from ISP 1, ISP 2 ... ISP n through the local ISP into the Internet data center, where they pass the firewall, IPS and load balancer before reaching the target applications and services. Volumetric DDoS causes saturation of the local ISP links; application-layer DDoS causes exhaustion of service inside the data center.


DDoS Attacks as an Element of Operational Risk

An operational risk is one that arises from the execution of an organization's normal functions. Internet presence, whether for e-commerce, customer support, content delivery, marketing or anything else, is a normal function for all types of organizations. The Basel II Accords issued by the Basel Committee on Banking Supervision have become widely accepted throughout the financial industry and beyond as canonical references for defining operational risk.

The Basel II financial industry guidance for enterprise risk management defines operational risk to organizations as "The risk of loss from inadequate or failed internal processes, people, and systems, or from external events" (page 94, www.bis.org/publ/bcbsca03.pdf). Security threats, especially threats to availability, are external events that can have a negative financial, legal/regulatory and/or brand reputation impact. As a result, organizations should incorporate security threats into their enterprise risk management considerations, which form the basis for business continuity planning.

In essence, DDoS attacks are "external events" as defined in Basel II; they can be thought of as man-made disasters. The threat to availability represented by DDoS attacks cannot be overstated. No business continuity plan is complete without taking into account the need to maintain the availability of critical online properties, even in the face of a concerted attack.

Companies can successfully detect, classify, trace back and mitigate DDoS attacks with appropriate operational best practices and dedicated anti-DDoS solutions. Any enterprise risk management model and business continuity plan must account for DDoS attacks.

Traditional Security Solutions Do Not Mitigate the Operational Risk of DDoS Attacks

Contrary to popular belief, traditional security solutions such as firewalls and intrusion prevention systems (IPS) do not provide a DDoS mitigation capability. These devices are focused on maintaining the confidentiality and integrity of organizational systems and, by their very nature, do not provide availability protection.

In fact, the stateful nature of these devices means that they often contribute to the impact of DDoS attacks, because even relatively small attacks can readily overflow their state tables. Load balancers and web application firewalls (WAFs) are also stateful devices, and suffer from the same vulnerability to state-table overflow as stateful firewalls and IPS.

If these devices are present on public-facing networks, they must be protected against DDoS attacks, along with the hosts, applications and data that they are intended to protect and scale.
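The state-table argument above is easy to demonstrate in miniature. The following added example, written for this page and not taken from the paper or from any Arbor product, models two TCP listeners: one that allocates a half-open entry per SYN, as a stateful firewall, IPS or load balancer does, and one that encodes the handshake state into the SYN/ACK sequence number (SYN-cookie style, here an HMAC truncated to 32 bits) and allocates nothing until a valid ACK returns. A constructed flood of SYNs that are never completed fills the stateful table and locks out every legitimate client, while the stateless listener keeps serving them. Table sizes, addresses and the absence of half-open timeouts are assumptions; real devices do expire half-open entries, but a flood whose rate exceeds the expiry rate keeps the table full anyway.

```python
"""Stateful vs. stateless handshakes under a SYN flood. Added example, not
from the paper: a toy model of why stateful devices are the first casualties
of state-exhaustion DDoS, and how a SYN-cookie style handshake avoids it.
"""
import hashlib
import hmac
import os
import random

MASK32 = 0xFFFFFFFF


class StatefulListener:
    """Allocates a state-table entry on every SYN, like a stateful firewall."""

    def __init__(self, table_size):
        self.table_size = table_size
        self.half_open = {}          # (src, sport) -> server sequence number
        self.established = set()
        self.refused = 0

    def on_syn(self, src, sport, isn):
        # Assumption: no half-open timeout; a fast enough flood keeps it full anyway.
        if len(self.half_open) + len(self.established) >= self.table_size:
            self.refused += 1
            return None                  # table full: SYN dropped
        seq = random.getrandbits(32)
        self.half_open[(src, sport)] = seq
        return seq                       # SYN/ACK sequence number

    def on_ack(self, src, sport, isn, ack):
        seq = self.half_open.get((src, sport))
        if seq is None or ack != (seq + 1) & MASK32:
            return False
        del self.half_open[(src, sport)]
        self.established.add((src, sport))
        return True


class CookieListener:
    """Keeps no state for half-open connections; the SYN/ACK sequence number
    is a keyed hash (SYN cookie) that the returning ACK must echo."""

    def __init__(self, table_size, secret=None):
        self.table_size = table_size
        self.secret = secret or os.urandom(16)
        self.established = set()
        self.refused = 0

    def _cookie(self, src, sport, isn):
        msg = f"{src}:{sport}:{isn}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def on_syn(self, src, sport, isn):
        return self._cookie(src, sport, isn)      # nothing allocated

    def on_ack(self, src, sport, isn, ack):
        if ack != (self._cookie(src, sport, isn) + 1) & MASK32:
            return False                          # forged or stale ACK
        if len(self.established) >= self.table_size:
            self.refused += 1
            return False
        self.established.add((src, sport))        # allocate only now
        return True


def simulate(listener, attack_syns, legit_clients, seed=1):
    """Constructed traffic: a flood of SYNs from 198.51.100.0/24 that never
    completes, followed by legitimate clients that do. Returns how many
    legitimate handshakes succeeded."""
    rng = random.Random(seed)
    for i in range(attack_syns):
        listener.on_syn(f"198.51.100.{i % 254 + 1}", 10000 + i, rng.getrandbits(32))
    completed = 0
    for i in range(legit_clients):
        src, sport, isn = f"10.0.0.{i % 254 + 1}", 40000 + i, rng.getrandbits(32)
        seq = listener.on_syn(src, sport, isn)
        if seq is not None and listener.on_ack(src, sport, isn, (seq + 1) & MASK32):
            completed += 1
    return completed


if __name__ == "__main__":
    print("stateful:", simulate(StatefulListener(1000), 5000, 100), "of 100 clients served")
    print("cookie:  ", simulate(CookieListener(1000), 5000, 100), "of 100 clients served")
```

With a 1,000-entry table and 5,000 flood SYNs the stateful listener serves none of the 100 legitimate clients; the cookie listener serves all of them, because the attacker's SYNs cost it nothing but a hash. This is the same reason the paper's on-premise appliance sits in front of the firewall rather than behind it: the device that needs protecting is the stateful one.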


Arbor Solutions Help Mitigate the Operational Risk of DDoS Attacks

Basel II defines four strategies for mitigating operational risk: Avoid, Retain, Reduce and Transfer. Avoidance simply isn't possible in today's globally interconnected, online world. Most organizations must maintain an online presence if only for marketing and customer support purposes. Now that e-commerce systems and online supply chains are critical assets for organizations of all sizes, the risk represented by DDoS attacks cannot simply be avoided.

Retaining the risk, or simply absorbing DDoS attacks and their negative impact on availability, is not a viable strategy because of the overwhelming resources controlled by determined attackers. In an era of 100 Gigabit/sec-plus DDoS attacks (see the recent Worldwide Infrastructure Security Reports from Arbor Networks), attackers can potentially overwhelm any organization. Therefore, more proactive measures are required.

Reducing the operational risk of DDoS attacks is enabled by the on-premise DDoS attack detection, classification and mitigation solutions from Arbor Networks. Risk reduction is the single most important strategy for mitigating the operational risk represented by DDoS attacks. It should be a key part of business continuity planning for maintaining availability in the face of determined DDoS attacks.

Risk transfer is also a viable strategy for mitigating the operational risk of DDoS attacks. Arbor's cloud-based DDoS detection, classification and mitigation solutions help transfer the risk from targeted organizations to managed security service providers (MSSPs) who specialize in DDoS attack mitigation within the MSSP network "cloud." Arbor's cloud-based solutions can also work in conjunction with its on-premise solutions.

Organizations can link together Arbor's on-premise and cloud-based DDoS defenses via Cloud Signaling™ functionality. This forms a comprehensive system that can respond quickly and precisely to sophisticated application-layer attacks, while simultaneously mitigating volumetric attacks that consume last-mile transit link bandwidth.

Figure 4: Arbor Solutions Provide Comprehensive DDoS Protection. In-cloud DDoS protection: Peakflow SP and TMS in the provider's scrubbing center, linked by Cloud Signaling to the Internet data center. CPE-based DDoS protection: Pravail APS in the data center, in front of the firewall, IPS and load balancer that serve the target applications and services. Attack traffic and legitimate traffic arrive via ISP 1, ISP 2 ... ISP n and the local ISP.


Conclusion
No enterprise risk assessment and business continuity plan is complete without taking into account the operational risk represented by DDoS attacks intended to have a negative effect on the availability of key online services.

Premise- and cloud-based availability protection solutions from Arbor Networks enable organizations to successfully mitigate the operational risk represented by DDoS attacks. The design, deployment and operation of such solutions are key to ensuring that business continuity planning takes into account the "man-made disaster" of DDoS attacks, and to ensuring that the availability of mission-critical public-facing properties is protected even in the face of determined DDoS attacks.

Corporate Headquarters
76 Blanchard Road
Burlington, MA 01803 USA
Toll Free USA +1 866 212 7267
T +1 781 362 4300

Europe
T +44 207 127 8147

Asia Pacific
T +65 6299 0695

www.arbornetworks.com

©2013 Arbor Networks, Inc. All rights reserved. Arbor Networks, the Arbor Networks logo, Peakflow, ArbOS, How
Networks Grow, Pravail, Arbor Optima, Cloud Signaling, ATLAS and Arbor Networks. Smart. Available. Secure. are all
trademarks of Arbor Networks, Inc. All other brands may be the trademarks of their respective owners.

WP/BUSCONT/EN/0213
50 Years of Growth, Innovation and Leadership

Why Anti-DDoS Products and Services are Critical for Today's Business Environment
Protecting Against Modern DDoS Threats

A Frost & Sullivan White Paper

www.frost.com
Frost & Sullivan

Contents
Executive Summary
Introduction
What is DDoS?
Volumetric Attacks
TCP State-Exhaustion Attacks
Application-Layer Attacks
The Growing DDoS Problem
Broader Spread of Attack Motivations and Targets
Volunteer Botnets
Increased Impact on Organizations
Complex Threats Need a Full-Spectrum Solution
Integrity and Confidentiality vs. Availability
Protect Your Business from the DDoS Threat
Cloud-Based DDoS Protection
Perimeter-Based DDoS Protection
Out-of-the-Box Protection
Advanced DDoS Blocking
Botnet Threat Mitigation
Cloud Signaling
The Final Word

Why Anti-DDoS Products and Services are Critical for Today's Business Environment

EXECUTIVE SUMMARY

The perception of distributed denial of service (DDoS) attacks has changed dramatically in the
past 24 months. A series of successful, high-profile attacks against enterprises, institutions and
governments around the world has driven home the importance of availability and the need
for layered defenses. These attacks have also driven home how quickly the pace of innovation
has accelerated on the side of the hackers.

In today’s environment, any enterprise operating online—which means just about any type
and size of organization—can become a target because of who they are, what they sell, who
they partner with or for any other real or perceived affiliations. The widespread availability
of inexpensive attack tools enables anyone to carry out DDoS attacks. This has profound
implications for the threat landscape, risk profile, network architecture and security
deployments of Internet operators and Internet-connected enterprises.

The methods hackers use to carry out DDoS attacks have evolved from the traditional high-
bandwidth/volumetric attacks to more stealthy application-layer attacks, with a combination of
both being used in some cases. Whether used for the sole purpose of shutting down a network,
or as a means of distraction to obtain sensitive data, DDoS attacks continue to become more
complex and sophisticated. While some DDoS attacks have reached levels of 100 Gbps, low-
bandwidth application-layer attacks have become more prominent as attackers exploit the
difficulty of detecting these “low-and-slow” attacks before they impact services. The way
botnets are assembled has also shifted. Botnets used to be made up of compromised PCs,
unwitting participants controlled by a botmaster. In the age of the hacktivist, people are
opting in to botnets, and botnets are even rented for the purpose of launching attacks.

Network administrators are finding that traditional security products, such as Firewalls and
Intrusion Prevention Systems (IPS), are not designed for today’s complex DDoS threat. These
products focus on the integrity and confidentiality of a network. However, DDoS targets the
availability of the network and services it provides.

In today’s complex and rapidly changing threat landscape, enterprises need to take control
of their DDoS risk mitigation strategy by proactively architecting a layered defense strategy
that addresses availability threats. The issue of availability is taken into account as part of risk
planning for site selection, power failures and natural disasters. Given today’s threat landscape,
DDoS planning should now be part of any enterprise risk mitigation strategy.

Arbor Networks’ Pravail Availability Protection System (APS) is the first security product
focused on securing the network perimeter from threats against availability—specifically,
protection against application-layer DDoS attacks. Purpose-built for the enterprise, it delivers
out-of-the-box, proven DDoS attack identification and mitigation capabilities that can be
rapidly deployed with little configuration, even during an attack.

Frost.com 3
Frost & Sullivan

An added benefit for customers is Arbor’s unique visibility into DDoS botnets because of
its ATLAS infrastructure, which combines a darknet sensor network with traffic data from
more than 100 service provider customers around the world. The ATLAS Intelligence Feed
delivers DDoS signatures in real time to keep the enterprise data center edge protected
against hundreds of botnet-fueled DDoS attack toolsets and their variants.

Overall, the Arbor Pravail APS provides what other perimeter-based security devices cannot,
and that is the ability to detect and mitigate DDoS attacks proactively.

INTRODUCTION

Black Friday brings to mind the vision of hundreds of shoppers lined up at stores, ready to
pounce on deals and do business. A more recent holiday shopping addition—Cyber Monday—
brings to mind a different vision of a global audience armed with a computer and Web browser,
clicking away at the best deals at their favorite online retailer. While these two visions may
seem very different, the need to enable customers to make purchases is critically important.

The concept of business continuity is not new. Organizations have worked on business
continuity planning for a long time. Unfortunately, in today’s always-on environment, the
challenge of business continuity is greater than ever before. Consider the ease with which
criminals can conduct a crippling attack on an organization. With attackers having the ability to
generate significant amounts of traffic from the botnets they control, and sophisticated attack
tools at their disposal, even an organization with a high-capacity Internet connection can have
its Internet services, and business, disrupted.

This paper will look at DDoS attacks in detail. It will illustrate the attack vectors being used and
describe why the threat to organizations is greater than ever before. This paper will then detail
why traditional firewall and IPS solutions fall short in protecting organizations against today’s
sophisticated DDoS attacks. Finally, this paper will present the Arbor solution, a complete,
purpose-built solution that Frost & Sullivan believes can provide protection against the wide
range of DDoS attacks that can target the corporate data center.

WHAT IS DDOS?

A DDoS attack is simply an attempt by an attacker to exhaust the resources available to a
network, application or service such that genuine users cannot gain access. It is carried out by
a group of malware-infected or volunteered client computers whose combined actions overwhelm
a given network, site or service. Not all DDoS attacks operate in the same way, however. They
include flood attacks, which rely on high volumes of traffic or sessions to overwhelm a target
(e.g., TCP SYN, ICMP and UDP floods), and more sophisticated application-layer attack
vectors and tools, such as Slowloris and KillApache.


DDoS attacks can be classified as volumetric attacks, TCP state-exhaustion attacks or
application-layer attacks. In Kaspersky’s DDoS attacks in Q2 2011 report, HTTP flooding, an
application-layer attack, was the most common DDoS vector.1 The dominance of application-layer
attacks in that sample illustrates the rapid evolution of DDoS away from traditional
volumetric attacks.

Attack Vectors, Q2 2011¹

  HTTP Flood       88%
  SYN Flood        5.4%
  UDP Flood        2.6%
  ICMP Flood       1.7%
  TCP Data Flood   1.2%
  DDoS on DNS      0.2%

Volumetric Attacks
Volumetric attacks flood a network with massive amounts of traffic that saturate and consume a
network’s bandwidth and infrastructure. Once the traffic exceeds the capabilities of a network,
or its connectivity to the rest of the Internet, the network becomes inaccessible, as shown in
Figure 1. Examples of volumetric attacks include ICMP, Fragment and UDP floods.

1 http://www.securelist.com/en/analysis/204792189/DDoS_attacks_in_Q2_2011


[Figure 1: Volumetric attacks. Malicious traffic arriving through several upstream ISPs, mixed with regular traffic, saturates the target’s Internet connection in front of its router and firewall; once the link is full, regular traffic can no longer reach the target applications and services.]

TCP State-Exhaustion Attacks

TCP state-exhaustion attacks attempt to consume the connection state tables that are present
in many infrastructure components, such as load balancers, firewalls and the application servers
themselves. For instance, a firewall must analyze every packet to determine whether it opens a
new connection, continues an existing connection or completes one. Similarly, an intrusion
prevention system must track state to carry out signature-based detection of packets and
stateful protocol analysis. These and other stateful devices, including load balancers, are
frequently overwhelmed by large session floods or connection attacks.

The Sockstress attack, for example, completes TCP handshakes while keeping no state on the
attacker’s side (its client is stateless, so the attacker’s own resources are not consumed) and
then manipulates each connection so that the target must keep it open, for instance by
advertising a zero receive window. Every such connection occupies a state-table entry on the
firewall, load balancer or server until it times out, so a modest number of clients can quickly
fill the table.

Application-Layer Attacks
Application-layer attacks use far more sophisticated mechanisms to achieve the goals of the
hacker. Rather than flooding a network with traffic or sessions, application-layer attacks target
specific applications/services and slowly exhaust resources at the application layer. Application-
layer attacks can be very effective at low traffic rates, and the traffic involved can be entirely
legitimate from a protocol perspective. This makes application-layer attacks harder to detect
than other DDoS attack types. HTTP floods, DNS dictionary attacks and Slowloris are
examples of application-layer attacks.
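The classification above can be turned into detection logic. The following is an added example, not code from the paper or from Arbor’s products, that computes behavioural features from per-connection records and flags each of the three classes; the records, addresses and thresholds are constructed. It also reports the inbound bit rate, which shows why a bandwidth threshold alone misses the application-layer cases.

```python
"""Behavioural classification of DDoS traffic from per-connection records.

Added example, not code from the paper or from Arbor's products.  The three
classes the paper describes leave different fingerprints: a SYN flood shows
up as a high share of half-open handshakes from many (usually spoofed)
sources, an HTTP flood as an abnormal request rate from a few sources, and a
Slowloris-style attack as many long-lived connections per source that never
complete a request.  Every byte in the last two classes is valid HTTP over
valid TCP, so the signals are behavioural, not signature-based, and the
total bit rate stays far below anything a bandwidth threshold would notice.
All records, addresses and thresholds are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    src: str
    handshake_done: bool   # False: SYN seen, handshake never completed
    duration_s: float      # how long the connection has been open
    requests: int          # complete HTTP requests carried
    bytes_in: int          # client-to-server bytes


def classify(conns, window_s=60.0, min_sources=100, half_open_ratio=0.8,
             req_rate=20.0, slow_conns=50, slow_age=30.0):
    """Return findings per attack class plus the inbound rate in kbit/s."""
    findings = {"syn_flood": False, "http_flood": [], "slowloris": []}

    # Volumetric / state-exhaustion signal: most handshakes never complete,
    # and they arrive from a large number of distinct sources.
    half_open = [c for c in conns if not c.handshake_done]
    if (conns and len(half_open) / len(conns) >= half_open_ratio
            and len({c.src for c in half_open}) >= min_sources):
        findings["syn_flood"] = True

    per_src = defaultdict(list)
    for c in conns:
        per_src[c.src].append(c)
    for src, cs in per_src.items():
        # HTTP flood: well-formed requests, but at a rate no browser produces.
        if sum(c.requests for c in cs) / window_s >= req_rate:
            findings["http_flood"].append(src)
        # Slowloris: many concurrent established connections held open for a
        # long time without ever finishing a request (partial headers).
        stalled = [c for c in cs
                   if c.handshake_done and c.requests == 0 and c.duration_s >= slow_age]
        if len(stalled) >= slow_conns:
            findings["slowloris"].append(src)

    findings["kbps_in"] = round(sum(c.bytes_in for c in conns) * 8 / window_s / 1000, 1)
    return findings


def sample_traffic():
    """Constructed one-minute snapshot mixing normal users with three attacks."""
    conns = []
    for i in range(40):                       # ordinary browsers
        conns.append(Conn(f"203.0.113.{i + 1}", True, 4.0, 3, 2400))
    for _ in range(200):                      # Slowloris-style client, headers never finished
        conns.append(Conn("192.0.2.5", True, 300.0, 0, 180))
    for _ in range(100):                      # HTTP flooder, 30 valid requests per connection
        conns.append(Conn("198.51.100.7", True, 1.0, 30, 9000))
    for i in range(2000):                     # SYN flood from 2000 spoofed sources
        conns.append(Conn(f"10.{i // 256}.{i % 256}.1", False, 0.0, 0, 60))
    return conns


if __name__ == "__main__":
    print(classify(sample_traffic()))
```

On the constructed snapshot all three attacks are flagged while the whole mix amounts to roughly 150 kbit/s inbound, which is why the paper’s point that application-layer attacks need visibility at the connection and request level, not just at the link level, holds: a device that only watches bits per second sees nothing unusual here.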

[Figure: Application-layer attacks. Low-bandwidth malicious requests from several ISPs pass through the router, firewall and IPS alongside regular traffic, because they look like legitimate requests, and slowly exhaust the target applications and services.]

THE GROWING DDoS PROBLEM

In recent years, DDoS attacks have become more sophisticated. The attack vectors hackers
are using within their attacks are more complex. Hackers now use a combination of
volumetric and application-layer DDoS attacks, as they know this increases their chances of
disrupting availability.

Volumetric attacks are also getting larger, with a larger base of either malware-infected
machines or volunteered hosts being used to launch these attacks.

As represented in Figure 4, a survey conducted by Arbor Networks shows that the size of the
largest reported volumetric DDoS attack has grown steadily.2 In 2010, a 100 Gbps attack was
reported, more than double the size of the largest attack in 2009. This staggering figure
illustrates the resources hackers are capable of bringing to bear when attacking a network
or service.

2 Arbor Networks, Worldwide Infrastructure Security Report, Volume VI


[Figure 4: DDoS attacks by Gbps². Largest reported attack size per year, 2005 to 2010, on a 0 to 100 Gbps scale; the 2010 bar reaches 100 Gbps.]

As organizations face these new challenges, network administrators have to look for a solution
with the sole purpose of deflecting and mitigating these new hacker tactics.

Broader Spread of Attack Motivations and Targets

The emergence of hacktivism has changed the view of DDoS in the security community. Once
viewed primarily as a method for reputational or financial gain, attack motivations have moved
on. While attacks motivated by extortion and the like still exist, DDoS attacks are now also used
as a form of political activism (“hacktivism”) or to demonstrate how insecure networks are. Media
organizations, social networks and governments have been targeted heavily by these types of
DDoS attacks.

Two well-known hacker groups garnering attention are Anonymous and LulzSec. Anonymous
aims to attack organizations it believes are participating in injustices of discouraging Internet
freedom and freedom of speech. LulzSec, on the other hand, has built its reputation on exposing
security flaws in networks and websites.

While LulzSec aims to expose vulnerabilities in networks with no motivation other than
revealing them, there have been other instances where the reasoning behind attacks has been
less clear. According to Kaspersky’s DDoS Attacks in Q2 2011 report, social networks are
targeted because they allow the immediate exchange of information between tens of thousands
of users. In 2011, the Russian blogging community LiveJournal experienced a series of attacks.
The botnet behind the attacks was named Optima. To this day, no one has claimed
responsibility for the attacks.


Volunteer Botnets
Hacktivist groups have shown how easy it is to build a botnet of volunteered, rather than malware-
infected, machines. Hacktivist groups are known for recruiting members through social media
networks, and it appears that only minimal persuasion is required to recruit participants.
Regardless of computer hacking capabilities, anyone can be part of one of these movements. This
alarming trend poses serious problems for the industry, as highly skilled hackers and novice users
now have access to some of the same sophisticated DDoS attack tools.

Increased Impact on Organizations


The growing dependence of businesses on datacenter and cloud services has resulted in a
renewed focus on the security of these services. Once an afterthought, security in the cloud
has moved to the top of the priority list. Businesses should look at security capabilities as one
of the key factors they evaluate when deciding upon a provider of cloud or datacenter services,
as the business impacts of an attack can be significant.

The business cost to an organization of a DDoS attack is multi-faceted. We should consider
everything from the operational costs of dealing with the attack to the potential long-term
revenue impact that might arise from brand damage if an attack is successful. As an example, in
April 2011 a cybercriminal was sentenced in Germany for attempting to blackmail German
bookmakers during the 2010 World Cup. While the ransom demand was not significant, the
bookmakers estimated that within the few hours their sites were down, they lost between
25,000 and 40,000 Euros for large offices and 5,000 to 6,000 Euros for smaller offices. The
punishment in Germany for computer sabotage is now up to 10 years in prison.

Another worrying development is the use of DDoS as a means of distraction. In the case of the
Sony breach, a DDoS attack was allegedly used as a distraction so that other criminal activity,
which resulted in the loss of passwords, usernames and credit card information, could take
place. This potential threat further justifies the need for solutions that mitigate the latest DDoS
attacks and methods.

COMPLEX THREATS NEED A FULL-SPECTRUM SOLUTION

Given the threat complexity and the business impact of DDoS, a full-spectrum solution is
required. A common response by many administrators to the challenges of DDoS is the belief
that their firewall and IPS infrastructure will protect them from attack. Unfortunately, this is
not true. Firewalls and IPS devices, while critical to network protection, are not adequate to
protect against all DDoS attacks.

Integrity and Confidentiality vs. Availability

Many administrators rely on firewalls and Intrusion Prevention Systems whose vendors have
added some capabilities for dealing with DDoS attacks. Firewalls and IPS devices focus on
integrity and confidentiality: they are built for other security problems (enforcing network
policy and blocking intrusion attempts), and those capabilities are not readily extensible to
threats targeting network and service availability, the focus of DDoS attacks. Firewalls and IPS
devices cannot stop widely distributed attacks or attacks using sophisticated application-layer
attack vectors. In fact, many DDoS attacks target the firewall and IPS devices themselves.

Firewalls and IPS can be targeted by DDoS attacks because they are stateful. Stateful devices
track every packet in a connection that comes through a network to look for malicious activity,
and have a set of built-in mechanisms to protect against known threats. Due to the state-
exhausting nature of many DDoS attacks, firewalls and IPS devices can fail during an attack.
For example, sockstress DDoS attacks, which open sockets to fill the connection table, can
overwhelm both firewalls and IPS devices.

Protect Your Business from the DDoS Threat

A complex threat like DDoS requires a layered security solution. First, enterprises must
protect themselves from volumetric and state-exhaustion DDoS attacks, which can saturate
their Internet connectivity, by utilizing the cloud-based protection services offered by some
Internet Service Providers or Managed Security Service Providers. Second, they must have
protection from application-layer DDoS attacks using a perimeter-based solution. Moreover,
a perimeter-based solution empowers enterprises by enabling them to take control of their
response to the DDoS threat.

Cloud-Based DDoS Protection

Enterprises must work with upstream ISPs and MSSPs to have protection from large flood
attacks. Because a large percentage of DDoS attacks remain volumetric or flood attacks,
enterprises should demand clean pipes from their providers.

Perimeter-Based DDoS Protection

Arbor Networks’ Pravail Availability Protection System (APS) has been developed to meet the
DDoS threat, protecting other perimeter-based security devices and infrastructure from the
impact of attacks. With the sole purpose of stopping availability threats, Pravail APS provides the
ability to detect and block application-layer, TCP state-exhaustion and volumetric attacks. Utilizing
a combination of mechanisms, including the real-time ATLAS Intelligence Feed, Pravail can protect
against and resolve the most complicated DDoS attacks. However, as a perimeter solution it cannot
deal with attacks that saturate the Internet connection itself; those require cloud-based protection
upstream of the link, and Pravail APS can request it automatically using Arbor’s Cloud Signaling
protocol, so that the two layers together cover complex, multi-vector threats.
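The hand-off from the perimeter to the cloud described here, and again in the Cloud Signaling section below, can be illustrated with a simulation. The code below is an added example: it is not Arbor’s Cloud Signaling protocol, and the message names, thresholds and timings are invented. It shows the decision the perimeter device has to make (local scrubbing cannot help once the link itself is full), the request/stop exchange with the upstream provider, and two details that matter in practice: hysteresis on the start and stop conditions, and using the upstream’s report of scrubbed traffic in the stop decision.

```python
"""Simulated escalation from a perimeter DDoS device to an upstream provider.

Added example: it is not Arbor's Cloud Signaling protocol and not code from
the paper.  Message names, thresholds and timings are invented to show the
control loop the paper describes.  The perimeter device scrubs what it can,
but once inbound traffic fills the Internet link, filtering behind the link
no longer helps, so it asks the upstream provider to mitigate and later asks
it to stop.  Start and stop use separate thresholds sustained over several
intervals (hysteresis), and the stop decision counts traffic the upstream
reports scrubbing, because after a successful upstream mitigation the local
view alone looks as if the attack had ended.
"""
from dataclasses import dataclass, field


@dataclass
class UpstreamProvider:
    """Stand-in for an ISP/MSSP scrubbing service that honours signals."""
    scrub_efficiency: float = 0.95          # share of attack traffic it drops
    mitigating: bool = False
    log: list = field(default_factory=list)

    def handle(self, msg):
        if msg["type"] == "mitigation_request":
            self.mitigating = True
            reply = {"type": "mitigation_started", "target": msg["target"]}
        elif msg["type"] == "mitigation_stop":
            self.mitigating = False
            reply = {"type": "mitigation_stopped", "target": msg["target"]}
        else:
            reply = {"type": "error", "reason": "unknown message type"}
        self.log.append((msg, reply))
        return reply

    def deliver(self, legit_mbps, attack_mbps):
        """Return (Mbit/s reaching the customer link, Mbit/s scrubbed upstream)."""
        dropped = attack_mbps * self.scrub_efficiency if self.mitigating else 0.0
        return legit_mbps + attack_mbps - dropped, dropped


@dataclass
class PerimeterDevice:
    target: str
    link_mbps: float
    upstream: UpstreamProvider
    start_ratio: float = 0.9     # ask for help when the link is >= 90 % full ...
    stop_ratio: float = 0.5      # ... release it when total attack load is < 50 % ...
    sustain: int = 2             # ... each sustained for this many intervals
    escalated: bool = False
    above: int = 0
    below: int = 0
    events: list = field(default_factory=list)

    def observe(self, interval, inbound_mbps, scrubbed_upstream_mbps=0.0):
        """Feed one measurement interval; returns the signal sent, if any."""
        link_util = inbound_mbps / self.link_mbps
        # What the attacker is still sending: local view plus the upstream's report.
        total_load = (inbound_mbps + scrubbed_upstream_mbps) / self.link_mbps
        self.above = self.above + 1 if link_util >= self.start_ratio else 0
        self.below = self.below + 1 if total_load < self.stop_ratio else 0
        msg = None
        if not self.escalated and self.above >= self.sustain:
            msg = {"type": "mitigation_request", "target": self.target,
                   "observed_mbps": inbound_mbps, "link_mbps": self.link_mbps}
            self.escalated = True
        elif self.escalated and self.below >= self.sustain:
            msg = {"type": "mitigation_stop", "target": self.target}
            self.escalated = False
        if msg is not None:
            reply = self.upstream.handle(msg)
            self.events.append((interval, msg["type"], reply["type"]))
        return msg


# Constructed timeline of (legitimate, attack) Mbit/s sent towards a 1 Gbit/s link:
# two quiet intervals, six intervals of a 1.5 Gbit/s flood, three quiet intervals.
ATTACK_TIMELINE = [(200.0, 0.0)] * 2 + [(200.0, 1500.0)] * 6 + [(200.0, 0.0)] * 3


def run(timeline, link_mbps=1000.0):
    """Replay a timeline; returns the signals exchanged and what the link carried."""
    isp = UpstreamProvider()
    edge = PerimeterDevice("198.51.100.0/24", link_mbps, isp)   # constructed prefix
    carried = []
    for i, (legit, attack) in enumerate(timeline):
        delivered, scrubbed = isp.deliver(legit, attack)
        inbound = min(delivered, link_mbps)      # the link cannot carry more than its capacity
        edge.observe(i, inbound, scrubbed)
        carried.append(round(inbound, 1))
    return edge.events, carried


if __name__ == "__main__":
    for event in run(ATTACK_TIMELINE)[0]:
        print(event)
```

Replaying the constructed timeline, the link is pinned at its 1 Gbit/s capacity for two intervals before the request goes out, the upstream then scrubs the flood down to a fraction the link can carry, and the stop signal is sent only two intervals after the attack traffic really ends. If `observe` were fed only the local view, the scrubbed intervals would look quiet, the device would release the mitigation while the flood was still running and the two sides would flap between request and stop.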

Out-of-the-Box Protection
In many cases, the deployment of a new security device necessitates tuning and a lengthy
integration process. Pravail APS has been developed to give administrators the ability to install
the product and immediately stop attacks with minimal configuration. Although protection
for common DoS/DDoS attack types is automated, manual configuration options are available
for advanced users. The ATLAS Intelligence Feed (AIF) also provides the device with information
on emerging attack vectors so that they can be dealt with automatically. Pravail APS provides
real-time reports on attacks, blocked hosts and service traffic, so administrators can better
understand the nature of their traffic and any attacks that target their services.

Advanced DDoS Blocking

Pravail APS meets the challenge administrators increasingly face in dealing with DDoS
attacks. Using a variety of countermeasures, Pravail APS detects and stops DDoS attacks,
especially the application-layer attacks that are difficult to detect from within the cloud.

Botnet Threat Mitigation

Backed by the Arbor security research team, Pravail APS receives updates on new threats
automatically, without software upgrades. This is done through the AIF. These threats can then
be proactively blocked before they impact services.

Cloud Signaling
Pravail APS provides a comprehensive solution to efficiently detect and stop DDoS attacks,
as it enables tight integration between the perimeter and cloud-based services via cloud
signaling. To this end, Arbor has launched the Cloud Signaling Coalition with a long and growing
list of ISPs and MSSPs who stand ready to receive cloud signals from Pravail APS.

THE FINAL WORD

It is clear that DDoS attacks are continuing to increase in both size and complexity. Furthermore,
the motivations behind attacks have broadened to include ideological hacktivism and Internet
vandalism. This has put everyone from social networks to governments at risk of attack. The
number of DDoS attacks continues to increase, and DDoS remains a growing threat.

Administrators need to understand that traditional security devices are not enough to protect a
network or the services it provides. Trying to extend the capabilities of these products to defend
against DDoS attacks has proven to be ineffective. It is important to note that these products
are essential for an organization’s defense, but a product for protection against DDoS attacks,
on-premises and in the cloud, is very different. Enterprises must have the right perimeter-based
product but must also have the right solution in the cloud. The icing on the cake is being able to
unite the perimeter and cloud solutions in a seamless and automated manner.

Silicon Valley: 331 E. Evelyn Ave. Suite 100, Mountain View, CA 94041. Tel 650.475.4500, Fax 650.475.1570
San Antonio: 7550 West Interstate 10, Suite 400, San Antonio, Texas 78229-5616. Tel 210.348.1000, Fax 210.348.1003
London: 4, Grosvenor Gardens, London SW1W 0DH, UK. Tel 44 (0)20 7730 3438, Fax 44 (0)20 7730 3343

877.GoFrost • [email protected]
http://www.frost.com

ABOUT FROST & SULLIVAN

Frost & Sullivan, the Growth Partnership Company, partners with clients to accelerate their growth. The company’s
TEAM Research, Growth Consulting, and Growth Team Membership™ empower clients to create a growth-focused
culture that generates, evaluates, and implements effective growth strategies. Frost & Sullivan employs over 50 years of
experience in partnering with Global 1000 companies, emerging businesses, and the investment community from more
than 40 offices on six continents. For more information about Frost & Sullivan’s Growth Partnership Services, visit
http://www.frost.com.

For information regarding permission, write:


Frost & Sullivan
331 E. Evelyn Ave. Suite 100
Mountain View, CA 94041

Offices: Auckland, Bangkok, Beijing, Bengaluru, Bogotá, Buenos Aires, Cape Town, Chennai, Colombo, Delhi / NCR, Dhaka, Dubai, Frankfurt, Hong Kong, Istanbul, Jakarta, Kolkata, Kuala Lumpur, London, Mexico City, Milan, Moscow, Mumbai, Manhattan, Oxford, Paris, Rockville Centre, San Antonio, São Paulo, Seoul, Shanghai, Silicon Valley, Singapore, Sophia Antipolis, Sydney, Taipei, Tel Aviv, Tokyo, Toronto, Warsaw, Washington, DC
ARBOR INSIGHT

Security Begins With Availability and Existing Security Devices Are No Longer Sufficient

The Bottom Line

Firewalls and IPS devices do not solve the DDoS problem because they:

1. Are optimized for other security problems
2. Cannot detect or stop distributed attacks
3. Cannot integrate with in-cloud security solutions

Because they are stateful, they are part of the DDoS problem and not the solution.

In recent months, high-profile attacks and outages have brought to light the fact that existing
security devices are not sufficient to protect enterprise data centers from Distributed Denial of
Service (DDoS) attacks. While Intrusion Prevention Systems (IPS) and firewalls are an important
part of a defense strategy, they lack a vital capability: these solutions do not protect the
availability of services. Additionally, these products are themselves often the target of DDoS
attacks.

Data center operators are starting to understand that availability of services begins with
security. If your data center is not available, network integrity and confidentiality will get you
nowhere, because they will not help your customers, business or brand. This article will examine
why IPS devices and firewalls are insufficient to protect data center availability, and will
describe a best practice for combating DDoS threats to the availability of services and
applications.

IPS and Firewalls Can’t Do It Alone

IPS devices, firewalls and other security products are essential elements of a layered-defense
strategy, but they are designed to solve security problems that are fundamentally different
from those addressed by dedicated DDoS detection and mitigation products. They effectively
address network integrity and confidentiality, but they fail to address the fundamental focal
point of DDoS attacks: network availability. Adding to the threat, IPS devices and firewalls
maintain state information for every session established between a client on the Internet and
the corresponding server in the data center, which means they are vulnerable to state-exhaustion
DDoS attacks and often become targets themselves, serving as chokepoints.

When it comes to protection against DDoS, many enterprises and data center operators have a
false sense of security. They think they have secured their key services against attacks simply
by deploying IPS devices or firewalls in front of their servers. In reality, such deployments can
actually expose these organizations to service outages, with a direct impact on customer
satisfaction and therefore revenue. Typical users of data center and cloud services expect
on-demand services. When business-critical services are not available, enterprises and data
center operators can lose millions of dollars and potentially damage important customer and
partner relationships. Availability of services is critical and can pose a major barrier to cloud
adoption.
The Attack Landscape

Attackers see high-profile applications in shared Cloud Data Centers as an attractive
target for criminal activity. According to the enterprises that participated in the 2010
Worldwide Infrastructure Security Report, DDoS was cited as the primary threat to the
data center and as one of the biggest obstacles to moving to a cloud-based infrastructure.
In 2010, for the first time, volumetric DDoS attacks topped the 100 Gbps barrier
and an alarming 77% of respondents detected application layer attacks. Nearly 49
percent of respondents reported a firewall or IPS outage due to a DDoS attack.

Application-layer attacks are low bandwidth, difficult to detect and target both end
customers and network operators’ own ancillary supporting services, such as HTTP
Web services and domain name system (DNS). DNS has become a favorite attack
target and vector. Nearly one-third of the report respondents have experienced
customer-impacting DDoS attacks on their DNS infrastructure over the course of a
year from 2009–2010. Due to the relative lack of attention to DNS protection and
scalability by many network operators, DNS has emerged as one of the easiest ways
to take a server, application or data center down via DDoS.

Hackers favor cloud infrastructures because a small number of service providers are
responsible for delivering, distributing and hosting a large amount of content, which lets a
single attack cause collateral damage. If attackers target one of these providers, or any tenant
operating on that provider’s shared infrastructure, they can damage or degrade service for any
number of consumers using the same infrastructure. When one domain is attacked, the hundreds
of thousands of domains sharing the infrastructure can go offline or experience connectivity
issues. The damage is not isolated to a partitioned area: attack one target and a million
domains can be affected. The ripple effect is staggering.

On-Premises Threat Mitigation to the Rescue

Visibility into DDoS botnets is an absolute necessity, especially when they are
constantly changing and morphing to thwart detection. An on-premises availability
protection system (APS) offers an ideal solution by enabling a layered defense
strategy, which includes upstream ISPs and firewalls, to combat both volumetric
and application-layer DDoS attacks.

An on-premises DDoS device can block advanced attacks, such as application-layer
DDoS attacks, using packet-based threat detection and multiple countermeasures.
These detect and stop application-layer DDoS attacks that are difficult to detect in
the cloud. The on-premises DDoS device needs to provide visibility into critical IP
services and applications running in the data center, such as HTTP, DNS, VoIP/SIP
and SMTP traffic. With that visibility, the data center can be protected from numerous
types of attack, including TCP State Exhaustion, HTTP/Web Attacks, DNS
Floods/Authentication Attacks, TCP SYN Floods, Spoofed/Non-Spoofed Attacks,
UDP Floods and dozens more.
The Signs of Intelligence

A strong premises-based APS will provide immediate protection with zero downtime
for the data center and its services and applications. It also cannot have any lag time
between detection and protection for botnet threats. But it should not be burdensome
or cost-prohibitive either, and should not require in-house expertise or full-time
operators to realize all of its benefits.

It’s important for today’s cloud-based data center to implement a multi-layered security
solution that can simultaneously protect its network infrastructure, IP-based services
and data, as all of these are vulnerable to attack or compromise. This multi-layered
protection is the only way to safeguard the data center infrastructure, the applications and
services, and finally the data that drives the business, the brand and the revenue.

Corporate Headquarters
76 Blanchard Road
Burlington, MA 01803 USA
Toll Free USA +1 866 212 7267
T +1 781 362 4300

Europe
T +44 207 127 8147

Asia Pacific
T +65 6299 0695

www.arbornetworks.com

© 2013 Arbor Networks, Inc. All rights reserved. Arbor Networks, the Arbor Networks logo, Peakflow, ArbOS, How Networks Grow, Pravail, Arbor Optima, Cloud Signaling, ATLAS and Arbor Networks. Smart. Available. Secure. are all trademarks of Arbor Networks, Inc. All other brands may be the trademarks of their respective owners. AI/SECURITYBEGINS/EN/0213
ARBOR INSIGHT

Quantifying the Risk of a DDoS Attack

Key Considerations

To help IT security managers set budget priorities by determining the risk and business
consequences of DDoS attacks:

• Operations
• Help Desk
• Recovery
• Lost Worker Output
• Lost Business
• Lost Customers
• Penalties
• Lost Future Business
• Brand and Reputation Damage

Let’s begin with a simple question that more than likely has a very complicated answer.
How much would it cost you as an organization if your systems went down due to a
distributed denial of service (DDoS) attack? If you are completely shut off from your
customers for 30 minutes, an hour, a day, or even a week, what is the overall impact to
your business? If you know the answer to this already, you are either extremely prepared
or are one of the thousands of risk managers who lose sleep over this every night, or both.
DDoS attacks on data center operations and services have become both highly
sophisticated and easy to perpetrate. As a result, enterprises, hosting providers and
cloud service providers are experiencing DDoS attacks on their data centers more
frequently and with more severe business consequences than ever before. As the
name implies, a DDoS attack is an attack on service availability. The goal is to
prevent the data center from functioning, whether that is transacting ecommerce;
delivering email, voice, or DNS services; providing Web access; or offering other
business-critical services.

Because the goal of an attacker is to create maximum disruption, attacks are more
likely to occur at the worst possible times for your business. For example, online
retailers are especially vulnerable during the holiday season and on “cyber Monday”
in particular. I’m sure everyone reading this can imagine their own personal worst case
scenarios as well. If you are in the financial services sector it could be at the opening
of the market during earnings season or if you are in the technology sector, it could
be on the day of a major product launch and so forth.

The point is that no matter what market you are in, your business stands to suffer
a significant financial loss if you are the victim of a DDoS attack. How big an impact
depends largely on how well prepared you are to deal with these attacks.

Unfortunately, the number of DDoS attacks is trending upwards and repeated
attacks causing outages greater than 12 hours are not uncommon. Therefore
security managers should take into account the risk and financial impact of
annual outage time of 24 hours or more when planning for security budgets.

Let’s explore some of the key considerations that will help IT security managers set
budget priorities by determining the risk and business consequences of DDoS attacks
on their operations.

• Operations: What is the number of IT personnel that will be tied up addressing the attack and what is the hourly cost of that?

• Help Desk: If systems are shut down, how many more help desk calls will you receive and what is the cost per call?

• Recovery: How much manual work will be required to re-enter transactions?

• Lost Worker Output: What is the level of employee output lost to downtime and the costs associated with that?

• Lost Business: How much business will you lose for every hour you are down?

• Lost Customers: How many existing customers will defect to the competition? What is the lifetime value of these customers?

• Penalties: How much will it cost you in terms of service level agreement (SLA) credits or other penalties?

• Lost Future Business: How much will your ability to attract new customers be affected? What is the full value of that lost business?

• Brand and Reputation Damage: What is the cost to the company in terms of brand value?

So after evaluating these key considerations, what would the financial impact of a
DDoS attack be on your organization? As guidance, Ponemon surveyed 16 different
industry segments with 41 business managers reporting on the costs that their
operations had incurred due to unplanned data center outages, both full and partial.
Business losses as a percentage of total cost ranged from 63 to 99 percent with a
mean of 86 percent. The cost of data center downtime is a function of data center size
and business type. Hourly cost of downtime per 1000 square feet ranged from $8,500 to $201,000, with a mean of $46,000. The large fluctuation in downtime cost is mainly due to business type. Companies reliant upon data centers to conduct business, such as financial services companies, incur the greatest losses.

Unfortunately, the number of DDoS attacks is trending upwards and repeated attacks causing outages greater than 12 hours are not uncommon. Therefore security managers should take into account the risk and financial impact of annual outage time of 24 hours or more when planning for security budgets. As the key considerations outlined in this article have highlighted, for most enterprises, replacing highly uncertain and risky cost outcomes with the predictable, lower cost of DDoS threat mitigation and attack protection is sound practice from a security perspective as well as a financial perspective.

Corporate Headquarters
76 Blanchard Road
Burlington, MA 01803 USA
Toll Free USA +1 866 212 7267
T +1 781 362 4300

Europe
T +44 207 127 8147

Asia Pacific
T +65 6299 0695

© 2013 Arbor Networks, Inc. All rights reserved. Arbor Networks, the Arbor Networks logo, Peakflow, ArbOS, How Networks Grow, Pravail, Arbor Optima, Cloud Signaling, ATLAS and Arbor Networks. Smart. Available. Secure. are all trademarks of Arbor Networks, Inc. All other brands may be the trademarks of their respective owners.
www.arbornetworks.com AI/QUANTIFYRISH/EN/ 0213
ARBOR INSIGHT

DDoS Mitigation Best Practices
Protect Against DDoS Threats

1. Know your network: Understand the types and volumes of traffic on your network.
2. Know who to call: If you are under attack, knowing who to call is very important.
3. Know what to do: Develop an internal incident handling process.
4. Know how to do it: Regularly test your incident handling process.
5. Know what to block: Get visibility of the traffic on your network to help identify the ports, protocols and repeat users.
6. Know where to block it: If you need to restrict access should you use your firewalls?

Organizations are becoming increasingly aware of the threat that Distributed Denial of Service (DDoS) attacks can pose to the availability of any on-line services which they offer. Now, if an organization offers on-line services to customers, employees or business partners then they are open to attack. And, unfortunately the chances of being attacked have never been higher.

So, what are these DDoS attacks? A DoS attack is simply an attempt by an attacker to exhaust the resources available to a network, application or service so that genuine users cannot gain access. The majority of attacks that we see today are what we call Distributed DoS (DDoS) attacks—these are just DoS attacks launched from multiple different hosts simultaneously; and, in the case of a botnet, we could be talking about 10s, 100s or even 1,000s of machines.

DDoS attacks vary significantly, and there are thousands of different ways an attack can be carried out (attack vectors), but an attack vector will generally fall into one of three broad categories:

• Volumetric Attacks: Attempt to consume the bandwidth either within the target network/service, or between the target network/service and the rest of the Internet. These attacks are simply about causing congestion.

• TCP State-Exhaustion Attacks: These attempt to consume the connection state tables which are present in many infrastructure components such as load-balancers, firewalls and the application servers themselves. Even high capacity devices capable of maintaining state on millions of connections can be taken down by these attacks.

• Application Layer Attacks: These target some aspect of an application or service at Layer-7. These are the most deadly kind of attacks as they can be very effective with as few as one attacking machine generating a low traffic rate (this makes these attacks very difficult to pro-actively detect and mitigate). These attacks have come to prevalence over the past three or four years and simple application layer flood attacks (HTTP GET flood etc.) have been one of the most common DDoS attacks seen in the wild.
Within these categories the actual attack vectors being used are evolving continuously. We have seen a dramatic acceleration of innovation on the part of the hacker community, with new and more complex attack tools being produced. And, it appears that no one is safe from attack.

Over the past year we have seen the types and sizes of organizations being targeted broaden substantially. It is not just financial institutions and gaming sites which are being targeted; we have seen government departments hit, e-commerce sites and even pizza delivery companies being targeted. Why this change? Well, there are a number of reasons:

Firstly, attack tools are easy to find and download from the Internet. Anyone can download them and anyone can use them—and they do. The availability and awareness of attack tools has really made DDoS attacks accessible to any person, organization or state who is looking for a way to impact another internet user. And, we should not assume that attacks generated by individuals will only be effective against other individuals; some of the attack vectors incorporated in the readily available attack tools are stealthy and complex, and can be effective against commercial systems with just a single attack source—if the system is not configured/protected appropriately. More of a concern though is what happens when many people download the same tool and direct it towards a common target. In this case we effectively have a 'volunteer' botnet and more significant volumes of traffic can be generated, impacting larger and better protected targets.

Secondly, botnets offering DDoS services are easy to hire. There may be a recession in many parts of the world, but the botnet economy continues to flourish. It is easy to hire a botnet to carry out a DDoS campaign on your behalf. Numerous sites offer this 'service', it is easy to pay and the rates are very reasonable—$5 per hour, $40 per day. This has led to DDoS being used as a competitive 'weapon' between rival businesses.

Thirdly, attack motivations have shifted over the past couple of years. Some attacks are still motivated by extortion and blackmail, business competition and purely gaining an advantage in a virtual gaming world—but—ideological hacktivism and internet vandalism have come to the fore as motivations. In the 2011 Arbor Worldwide Infrastructure Security Report, ideological hacktivism and internet vandalism were voted the number one and two motivations behind the attacks monitored by the network operators who responded to the survey on which the report is based. This shift in motivations has led to a much broader range of organizations being targeted by groups such as Anonymous.

So, what should we be doing to protect ourselves from the DDoS threat? Well, there
are a number of things that we can all do to reduce our threat surface and minimise
the impact of any attack, without using specialised solutions:

• Know your network: Understand the types and volumes of traffic on your network, in detail. Know where traffic comes in, where it goes out, what it is etc., and understand how much there should be for a given time of day and day of week. If we can have this level of visibility of our traffic at layers 3, 4 and 7 then we can pro-actively identify changes from the norm which might indicate an attack, or reconnaissance activity prior to an attack. If we know something is happening, or about to happen, we can then alter our security posture appropriately.

• Know who to call: If you are under attack, or feel an attack might be about to com-
mence, knowing who to call is very important (but is often overlooked). It is imperative
that we know ‘who’ within our organizations, our service providers and our managed
security partners is there to help us and ‘how’ we should contact them. If we do not
have this information to hand, or the information we have is out-dated, our ability to
respond has already been compromised.

• Know what to do: Develop an internal incident handling process, and insist on a documented process for interactions with any managed security service partners. Having an incident handling process provides an important structure for dealing with an incident, when stress levels can be high. Incident handling processes can allow incidents to be dealt with more quickly and can prevent people from taking 'risks' with security to try and solve an immediate problem (we have all seen the news stories about DDoS being used as a smoke screen for data exfiltration).

• Know how to do it: Ensure that your staff practice using the incident handling
process and that all of the tools at your disposal operate effectively and efficiently.
Just having an incident handling process isn’t enough—it must be regularly tested
and proven to work.

• Know what to block: If you operate on-line services, restrict access to those
services to only the protocols and ports which are required. If you have a large
number of repeat users/important customers develop a white-list of their addresses
so that their traffic can be passed during an attack even if everything else must be
dropped. Getting visibility of the traffic on your network (know your network) will
help identify the ports, protocols and repeat users for this.

• Know where to block it: Use the infrastructure you have wisely. If you need to restrict access to an on-line service, or block attack traffic, should you use your firewalls? You can, but many routers and switches support stateless Access Control Lists, implemented in hardware. This makes them ideal for controlling the traffic reaching our servers/enforcing a white-list, and they can even be used to drop the traffic from sources identified as sending attack traffic. Dropping traffic here, rather than on any stateful firewall, reduces our threat surface. Firewalls can exhaust their state tables and some attacks exploit this—routers and switches do not have this issue. Also, leverage your relationships with your service providers. Blocking traffic before it reaches your network perimeter protects your upstream links from becoming saturated during an attack. Some service providers have automated processes whereby customers can have traffic to/from particular sources blocked in this way.
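As an added example (not Arbor's code or configuration), the stateless edge policy that "Know what to block" and "Know where to block it" describe, modelled in Python as a first-match rule list in the order a hardware ACL is evaluated: a white-list of repeat customers, known attack sources, the service's own ports, and an explicit final deny. A weaker rule list beside it only carries statements for TCP/UDP/ICMP and then permits everything else, which is how floods on uncommon IP protocols such as GRE, ESP or protocol 0 slip past it; all addresses, ports and rule names are constructed.

```python
"""Stateless edge ACL modelled as a first-match rule list (added example).

Not Arbor's code. It mirrors how a hardware ACL on a router or switch in
front of the servers is evaluated: top to bottom, first match wins, with an
implicit deny if nothing matches. All addresses are constructed (RFC 5737
documentation ranges).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# IANA IP protocol numbers (well known, not taken from the page)
ICMP, TCP, UDP, GRE, ESP = 1, 6, 17, 47, 50
ANY = None  # wildcard for protocol or source ("ip any")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None  # only set for TCP/UDP


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "permit" or "deny"
    proto: Optional[int] = ANY        # ANY matches every IP protocol
    src: Optional[str] = ANY          # CIDR string, or ANY
    dports: frozenset = frozenset()   # empty set means any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not ANY and pkt.proto != self.proto:
            return False
        if self.src is not ANY and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dports and pkt.dport not in self.dports:
            return False
        return True


def evaluate(acl: list, pkt: Packet) -> tuple:
    """Return (action, rule name) for the first matching rule; implicit deny at the end."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny", "implicit-deny"


# Weak policy: statements only for TCP/UDP/ICMP, then "permit ip any any".
# Floods using GRE, ESP or protocol 0 never hit a deny and sail through.
WEAK_ACL = [
    Rule("deny-telnet", "deny", TCP, dports=frozenset({23})),
    Rule("deny-ssdp", "deny", UDP, dports=frozenset({1900})),
    Rule("permit-icmp", "permit", ICMP),
    Rule("permit-rest", "permit"),
]

# Constructed: repeat customers to keep serving during an attack, and
# sources already identified as sending attack traffic.
REPEAT_CUSTOMERS = ["198.51.100.0/24"]
ATTACK_SOURCES = ["203.0.113.7/32", "203.0.113.99/32"]


def hardened_acl(whitelist, blocked):
    """White-list first, known attack sources next, then only the service's
    own ports, then an explicit deny that also covers uncommon IP protocols.
    Stateless source white-lists can be spoofed, so keep them short."""
    acl = [Rule(f"whitelist-{n}", "permit", src=n) for n in whitelist]
    acl += [Rule(f"blocked-{n}", "deny", src=n) for n in blocked]
    acl += [
        Rule("web", "permit", TCP, dports=frozenset({80, 443})),
        Rule("dns", "permit", UDP, dports=frozenset({53})),
        Rule("deny-everything-else", "deny"),
    ]
    return acl


# Constructed traffic sample: the protected server is 192.0.2.5.
SAMPLE_PACKETS = {
    "customer-https": Packet("198.51.100.10", "192.0.2.5", TCP, 443),
    "stranger-https": Packet("203.0.113.50", "192.0.2.5", TCP, 443),
    "attacker-https": Packet("203.0.113.7", "192.0.2.5", TCP, 443),
    "ssh-probe": Packet("203.0.113.50", "192.0.2.5", TCP, 22),
    "gre-flood": Packet("203.0.113.50", "192.0.2.5", GRE),
    "esp-flood": Packet("203.0.113.50", "192.0.2.5", ESP),
    "proto0-flood": Packet("203.0.113.50", "192.0.2.5", 0),
}


def compare(packets=None):
    """Map each sample packet to (weak verdict, hardened verdict)."""
    packets = packets or SAMPLE_PACKETS
    hardened = hardened_acl(REPEAT_CUSTOMERS, ATTACK_SOURCES)
    return {name: (evaluate(WEAK_ACL, p)[0], evaluate(hardened, p)[0])
            for name, p in packets.items()}


if __name__ == "__main__":
    for name, (weak, hard) in compare().items():
        print(f"{name:15s} weak={weak:6s} hardened={hard}")
```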

All of the above can help us to minimise the impact of a DDoS attack, but they only provide partial protection from the threat. If our online services are important then services and solutions are available which can effectively deal with DDoS attacks. These specialised solutions and services are based around products known as Intelligent DDoS Mitigation Systems (IDMS).

IDMS can be deployed at the perimeter of an organization's network, where they can react proactively to even the most stealthy attack vector. Or, they can be deployed within the cloud (service provider) where they can deal with higher magnitude attacks which could saturate an organization's internet connectivity. The best services and solutions offer an integrated 'hybrid' approach comprising both elements working closely together, to completely protect an organization's on-line presence.

www.arbornetworks.com AI/DDoSMITIGATION/EN/0213
ARBOR INSIGHT

Cloud Computing: Ensuring Availability for One and All
Best Practices

• Maintain up-to-date communications plans
• Participate in online mitigation communities
• Implement scalable architectures
• Implement real-time detection, classification and traceback capabilities
• Deploy a source-based remotely triggered blackholing (S/RTBH) capability
• Avoid deploying firewalls and IDS/IPS in front of Internet-facing servers
• Deploy intelligent DDoS mitigation systems
• Employ infrastructure ACLs
• Filter irrelevant Internet protocols at network edges via ACLs
• Deploy additional network infrastructure best practices
• Make network infrastructure devices accessible only via designated management hosts
• Configure public-facing servers in a hardened manner
• Provide additional defensive capabilities with Apache modules

With cloud computing's paradigm of shared infrastructure, DDoS attacks on a specific target can quickly affect many or all tenants. In this Arbor Insight, we explain why availability should be the top priority for cloud operators, and outline best current practices for preventing and mitigating attacks.

The growing popularity of the cloud computing model has been accompanied by a great deal of discussion, and some concrete action, regarding security concerns related to the use of computing, storage, networking and services infrastructure which, by definition, is shared among multiple end customers. While the classic siloed, single-tenant server model quite often involves the use of shared networking and ancillary services infrastructure, such as DNS, bringing together the application logic and proprietary data of multiple organizations on the same computing/networking/storage substrate has highlighted these concerns, and brought them to the forefront for many IT professionals and executives worldwide.

Distributed denial of service (DDoS) attacks are launched with the intent of negatively impacting the availability of the targeted applications, data or services. While DDoS attacks launched against classic siloed systems often cause collateral damage due to their impact on shared resources—such as network infrastructure, DNS, etc.—the inherent and explicit multi-tenancy of cloud computing environments means that an attack against one tenant/customer is an attack against all end customers making use of the same shared infrastructure.

Best practices for ensuring availability

Ensuring availability in the face of DDoS attacks can be challenging. Fortunately, there is a large body of best current practices for maintaining availability which have been developed by the Internet operational community and successfully deployed by many service providers and data center operators with a good track record of maintaining availability. By properly assessing the risk to availability posed by the cloud computing model, operators and end users of cloud services can work to minimize their risks and maximize their security postures.
For more information about cloud-based DDoS protection services, visit the Arbor Web site.

All organizations should implement the following as part of their organic cloud computing architectures and/or ensure their cloud providers have done so:

• Maintain up-to-date communications plans, including contacts for peers and upstream providers so established operational security teams can react quickly and effectively to DDoS attacks.

• Participate in online mitigation communities to increase the effectiveness of coordinated responses to attacks.

• Implement strong, scalable architectures that minimize state- and capacity-bound chokepoints, which can otherwise be exploited by attackers, leading to DDoS attacks that cripple public-facing properties.

• Implement real-time detection, classification and traceback capabilities to identify DDoS attacks, understand what is happening and take appropriate defensive measures. Flow telemetry such as Cisco NetFlow, Juniper cflowd and sFlow should be enabled at all network edges, and exported into a collection/analysis system such as Arbor Peakflow SP.

• Deploy a source-based remotely triggered blackholing (S/RTBH) capability which leverages existing network infrastructure in defending against simple packet-flooding attacks from a relatively small number of sources. S/RTBH leverages BGP as a control-plane mechanism to instantaneously signal edge devices to start dropping attack traffic at the edges of the network, based on the purported source IP addresses of the attack-related packets.

• Avoid deploying firewalls and IDS/IPS in front of Internet-facing servers. Even the largest devices are DDoS chokepoints; they degrade the operational security posture of the network and applications by making them more vulnerable to DDoS than the servers alone otherwise would be. Instead, policy should be enforced by stateless ACLs in hardware-based routers and switches, which are capable of handling millions of packets per second.

• Deploy intelligent DDoS mitigation systems, such as the Arbor Peakflow SP Threat Management System (TMS), in topologically appropriate cleaning centers to block attacking traffic on a more granular level, including sophisticated application-layer attacks and spoofed attacks.

• Employ infrastructure ACLs (iACLs) at the relevant network edges (peering/transit, customer aggregation edge, etc.) to protect the network infrastructure itself. For traffic that is destined for Internet-facing servers, use additional service-specific sections to restrict the traffic to ports and protocols associated with the services and applications on those servers.

• Filter irrelevant Internet protocols at network edges via ACLs. There are 254 valid Internet protocols. Packet-flooding attacks based on protocol 0, ESP, GRE and other relatively uncommon protocols can be used by attackers to bypass ACLs that only contain policy statements relating to common protocols such as TCP, UDP and ICMP.

• Deploy additional network infrastructure best practices such as control- and management-plane self-protection mechanisms (rACL, CoPP, GTSM, MD5 keying, etc.).

• Make network infrastructure devices accessible only via designated management hosts. During attacks, a dedicated, out-of-band (OOB) management network allows devices to be managed irrespective of conditions on the production network and ensures continuing visibility into attack traffic.

• Configure public-facing servers in a hardened manner, with unnecessary services disabled, service-specific configuration hardening, IP stack tuning and other relevant mechanisms.

• For Web servers, Apache modules such as mod_security and mod_evasive provide additional defensive capabilities.
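As an added example (not Arbor's code, and not Peakflow SP), the "know your network" practice from the DDoS mitigation article and the "real-time detection, classification and traceback" practice from the list above, carried out in Python over constructed flow records of the shape NetFlow or sFlow exports: a byte baseline per weekday and hour, a deviation check against it, and attribution of the excess to protocol/port and to the top source addresses, whose count is what makes S/RTBH at the edge a viable response. Thresholds, addresses and traffic volumes are constructed.

```python
"""Baseline-and-deviation detection over flow telemetry (added example).

Not Arbor's code and not Peakflow. Flow records are constructed in the
shape a NetFlow/sFlow collector exports (time, src, dst, proto, dport,
packets, octets). A byte-volume baseline per (weekday, hour) is learned
from history, an hour is flagged when it exceeds mean + k*stdev, and the
excess is attributed to (proto, dport) and to the top sources, which is
what decides between edge ACLs or S/RTBH (few sources) and upstream help.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    proto: int   # IANA protocol number: 6 = TCP, 17 = UDP
    dport: int
    packets: int
    octets: int


def bucket(ts):
    """Day-of-week and time-of-day bucket, as the text recommends."""
    return ts.weekday(), ts.hour


def build_baseline(history):
    """bucket -> (mean, stdev) of total octets per hour, over the history."""
    per_hour = defaultdict(lambda: defaultdict(int))  # bucket -> date -> octets
    for f in history:
        per_hour[bucket(f.ts)][f.ts.date()] += f.octets
    return {b: (mean(d.values()), pstdev(d.values())) for b, d in per_hour.items()}


def analyse_window(window, baseline, k=3.0, top_n=3, few_sources_share=0.8):
    """Compare one hour of flows with its baseline bucket and attribute any excess."""
    if not window:
        return None
    b = bucket(window[0].ts)
    total = sum(f.octets for f in window)
    mu, sigma = baseline.get(b, (0.0, 0.0))
    threshold = mu + k * sigma
    by_vector, by_src = defaultdict(int), defaultdict(int)
    for f in window:
        by_vector[(f.proto, f.dport)] += f.octets   # classification: which service/protocol
        by_src[f.src] += f.octets                    # traceback: who is sending it
    vectors = sorted(by_vector.items(), key=lambda kv: kv[1], reverse=True)
    sources = sorted(by_src.items(), key=lambda kv: kv[1], reverse=True)
    top_share = sum(v for _, v in sources[:top_n]) / max(total, 1)
    anomalous = total > threshold
    if not anomalous:
        advice = "within baseline"
    elif top_share >= few_sources_share:
        advice = "few sources: candidate for edge ACL or S/RTBH"
    else:
        advice = "many sources: engage upstream provider or IDMS"
    return {"bucket": b, "total_octets": total, "threshold": threshold,
            "anomalous": anomalous, "top_vector": vectors[0][0],
            "top_sources": [s for s, _ in sources[:top_n]], "advice": advice}


SERVER = "198.51.100.5"  # constructed (RFC 5737 documentation range)


def constructed_history(weeks=4, start=datetime(2013, 1, 7)):
    """Four weeks of constructed hourly flows with a diurnal shape and small jitter."""
    flows = []
    for day in range(7 * weeks):
        for hour in range(24):
            ts = start + timedelta(days=day, hours=hour)
            base = 2_000_000 + (8_000_000 if 8 <= hour < 18 else 0) + (day % 3) * 100_000
            flows.append(Flow(ts, "192.0.2.10", SERVER, 6, 443, base // 1200, base * 3 // 4))
            flows.append(Flow(ts, "192.0.2.11", SERVER, 17, 53, base // 800, base // 4))
    return flows


def constructed_window(flood: bool, ts=datetime(2013, 2, 4, 14)):
    """A Monday 14:00 hour: normal traffic, optionally plus a UDP/53 flood from two sources."""
    flows = [Flow(ts, "192.0.2.10", SERVER, 6, 443, 6_000, 7_500_000),
             Flow(ts, "192.0.2.11", SERVER, 17, 53, 3_000, 2_500_000)]
    if flood:
        for src in ("203.0.113.7", "203.0.113.9"):
            flows.append(Flow(ts, src, SERVER, 17, 53, 25_000_000, 30_000_000))
    return flows


if __name__ == "__main__":
    baseline = build_baseline(constructed_history())
    for flood in (False, True):
        print(analyse_window(constructed_window(flood), baseline))
```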

Maintaining availability in the face of DDoS attacks can be challenging, but as the
above list of best common practices demonstrates, it is neither impossible nor out
of the reach of organizations of any size. By ensuring that availability is given the
appropriate emphasis, organizations can ensure that stakeholders are able to properly
assess the risks associated with the cloud computing model and successfully mitigate
those risks in order to reap the benefits of cloud computing while ensuring continuity
of operations.

www.arbornetworks.com AI/CLOUDCOMPUTING/EN/ 0113
ARBOR INSIGHT

Five Tips to Securing Your Data Center

1. Protect data centers from threats that cannot be stopped by other security devices
2. Secure the availability of the most important asset: the data center services
3. Protect the data center infrastructure and connectivity as well as customer services and data
4. Provide much needed visibility at the data center edge and inside data centers
5. Detect emerging threats by looking beyond the borders of the data center

Since the dawn of the computing age, hackers and network security professionals have been in a constant tug of war between advancements and innovation, success and failure.

Today, numerous surveys of IT decision makers cite the issue of security and availability as the major impediment to the adoption of cloud computing. After a string of high-profile attacks against financial services companies and online retailers, Internet data centers are increasingly the targets of hackers and cybercriminals who view them as vulnerable to new and different kinds of attacks. Not surprisingly, Internet data center operators, public and private, must now reassess their defenses against the primary threat to availability—distributed denial of service attacks (DDoS).

Attacks are moving from volumetric-based—where they try to simply overwhelm the connection with data—to more sophisticated, application-layer attacks that target specific services and are not high-bandwidth, making them difficult to identify. The new application-layer DDoS attacks threaten a myriad of services from Web commerce to DNS and from email to online banking.

1. Protect data centers from threats that cannot be stopped by other security devices

Data center operators have a tendency to deploy firewalls and Intrusion Prevention Systems (IPS) in front of data center assets. While key elements of an overall security strategy, firewalls and IPS devices are not effective solutions against DDoS attacks. Because these devices constantly maintain state information for every session established between a client on the Internet and the corresponding server in the data center, these products themselves are commonly targets of DDoS attacks. According to Arbor's 2010 Worldwide Infrastructure Security Report, a solid majority of those who have deployed these devices within their data centers experienced stateful firewall and/or IPS failure as a direct result of DDoS attacks during the survey period. Recently, NSS Labs released its Network Firewall Comparative Group Test Report, which found two major issues. One is stability where three out of six firewall products failed to remain operational when subjected to stability tests. The second issue is that external hackers were able to trick firewalls into allowing them inside the firewall of a trusted client. The conclusion can be drawn that firewalls and IPS are not effective solutions against threats such as DDoS attacks.
Arbor's security researchers are frequently sought out by the media for their insight and analysis of network security issues. See more Arbor Insight articles at www.arbornetworks.com/news-and-events

2. Secure the availability of the most important asset: the data center services

Availability should be considered first and foremost because all other aspects do not matter if the services are not available. If users cannot access the services offered or hosted, then all other security concerns such as integrity and confidentiality are simply not relevant. Service providers must consider threats against availability such as DDoS as they design their security policies, and on the flip side, companies must consider threats against availability as they evaluate cloud providers.

When Internet-facing services are down due to attacks against availability, the impact can have severe business consequences. Only a few minutes of downtime can be very costly. Moreover, it can tarnish the brand, lower employee productivity, and even result in penalties or Service Level Agreement credits.

3. Protect the data center infrastructure and connectivity as well as customer services and data

Beyond protecting critical services from threats, data center operators must be aware of threats against the infrastructure and the pipes into and out of their data centers. A large-scale DDoS attack against the infrastructure can initially be stopped on-premise in the data center, but as the attack grows in volume, the data center operator must partner with upstream Internet Service Providers (ISPs) or Managed Security Service Providers (MSSPs) to stop the large-scale attack.

Data center operators must have established procedures to communicate with bandwidth suppliers. Leveraging technologies to streamline communications between the data center edge and the upstream providers is also critical. However, needing to figure out an ad-hoc plan can be very daunting—especially during an attack.

4. Provide much needed visibility at the data center edge and inside data centers

Good security requires good visibility. Data center operators must invest in visibility and operational tools so they can gain the situational awareness to effectively address threats. From utilizing SIEMs to leveraging NetFlow technologies, data center operators should understand where threats are coming from externally, as well as what traffic is inside the data center. This visibility can help assure data is not being accessed or removed from your data center by unauthorized persons. It can also detect threats against availability before customers are affected.

5. Detect emerging threats by looking beyond the borders of the data center

Because the threat landscape is continually evolving, operators need a 360 degree view to detect emerging trends and stop new threats. For example, Arbor Networks' ATLAS initiative is a collaborative effort with 100+ ISPs who have agreed to share anonymous traffic data on an hourly basis, and who have deployed honeypots across the globe. The global insight can be used to detect emerging trends and threats, resulting in policies that can be incorporated into data center security products to stop emerging threats and prevent attacks. Operators must be able to see beyond the walls of the data center in order to secure it.

www.arbornetworks.com EI/5TIPS/EN/0113
ARBOR INSIGHT

Increasing Security Throughout the Network: Five Questions to Ask Your MSSP

1. How does your MSSP differentiate between legitimate traffic and malicious traffic?
2. In the event of a successful attack, what provisions are included in the security level agreement (SLA)?
3. What equipment does the MSSP utilize for both monitoring and blocking malicious traffic?
4. How does the MSSP protect the data-center cloud environment?
5. How does the MSSP protect your unique network environment?

Attacks to the network can come at any time from any place—disrupting business continuity, compromising critical business assets, and affecting reputation and profitability. Network security professionals know that staying ahead of today's threats requires a defense-in-depth approach where security is built into the fabric of the network.

Most large enterprises rely on managed security service providers (MSSPs) for additional levels of security and specialization. However, in the end, tackling the destructive and disruptive effects of an attack is the responsibility of the organization, not the MSSP.

To better ensure security throughout your organization, consider asking your MSSP the following questions.

1. How does your MSSP differentiate between legitimate traffic and malicious traffic?

With Arbor's Pravail® Availability Protection System (Pravail APS) in the network, enterprises gain the visibility to monitor and manage traffic destined to and from critical resources. As a result, they can block attacks appearing as legitimate traffic.

2. In the event of a successful attack, what provisions are included in the security level agreement (SLA)?

Most SLAs with MSSPs provide explicit coverage up to a specific level of bandwidth protection. However, the MSSP may not be able to keep up with an extremely high-volume DDoS attack. Determine what reimbursement is provided if the MSSP is not able to protect your internal network (e.g., the monthly contractual service fee).

With Pravail APS in the network, enterprises can help block high-volume attacks that threaten business continuity.
ARBOR INSIGHT

With Pravail on their networks, Arbor customers know they are receiving
industry-leading visibility and large-scale attack protection.

3. What equipment does the MSSP By asking a few pointed, educated


utilize for both monitoring and questions, your organization can
blocking malicious traffic? achieve a true partnership with
Ensure that your MSSP is using the your MSSP through an honest and
“latest and greatest” products so that open discourse. And with Arbor’s
advanced attacks are not only identified, Pravail Network Security Intelligence
but also blocked. In some cases, MSSPs (Pravail NSI) solution deployed on
may be using different product vendors your internal network, you gain a more
for each of these functional aspects comprehensive solution that strengthens
of service. that partnership. You and your MSSP
can work in concert to deliver a holistic
defense-in-depth security strategy that
4. How does the MSSP protect the enables both visibility and mitigation
data-center cloud environment? of malicious traffic—helping to protect
With Pravail APS deployed in cloud business continuity, critical business
environments, Arbor’s unique Cloud assets, reputation and profitability. This
Signaling™ technology provides robust partnership helps both your enterprise
protection for this shared environment. and your MSSP to achieve their security
and organizational goals.
5. How does the MSSP protect your
unique network environment?
Most MSSPs utilize the same
monitoring and blocking model for all
customers. But because each network
is unique, each has protection require-
ments that may not be met by the
MSSP model. With Pravail APS in the
fabric of the network, enterprises can
customize the protection to better meet
the needs of each unique environment
and network architecture.

Corporate Headquarters
76 Blanchard Road
Burlington, MA 01803 USA
Toll Free USA +1 866 212 7267
T +1 781 362 4300

Europe
T +44 207 127 8147

Asia Pacific
T +65 6299 0695

www.arbornetworks.com

© 2013 Arbor Networks, Inc. All rights reserved. Arbor Networks, the Arbor Networks logo, Peakflow, ArbOS, How Networks Grow, Pravail, Arbor Optima, Cloud Signaling, ATLAS and Arbor Networks. Smart. Available. Secure. are all trademarks of Arbor Networks, Inc. All other brands may be the trademarks of their respective owners.
AI/5QUESTIONS/EN/0313
INTERVIEW TRANSCRIPT

DDoS:
Evolving Threats, Solutions
Carlos Morales of Arbor Networks Offers New Strategies

FEATURING:
• Characteristics of recent attacks;
• Gaps in organizations’ defenses;
• How to best prepare for and respond to DDoS.
Sponsored by

© 2013 Information Security Media Group DDoS: Evolving Threats, Solutions


DDoS attacks on banks have returned, and the attackers are changing their tactics and expanding their attack toolsets. How must organizations change the way they defend against DDoS? Carlos Morales of Arbor Networks shares strategies.
Morales, vice president of global sales engineering and consulting at Arbor Networks,
says the attackers so far have demonstrated great resiliency in their distributed denial
of service attacks.

“They’ve gotten more complex, they’re exploiting holes in the defenses of some of the
financial institutions that have been attacked - they’ve essentially become intelligent,”
Morales says.

So, the challenge is: How do organizations evolve their defensive strategies?

In an interview about evolving DDoS attacks and how to respond, Morales discusses:
• Characteristics of recent attacks;
• Gaps in organizations’ defenses;
• How to best prepare for and respond to DDoS.

Carlos Morales, Vice President of Global Sales Engineering and Consulting, Arbor
Networks

Morales is responsible for all aspects of pre-sales engineering, consulting and sales
operations worldwide. He works closely with Arbor’s customers and strategic
and integration partners to ensure ongoing product interoperability and to set
the direction for new product features. He has more than 15 years of experience
implementing security, routing and access solutions in service provider, cloud and
enterprise networks. Morales’ background includes management positions at Nortel
Networks, where he served as the director of systems engineering for Nortel’s access
products. Formerly, he was systems engineering director for Tiburon Networks and
held systems engineering roles at Shiva Corporation, Crescent Networks and Hayes
Microcomputer.

Characteristics of Recent Attacks

TOM FIELD: I know you’ve watched these attacks closely. What can you tell us? Have the tools that have been used in the attack characteristics changed over time?

CARLOS MORALES: Yes; in fact, more so than we’ve seen with any other attack to date before this. Clearly, the group behind this is well-organized, well-funded and very capable. They’ve been using a base set of tools, which we’ve called the “Brobot,” KamiKaze, and AMOS, based on some aspects of the tools and a text within the tools.

However, those tools have changed significantly over the course of roughly six months that these attacks have been going on. They’ve gotten more complex. They’re exploiting holes in the defenses of some of the financial institutions that are being attacked. They have essentially become intelligent. Traditional botnet-based attacks tend to be a little bit more brute-force to see if they cause damage -- and if not, “oh well.” These attacks have been shown to actually probe for weaknesses on different networks that they’re exploiting and then attacking those based on those weaknesses. We’ve seen multi-vector -- lots of different attacks that combine both volumetric, as well as application attacks -- on different applications simultaneously. We’ve seen a high volume of attacks against simultaneous companies at once, which stresses the infrastructure, and we’ve seen attacks that are far more subtle in affecting SSL-encrypted traffic and other application-layer exploits that they’re able to manipulate and take sites down. Frankly, the attacks have been ever-changing, which is very unusual for one wave of attacks from a particular miscreant.

How to Best Detect Attacks

FIELD: Given those characteristics, how would you say organizations can best detect these attacks, particularly at the application level as you mentioned?

MORALES: That’s a great question. [While] these attacks are becoming more popular over the last couple of years, application-layer attacks have proven that a one-tool-fits-all approach doesn’t necessarily work. Traditional volumetric attacks were easily detected through statistical anomaly-based means in ISP networks and carrier networks, as well as in enterprise networks looking for changes in network behavior and network traffic that were indicative of threats.

That’s not the case for a lot of these application-layer threats. You actually have to look down deeper into the packets themselves and look for patterns that are deviant from not protocol standards, but deviant from a behaviorist standpoint - maybe doing things over and over that they shouldn’t be doing, or maybe taking and exploiting some limitations or some bottlenecks in protocols and applications. You have to actually look at packet-layer data and apply some fairly comprehensive mechanisms to detect the subtle behaviors that are application-layer threats.

Gaps in Perimeter Defenses

FIELD: You get to see lots of different organizations and lots of different defenses. What gaps do you see in how organizations currently defend their perimeters?

MORALES: A lot of the perimeter defenses that most enterprises have put out there, government and others, are really based on technologies that are 10-15 years old. Firewall technologies, even repackaged as next generation, are still firewalls. They’re still policy-based systems that are trying to detect when something deviates from the normal of a spec of a particular application. Something malicious might hide itself in the application and fundamentally change how that works, so therefore it can get through the block by these policy-based systems.

Similarly, IPS equipment that has been deployed for some time is also looking at policy-based threats - deviances that have deviated from the specs of the applications themselves. DDoS is something that actually falls within the spec of the application. For instance, many DDoS attacks are just simply connections for the TCP protocol. That’s normal. It may be web

connections. That’s also normal. That’s in fact desirable for a web server.

However, they’re doing something maybe in a malicious way, like asking for the same thing over and over in a connection to the web server. It’s a normal activity done multiple times, which creates an abnormal strain on the system. You have to have a different set of techniques to detect and mitigate those types of attacks. That’s why the intelligent DDoS mitigation devices were invented, to specifically look for and track those types of behaviors that are maybe normal from an application sense, but abnormal from a behavioral sense.

Strategies, Solutions against DDoS

FIELD: If we’ve learned anything from the past six months, it’s that the DDoS problem is clearly growing in complexity. Given that, what strategies and solutions do you recommend to customers to defend themselves?

MORALES: First of all, it’s two-fold. One is they have to take into account the fact that attacks can be volumetric - very large - as well as complex and application-layer-based. Don’t assume that a single solution that says, “I solve DDoS,” is going to solve the problem. You have to look for solutions that are focused on this problem so they’ll change over time as the problems change, and that the types of attacks change.

You also have to look for an ecosystem. Most networks don’t have infinite capacity to the Internet, which means that eventually somebody can come in and attack them and take more bandwidth than is available to them, taking them down. In that case, you really need to have already relationships and agreements in place with your upstream providers to have them aid with the mitigation of it. Taking into account both an ecosystem approach, having upstream and on-premise mitigation, and choosing vendors in the solutions that are dedicated to that job, as opposed to doing it as an offshoot, are really the best practices in this.

Arbor’s DDoS Detection & Response

FIELD: You’ve worked in a number of organizations. Tell us how Arbor has helped these organizations to improve their DDoS detection and response?

MORALES: Arbor has been doing DDoS basically since it was founded in the year 2000. We’re a pioneer in using NetFlow technology to detect those statistical deviations I mentioned earlier as a means of detecting DOS events on your network. We’ve been at this for a long time and we’re very micro-focused on this as a solution.

Fast-forward to today. Arbor has a portfolio of solutions where we’re the only provider that actually has the entire ecosystem of provider-based cloud solutions and premise-based solutions that can both actively mitigate using similar techniques, our own proven techniques, but also talk amongst each other to create a more cohesive solution and ecosystem. In fact, according to a recent Infonetics report, Arbor owns 61 percent of the global DDoS market. We’re very much a proven player in this space and we have the right solution for different types of organizational needs.

Advice on Preparing for DDoS

FIELD: What advice would you give organizations at risk of DDoS? As you and I both know, any organization can be at risk. How should they assess and bolster their preparedness?

MORALES: Preparedness I think is the key word in that. First of all, there are a lot of industry best practices outside of intelligent DDoS mitigation that you can use to limit the attack surface that’s available on your network. That could be everything from dropping any types of services that you’re not actively running right at your network perimeters using ACLs. It could be hardening and maintaining antivirus and latest version control on your services. There are a lot of things that will hopefully reduce the attack surface to more of,

“Here are the only services that I’m actually actively providing to the Internet.”

Then, choose a solution based on the tenets that I mentioned before, a solution that’s going to be focused and solve your problem not only today, but in the future, and is able to span the full breadth of the different types of DDoS attacks that are out there and be equipped to handle new attacks as they go forward.

Finally, have the experienced people behind it to be able to help you in the time of need, because not only having the right tools is important but having the know-how and having the right people to call is equally important. I encourage doing some research into what solutions are out there and who can provide that solution. I think you’ll find that Arbor is very clearly the right solution for you.

LISTEN TO THE INTERVIEW

http://www.bankinfosecurity.com/interviews/ddos-evolving-threats-solutions-i-1840


About ISMG
Headquartered in Princeton, New Jersey, Information Security Media Group, Corp. (ISMG) is a media company focusing on Information Technology Risk Management for vertical industries. The company provides news, training, education and other related content for risk management professionals in their respective industries.

This information is used by ISMG’s subscribers in a variety of ways—researching for a specific information security compliance issue, learning from their peers in the industry, gaining insights into compliance related regulatory guidance and simply keeping up with the Information Technology Risk Management landscape.

Contact
(800) 944-0401
[email protected]
4 Independence Way • Princeton, NJ • 08540 • www.ismgcorp.com
Arbor Special Report

Top Security Concerns and Threats Facing Today’s Mobile Network Operators
Highlights from Arbor Networks’ 2012 Worldwide Infrastructure Security Report

KEY FINDINGS
34% Suffered a customer-visible outage due to a security incident, a 64% increase over the prior year.
57% Do not know what proportion of subscriber devices on their networks are participating in botnets or other malicious activity.
60% Have no visibility into traffic on their packet cores, resulting in unseen threats that cannot be prevented or contained.
45% Do not know if DDoS attacks are targeting their Internet Gi infrastructure.
28% Observed DDoS attacks targeting their wireless network, while 25% don’t know if such attacks occurred due to a lack of visibility.
16% Reported outbound attack traffic from subscribers, but 25% can’t tell if subscribers are originating DDoS traffic due to a lack of visibility.

The Arbor Networks® eighth annual Worldwide Infrastructure Security Report offers a clear view into today’s network security threats and mitigation techniques. The report is based on survey data from 130 network operators and service providers around the world collected from October 2011 through September 2012. This document summarizes the survey responses of mobile network operators—providing insights into their most critical security challenges.

Mobile Providers Continue to Be Reactive
The roll-out of Long Term Evolution (LTE) services has accelerated, increasing the bandwidth available to mobile subscribers. But there has been limited improvement in visibility and investment in detection/mitigation solutions specific to the mobile network since the last survey. As a result, mobile operators report having limited visibility and taking a reactive stance on subscriber security.

More Outages Due to Security Incidents
Over one-third of mobile operators suffered a customer-visible outage due to a security incident, up from just over 12 percent last year. This is a significant increase and indicates the need for a greater focus on security.

Threats Due to Misbehaving User Applications
Multiple mobile operators reported significant outages or performance issues caused by non-malicious, but misbehaving, user applications. The majority of these operators took a reactionary stance toward detection and mitigation, with over 30 percent indicating that they had to perform a reactive analysis of the problem.

Lack of Visibility into Subscriber Devices
Over 57 percent of mobile operators do not know what proportion of subscriber devices on their networks are compromised and participating in botnets or other malicious activities—indicating poor visibility in this regard. Many mobile devices are now as powerful as some laptop computers, with dual-core CPUs, gigabytes of memory and high-speed wireless interfaces. The malware problem in the mobile space is quite real, and large-scale malware activity—with thousands of active participants—could have a devastating impact on the resources of a wireless infrastructure.

Low Visibility into Traffic on Mobile/Evolved Packet Cores
Sixty percent of mobile operators lack visibility into the traffic on their mobile/evolved packet cores (see Figure 1). The risk to these operators is clear: unseen threats cannot be prevented or contained. Of those who have visibility into traffic on their mobile packet core, the majority use counters and statistics available directly from the mobile infrastructure itself, while one-third use vendor-supplied probe-based monitoring solutions. The remainder use third-party probes or a flow-monitoring device (such as Peakflow® SP) to visualize traffic.

Figure 1: Visibility of Traffic on Mobile/Evolved Packet Core (percentage of survey respondents): 60% No; 33% User/Data Plane; 27% Control Plane. Source: Arbor Networks, Inc.

ABOUT ARBOR NETWORKS
Arbor Networks is a leading provider of network security and management solutions for enterprise and service provider networks. Our proven solutions help grow and protect our customers’ networks, businesses and brands.

Arbor’s unparalleled, privileged relationships with worldwide service and hosting providers provide unequaled perspective on Internet security and traffic trends via ATLAS®, a unique collaborative effort with 250+ network operators across the globe sharing 35 Tbps of traffic information that informs numerous business decisions.

Developed annually, Arbor’s Worldwide Infrastructure Security Report offers a rare view into the evolving global threat landscape based on a series of surveys completed by network operators from around the world.

To access the complete report, please visit: www.arbornetworks.com/report

Inbound DDoS Attacks Targeting Mobile Networks
Approximately 28 percent of respondents have seen DDoS attacks targeting their mobile users, RAN, back-haul or packet core—a small increase over last year—while nearly half have not seen any attacks. Roughly one quarter don’t know if these attacks are occurring due to a lack of visibility. For those seeing attacks, attack frequency was consistent at between one and 10 events per month, with firewalls and user handsets being the most commonly targeted devices.

Mobile Malware
Only 16 percent of mobile operators reported outbound attack traffic from subscribers. However, more than 25 percent don’t know whether their subscribers are originating DDoS traffic due to a lack of visibility. As the number of mobile devices, along with the sophistication and power of these devices, continues to increase year over year, it is only a matter of time before botnets and DDoS become more prevalent within mobile infrastructure.

DDoS Attacks on Internet Gi Infrastructure
Only 10 percent of respondents have seen DDoS attacks impacting their mobile Internet (Gi) infrastructure. However, this low number may be partially explained by the fact that 45 percent don’t know if they are being targeted or not—potentially demonstrating a lack of monitoring and threat detection capability.

Security Measures to Protect Against Availability Threats
Mobile operators utilize a wide variety of tools and techniques to protect their infrastructures against availability threats. This year, there was a 19 percent increase in the use of intelligent DDoS mitigation systems (IDMS), up from 37 percent to 44 percent. There was a corresponding decrease in the proportion of respondents using the security features in their data and signaling gateways, down from 42 percent last year to almost 19 percent. iACLs and NAT/PAT technology are the most common protective measures, despite their limitations.

Summary
Given the speed of evolution in mobile technologies and our increased dependence on mobile networks, mobile operators are having to upgrade their infrastructures to maintain competitiveness. At the same time, they should implement threat detection and monitoring solutions to protect themselves and their customers.

SR/MOBILEHIGHLIGHTSWISR/EN/0213
Arbor Special Report

Real-World Insights into Global Security Threats Facing Enterprise Networks
Enterprise Highlights from Arbor Networks’ 2012 Worldwide Infrastructure Security Report

KEY FINDINGS
50% Experienced DDoS attacks against their infrastructure.
25% Encountered DDoS attacks against customer- and partner-facing services.
88% Use firewalls or IPS for threat detection and 75% rely on these devices for DDoS attack mitigation, despite their drawbacks.
50% Believe their C-level executives are unaware of the threat DDoS attacks pose to Internet service availability.
50% Make DDoS part of their business risk management process for Internet service availability.

The Arbor Networks® eighth annual Worldwide Infrastructure Security Report offers a clear view into today’s network security threats and mitigation techniques. The report is based on survey data from 130 enterprise network operators and service providers around the world collected from October 2011 through September 2012. This document summarizes the survey responses of enterprise network operators—providing insights into their most critical security challenges.

Past DDoS Attacks and Future Concerns
Half of all enterprise respondents have experienced distributed denial of service (DDoS) attacks against their infrastructure during the 12-month survey period, and one-quarter encountered DDoS attacks against customer- and partner-facing services (Figure 1). Top concerns about threats in the next 12 months are DDoS attacks, data exfiltration and under-capacity for Internet bandwidth.

Figure 1: DDoS Attacks in the Last Year (percentage of survey respondents): 50% DDoS attacks towards your infrastructure (routers, firewalls, load balancers); 38% Botted or otherwise compromised hosts on your corporate network; 25% DDoS attacks toward any externally accessible services used by customers/partners; 25% Malicious insider; 13% DDoS attacks towards your service infrastructure (mail, DNS, IRC); 13% Advanced Persistent Threat (APT) on corporate network; 13% Under-capacity for Internet bandwidth (due to DDoS or other specific event). Source: Arbor Networks, Inc.

Tools Used to Detect Threats


While many enterprise respondents use SNMP-based tools, flow analyzers and in-house
developed tools for DDoS protection, the vast majority (88 percent) rely on firewalls and
IDS devices for this purpose. This is most concerning because firewalls and IDS/IPS
devices are not designed to protect against DDoS attacks as these technologies are
located in line and actually are a potential bottleneck. In fact, their reliance on maintaining
session state makes them vulnerable to state exhaustion attacks that might escape
IDS and IPS DDoS protections. Combined with their inline deployment, this can cause
network outage or service issues.
Awareness of the DDoS Threat in the Enterprise
Only 38 percent of enterprise respondents saw an increased awareness of the DDoS threat in their organization, while half believe their C-level executives are not aware of the threat DDoS attacks pose to Internet service availability. This may indicate that the business impact of DDoS attacks has not yet been fully appreciated within some organizations, despite the continued mainstream press coverage of such attacks.

Enterprise Risk Management and DDoS
On a more encouraging note, 50 percent of enterprise respondents confirmed that DDoS protection is part of their business risk management process for Internet service availability. This is in addition to traditional concerns such as fire protection, power stability and physical access.

Traditional Tools and Services Used for DDoS Mitigation
Enterprise organizations have historically relied on their ISPs or perimeter devices (such as firewalls and IPS) to address their DDoS attacks—or a combination of both. And while these approaches should be a part of your layered security protection, they might not be effective against the broader set of DDoS attacks. First, ISPs can—and often do—identify and block large volume traffic attacks, providing the enterprise with a “clean pipe” of traffic going into the data center. The challenge with relying solely on this for DDoS is that low and slow attacks aimed at the organization’s application layer could be missed. Further, it can take the ISP up to an hour to begin mitigation, which can have devastating effects for an enterprise that relies on its web applications for revenue.

With firewalls and IDS/IPS, DDoS attacks aimed at the application layer can be designed to overwhelm the session state of these devices. Due to their inline deployment, overwhelming session state can take these devices offline, rendering the network unavailable.
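The detection gap described in the two paragraphs above, shown with an added Python example (constructed here; it is not code from Arbor or from the report): a baseline-deviation detector on bytes per second, the statistical-anomaly style the report credits ISPs with, catches a volumetric flood but not a low-and-slow phase whose byte volume stays normal, while a model of a stateful inline device's session table shows that same low-and-slow traffic exhausting it. The addresses, phase lengths, byte sizes and the 500-entry table capacity are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One flow-style record: a source talking to the protected server in a given second.

    `held` marks a session still open at the end of that second (no FIN/RST seen), so it
    keeps occupying a slot in the session table of any stateful inline device in the path.
    """
    second: int
    src: str
    dst: str
    nbytes: int
    held: bool


SERVER = "192.0.2.10"  # constructed target address (RFC 5737 documentation range)


def build_sample_flows():
    """Construct three traffic phases (constructed data, not a real capture):
    seconds 0-59    five legitimate clients, short completed sessions (the baseline);
    second 60       a volumetric flood: 200 sources sending 1500 bytes each, then gone;
    seconds 61-120  low-and-slow: 20 new sources per second each open one tiny session
                    and never close it, while bytes per second stay within the baseline.
    """
    flows = []
    for s in range(121):
        size = 1000 if s % 2 == 0 else 1400          # per-second totals alternate 5000/7000
        for i in range(5):
            flows.append(Flow(s, f"198.51.100.{i}", SERVER, size, held=False))
        if s == 60:
            for i in range(200):
                flows.append(Flow(s, f"203.0.113.{i}", SERVER, 1500, held=False))
        if s > 60:
            for i in range(20):
                flows.append(Flow(s, f"10.8.{s - 61}.{i}", SERVER, 60, held=True))
    return flows


def bytes_per_second(flows):
    totals = defaultdict(int)
    for f in flows:
        totals[f.second] += f.nbytes
    return totals


def volumetric_alerts(flows, baseline_seconds, k=3.0):
    """Statistical-anomaly detection on volume: learn the mean and standard deviation of
    bytes/second over the baseline window and flag later seconds above mean + k * stdev."""
    per_sec = bytes_per_second(flows)
    baseline = [per_sec.get(s, 0) for s in range(baseline_seconds)]
    threshold = mean(baseline) + k * pstdev(baseline)
    return sorted(s for s, b in per_sec.items() if s >= baseline_seconds and b > threshold)


def state_exhaustion_alerts(flows, table_capacity):
    """Model a stateful inline device (firewall/IPS) with a fixed-size session table.
    Held sessions accumulate second after second; return every second in which the
    number of concurrently held sessions exceeds the table capacity."""
    by_second = defaultdict(list)
    for f in flows:
        by_second[f.second].append(f)
    open_sessions = set()
    alerts = []
    for s in sorted(by_second):
        for f in by_second[s]:
            key = (f.src, f.dst)
            if f.held:
                open_sessions.add(key)
            else:
                open_sessions.discard(key)   # completed sessions free their slot
        if len(open_sessions) > table_capacity:
            alerts.append(s)
    return alerts


if __name__ == "__main__":
    flows = build_sample_flows()
    # The flood is the only second the volume detector sees; the slow phase never trips it.
    print("volumetric alerts (seconds):", volumetric_alerts(flows, 60))
    # The slow phase pushes the session table past capacity from second 86 onward.
    print("session table over capacity from second:", state_exhaustion_alerts(flows, 500)[0])
```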

Priorities When Selecting a DDoS Mitigation Service
Enterprise respondents who evaluated DDoS mitigation services found the price of the service and the mitigation capacity to be the two most important factors. Other considerations were evenly split among: SLA for mitigation activation time, access to experienced secure operations center (SOC) personnel, guarantee that redirected traffic stay in the region, service provided by the local ISP, vendor equipment used and brand reputation of the provider.

As this report demonstrates, enterprise organizations are under constant attack from a variety of DDoS-type threats—and it is only expected to get worse throughout the year. In order to effectively address these attacks and protect the network from downtime, organizations need broad, flexible solutions designed specifically to protect availability.

SR/REAL-WORLDWISR/EN/0113
Arbor Special Report

IPv6 Migration: Progress, Strategies and Security Risks
Highlights from Arbor Networks’ 2012 Worldwide Infrastructure Security Report

KEY FINDINGS
80% Have already deployed or plan to deploy IPv6 within the next 12 months.
90% Rely on a dual-stack migration strategy.
50% Lack visibility into IPv6 traffic.
74% Have either partial or full support for IPv6 flow telemetry from their network infrastructure.
42% Anticipate a 20 percent rise in IPv6 traffic growth over the next 12 months, while 25 percent expect more than 100 percent growth.
70% Rank traffic floods or other DDoS attacks as the top IPv6 security threat.

The Arbor Networks® eighth annual Worldwide Infrastructure Security Report offers a clear view into today’s network security threats and mitigation techniques. The report is based on survey data from 130 network operators and service providers around the world collected from October 2011 through September 2012. This document summarizes the survey responses regarding IPv6—providing insight into its accelerating rate of deployment and related security issues.

IPv6 Quickly Becoming Pervasive
IPv6 deployments are accelerating. Nearly 80 percent of respondents have already deployed or plan to deploy IPv6 within the next 12 months. Of those, just under one quarter have completed their deployment of IPv6, with another 54 percent in process. The rest are planning a deployment soon (Figure 1).

Figure 1: IPv6 Deployment Progress: 24% Yes, Deployment Complete; 54% Yes, Deployment in Process; 22% No, but Will Be Deploying Soon. Source: Arbor Networks, Inc.

Top IPv6 Migration Strategy


Over 90 percent of respondents are relying on a dual-stack strategy when migrating to
IPv6. This opens new opportunities for attackers to bypass network controls by switching
between IPv4 and IPv6 networks.

IPv6 Traffic Visibility


The majority of respondents indicated that getting visibility into the IPv6 traffic on their
network is critical. However, only one half of respondents have deployed a visibility
solution for IPv6 traffic.
IPv6 Flow Telemetry Support


Seventy-four percent of respondents have either partial or full support for IPv6 flow
telemetry from their network infrastructure—up from 63 percent last year. Flow telemetry
is very important for scalable, cost-effective threat detection and visibility, so this change
is very positive.

IPv6 Traffic Growth


When considering projected IPv6 traffic growth, 42 percent of respondents anticipate
a 20 percent rise over the next 12 months, while 25 percent expect more than 100
percent growth.

Top IPv6 Security Concerns


This year the top perceived IPv6 security threat is traffic floods or other DDoS attacks,
with 70 percent of respondents concerned about this (Figure 2). Misconfiguration ranked
second, possibly due to longer addressing and relative unfamiliarity with IPv6. Last year’s
top concern—inadequate IPv6/IPv4 feature parity—dropped to the number three position.
This could indicate that infrastructure vendors are now delivering more IPv6/IPv4 feature
parity in their products.

ABOUT ARBOR NETWORKS

Arbor Networks is a leading provider of network security and management solutions for
enterprise and service provider networks. Our proven solutions help grow and protect our
customers’ networks, businesses and brands. Arbor’s unparalleled, privileged relationships
with worldwide service and hosting providers provide unequaled perspective on Internet
security and traffic trends via ATLAS®, a unique collaborative effort with 250+ network
operators across the globe sharing 35 Tbps of traffic information that informs numerous
business decisions.

Developed annually, Arbor’s Worldwide Infrastructure Security Report offers a rare view
into the evolving global threat landscape based on a series of surveys completed by
network operators from around the world.
To access the complete report, please visit: www.arbornetworks.com/report

IPv6 Security Concerns (percent of survey respondents)
70% Traffic Floods/DDoS
62% Misconfiguration
53% Inadequate IPv4/IPv6 Feature Parity
51% Stack Implementation Flaws
51% Visibility, I Cannot See the Data Today
47% Botnets
38% Host Scanning
23% Subscribers Using IPv6 to Bypass Application Rate Limiting
6% Other

Figure 2 Source: Arbor Networks, Inc.

IPv6 Mitigation Capabilities


Access control lists (ACLs) remain the most popular attack mitigation technique for IPv6,
despite their operational and functional limitations. Intelligent DDoS mitigation systems
(IDMS) ranked second, with 63 percent of respondents planning to use IDMS to mitigate
IPv6 attacks—representing a 13 percent rise from last year. The percentage of respondents
who do not intend to mitigate attacks against IPv6 services has fallen drastically
from 20 percent to 8 percent. This is a clear indication that IPv6 services are becoming
more important to Internet operators.

Summary


IPv6 deployments continue, with dual-stack being the most common migration strategy.
Visibility into IPv6 traffic remains important to respondents, with nearly three quarters
having either full or partial support for flow telemetry from their infrastructure. However,
only half of respondents have an IPv6 visibility solution in place.

Corporate Headquarters
76 Blanchard Road, Burlington, MA 01803 USA
Toll Free USA +1 866 212 7267
T +1 781 362 4300
Europe: T +44 207 127 8147
Asia Pacific: T +65 6299 0695
www.arbornetworks.com

© 2013 Arbor Networks, Inc. All rights reserved. Arbor Networks, the Arbor Networks logo,
Peakflow, ArbOS, How Networks Grow, Pravail, Arbor Optima, Cloud Signaling, ATLAS and
Arbor Networks. Smart. Available. Secure. are all trademarks of Arbor Networks, Inc.
All other brands may be the trademarks of their respective owners.
SR/IPv6MIGRATIONWISR/EN/0313
DDoS Prevention Appliances
Biannual Worldwide and Regional Market Share and Forecasts: 2nd Edition

Analysis
December 7, 2012

TABLE OF CONTENTS

TOP TAKEAWAYS: DDOS PREVENTION WILL REACH $272M IN 2012   1

MARKET SIZE AND FORECAST ANALYSIS: DDOS PREVENTION APPLIANCE REVENUE PASSES $70M IN 3Q12   2

LONG-TERM FORECAST: CARRIER TRANSIT MARKET LOSING SHARE TO MOBILE NETWORKS AND DATA CENTERS   3

GEOGRAPHIC ANALYSIS: NORTH AMERICA LEADS, APAC AND CALA GROW MOST   5

MANUFACTURERS AND MARKET SHARE ANALYSIS: ARBOR NETWORKS MAINTAINS LEAD   7

TECHNOLOGY ROADMAP   10

MARKET DRIVERS   11

DDOS RISK PROFILE   12

GOVERNMENT DRIVERS   14

DEMAND-SIDE DATA   15

CATEGORY DEFINITIONS   16

This is a paid service intended for the recipient organization only; reproduction and sharing with third parties is prohibited.

Copyright © 2012 by Infonetics Research, Inc. All rights reserved.

i

LIST OF EXHIBITS

EXHIBIT 1 WORLDWIDE DDOS PREVENTION APPLIANCE QOQ AND YOY COMPARISONS   2

EXHIBIT 2 WORLDWIDE DDOS PREVENTION APPLIANCE REVENUE BY DEPLOYMENT LOCATION   4

EXHIBIT 3 WORLDWIDE DDOS PREVENTION APPLIANCE REVENUE BY CATEGORY   5

EXHIBIT 4 DDOS PREVENTION APPLIANCE REVENUE BY GEOGRAPHIC REGION   6

EXHIBIT 5 DDOS PREVENTION WORLDWIDE QUARTERLY REVENUE MARKET SHARE   8

EXHIBIT 6 DDOS PREVENTION BY CATEGORY WORLDWIDE QUARTERLY REVENUE MARKET SHARE   9

EXHIBIT 7 DDOS PREVENTION TECHNOLOGY ROADMAP   10

EXHIBIT 8 ANATOMY OF A DDOS ATTACK   13


TOP TAKEAWAYS: DDOS PREVENTION WILL REACH $272M IN 2012


Revenue for DDoS prevention appliances is expected to continue to grow over 20% annually for the next
three years, with a volatile mix of drivers continuing to interact, including:
• A never-ending onslaught of threat events, punctuated by the financial services attacks in
September 2012
• Rampant Internet traffic growth
• Growing enterprise demand for DDoS prevention solutions
• Data center consolidation, data center upgrades, and the rollout of cloud infrastructure
• Massive mobile network capacity upgrades
• Deployment of managed DDoS services

Key data points:


• Revenue will reach $271.8M in 2012, up 29% from 2011
• DDoS prevention spending in data centers will pass traditional carrier transport spending in 2012,
and the data center segment maintains a healthy 22% 2011–2016 CAGR.
• The mobile segment shows the most explosive growth (32.7% CAGR from 2011 to 2016) as it
rides the compound wave of a transition to IP and data, massive increases in capacity, and a new
role as a juicy and highly visible target for attacks.
• In 3Q12, North America accounted for 52% of DDoS prevention appliance revenue, followed by
EMEA and Asia Pacific, with 19.2% and 22.6%, respectively, and CALA coming in a distant fourth
at 6.5%, though CALA manages the highest growth from 2011 to 2016 as many carriers look to
deploy their first serious DDoS mitigation solutions.
• For 3Q12 total DDoS prevention appliance revenue, Arbor ranks first with 56.1% (up 1 point from
2Q12), followed by Radware at 8.9%.
• Major security vendors are integrating high-performance DDoS prevention into multifunction
products that will go head to head with mid-range offerings from the dedicated DDoS appliance
vendors; we haven’t seen a material impact of this integration yet, but it contributes to the
decreasing growth we forecast in later years (2015–2016).

Gray shading denotes analysis updated since June 7, 2012


MARKET SIZE AND FORECAST ANALYSIS: DDOS PREVENTION APPLIANCE REVENUE PASSES $70M IN 3Q12

DDoS prevention appliances are the first line of defense for most service providers and large enterprises
around the globe looking to protect themselves from brute-force attacks on network or resource
availability, and with the unprecedented number, size, and coverage of DDoS attacks over the last 24
months, vendors who build DDoS prevention solutions have seen and continue to see a significant
increase in demand.

CY11 revenue was $210.6M, up 43% over CY10, and CY12 revenue is expected to be up another 29%
over CY11; strong growth continues in 2012 as attacks intensify (punctuated by a very deliberate set of
attacks aimed at US financial institutions in September) and the world works to pull itself out of a global
recession; 2012 worldwide revenue will likely be around $272M, which is nearly 30% above 2011.
Looking at the more recent quarterly market performance data, revenue was up 8.9% between 2Q12 and
3Q12 (the market totaled $70.7M in 3Q12), and revenue will grow 31.7%, to $93M by 3Q13. By CY16,
revenue will hit $485.6M, a 2011-2016 CAGR of 18.2%. The table below shows QoQ and YoY
comparisons for units and revenue.

Exhibit 1 Worldwide DDoS Prevention Appliance QoQ and YoY Comparisons

DDoS Prevention Appliance Revenue and Units, with % Change

                 CY10     CY11     2Q12    3Q12    2011 vs 2010   3Q12 vs 2Q12
Revenue ($M)     $147.2   $210.6   $64.9   $70.7   43.0%          8.9%
Units (K)        2.0      2.9      0.9     1.0     47.3%          8.0%

We cover broad market drivers later in this report, but put simply, the key drivers for increased investment
in DDoS prevention solutions include:
• The increasing volume of highly visible attacks, including a mix of politically motivated attacks, state-
sponsored electronic warfare, social activism, organized crime, and good old fashioned pointless mischief
and mayhem, driven by the easy availability of bots/botnets for hire and easily distributed crowd-sourced
attack tools (like LOIC, originally created by Anonymous to attack the Church of Scientology)
• Internet traffic growth, which has driven major carriers to upgrade their backbone infrastructure
to increase capacity, driving a need for increased capacity DDoS prevention solutions
• Enterprise demand for DDoS prevention solutions, either fulfilled by rolling out their own
protection infrastructure, or buying managed services from providers who consume prevention
solutions and build services for the end customer
• Data center consolidation, data center upgrades, and the rollout of the cloud infrastructure that will
underpin the next generation of cloud services; large data centers and cloud providers are highly visible
targets who must protect their own infrastructure and the customers who trust them to host data and
applications


• Mobile network upgrades, which many mobile providers are making to deliver 3G and 4G services
and meet the demand for broadband data for mobile devices, are forcing providers to add new layers
of network protection and increase their overall security processing capacity; backhaul networks
alone are adding orders of magnitude more capacity, driving the need for new DDoS solutions
• Managed DDoS mitigation services; in addition to purchasing DDoS solutions to protect their own
infrastructure, many carriers around the globe are buying DDoS products to build out managed
services for their customers, and specialized hosted DDoS service providers (like Prolexic) are
gaining popularity with enterprise customers looking for DDoS prevention but lacking the expertise or
capital to deploy their own

In the July 2012 edition of this report, our forecast for 3Q12 was $66.2M; 3Q12 actual was $70.7M, which is
6.8% above our forecast. Looking at the long-term forecast, our initial 2016 forecast was $421.6M, which we
have increased by 15.2% to $485.6M. This is only our second edition of this bi-annual report and we continue to
tune our forecast model. We’re not expecting to make significant changes (more than 5%) in the next edition of
the report.

LONG-TERM FORECAST: CARRIER TRANSIT MARKET LOSING SHARE TO MOBILE NETWORKS AND DATA CENTERS

Exhibit 2 shows annual revenue for the DDoS prevention appliance market split by the four deployment
locations we track, as well as the year-over-year growth for the total market (the red line). The DDoS
prevention appliance market will get a great push through 2016, maintaining double-digit annual
increases through our entire forecast.

Though vendors don’t directly report revenue by deployment location, they do provide good guidance,
and we estimate the rest based on discussions with their customers and channel partners. The traditional
carrier transport market (which leading vendor Arbor has dominated for nearly a decade) is currently the
largest market by deployment location, but it has the lowest 2011 to 2016 CAGR (8.6%). The data center
segment (enterprise and carrier, including hosted DDoS service environments) will pass carrier transport
in 2012 though, and maintains a healthy 22% 2011 to 2016 CAGR. Enterprise deployments have grown
particularly well in 2012 for several key vendors (including Arbor, who noted that they sold more of their
enterprise mitigation solution in North America in the first year of its availability than they sold of their
service provider mitigation solution its first year).

The mobile segment shows the most explosive growth (32.7% CAGR from 2011 to 2016) as it rides the
compound wave of a transition to IP and data, massive increases in capacity, and a new role as a juicy
and highly visible target for attacks. Mobile carriers are interested in protecting their networks as well as
understanding what’s flowing across them, driving many to look at a combination of DDoS and
standalone DPI solutions (which we track in our Service Provider Deep Packet Inspection Products
service). Arbor alone announced mobile deployments at SK Telecom, Hunan Mobile, and Star Hub in the
last 6 months.


Exhibit 2 Worldwide DDoS Prevention Appliance Revenue by Deployment Location

[Chart: Revenue (US$M) for CY09 through CY16, split by Data center, Carrier transport, Mobile and Government, with total revenue growth (%) on a secondary axis.]


The next chart shows the same segments as the annual forecast chart above, but expresses the data in
terms of market share by segment. As discussed already, the inflection point between carrier transport
and data center spending is this year, and mobile spending is making the impressive gain, though starting
from a significantly smaller base.

Exhibit 3 Worldwide DDoS Prevention Appliance Revenue by Category

[Chart: Percent of Revenue for CY09 through CY16, by segment: Carrier transport, Data center, Government, Mobile.]

GEOGRAPHIC ANALYSIS: NORTH AMERICA LEADS, APAC AND CALA GROW MOST
In 3Q12, North America accounted for 52% of DDoS prevention appliance revenue, followed by EMEA
and Asia Pacific, with 19.2% and 22.6%, respectively; CALA came in a distant fourth at 6.5%. The next
chart shows the annual data for geographic distribution; the general trend is a gradual decrease (in share)
in North America as other regions increase (as North America is several years ahead of the rest of the
world investing in DDoS prevention solutions). CALA manages the highest 2011 to 2016 CAGR of the
regions covered in the report, sitting at 52.6%. There are significant infrastructure upgrades happening in
the carrier market in CALA, and in many cases carriers are investing in their first serious DDoS mitigation
solutions, driving the strong growth we see in that region.


The largest vendor in this market (Arbor) is based in the US, but there are regional vendors serving
enterprises and service providers in their home regions primarily, including GenieNRM in APAC and
Andrisoft and Radware in EMEA. Though these vendors are significantly smaller than Arbor and some of
the other North American vendors, we expect long-standing relationships and the desire to acquire
security solutions in-region (particularly in APAC) could drive stronger growth for these vendors over the
next 2 years.

Exhibit 4 DDoS Prevention Appliance Revenue by Geographic Region

[Chart: Percent of Revenue for CY09 through CY16, by region: North America, EMEA, APAC, CALA.]


MANUFACTURERS AND MARKET SHARE ANALYSIS: ARBOR NETWORKS MAINTAINS LEAD

For 3Q12 total DDoS prevention appliance revenue, Arbor ranks first with 56.1% (up 1 point from 2Q12),
followed by Radware at 8.9% and Narus at 7.1%, respectively; GenieNRM and Andrisoft round out fourth
and fifth with 3.1% and 0.3%, respectively. There are other major vendors in this space whose share we
aren’t reporting yet, including Cloudshield, Intruguard, RioRey, and Corero (formerly Top Layer); as this
service continues we expect to be able to break out revenue for those vendors as well. That said, Arbor is
the clear leader in this market, and has maintained dominant market share for years; though as we’ll see
in the discussion of market share by deployment location, there are openings for share change.

The overall performance of this market and the vendors in it will be challenged by the widening availability
of hosted/SaaS solutions (though providers who offer them have to acquire mitigation technology to run
their services), and the introduction of new integrated platforms that include DDoS prevention as a
feature. Arbor and Alcatel Lucent announced a combined offering in January 2012 that couples ALU
routers and a specialized DDoS mitigation blade from Arbor, and though Arbor will recognize revenue for
this service, it’s unclear how the availability of an integrated product affects the long-term growth potential
for their standalone products. Another vendor, F5, launched a specialized data center firewall product
based on their BigIP traffic management platform, and DDoS prevention is one of the cornerstone
features of this product.

We expect other major security vendors to build and offer data center specialized security platforms that
will integrate high-performance DDoS prevention, and these products will likely go head to head with mid-
range offerings from the dedicated DDoS appliance vendors. We haven’t seen a material impact of these
integration trends on the standalone DDoS prevention market yet, but parallel markets (particularly
standalone IPS and standalone web/mail security, markets that are both plateauing right now) form the
basis for the decreasing growth we forecast in the later years (2015/2016).

The percentage of units and revenue currently tracked in the "other" category is roughly 25%, primarily
because we’re not yet breaking out share for the vendors listed above (all private companies).


Exhibit 5 DDoS Prevention Worldwide Quarterly Revenue Market Share

[Chart: Percent of Revenue for 1Q11 through 3Q12, by vendor: Arbor, Narus, Radware, GenieNRM, Andrisoft.]


The table below shows the top three vendors in each of the deployment location segments we track in
this report. Arbor leads overall, but their lead is less dominant once we look beyond the carrier transport
sub-market. They have significant share in data center as well, and addressed a product hole with the
release of their Pravail APS solution, but several other vendors (including Intruguard and RioRey, not
shown in this table) have a strong focus on data center and good share position in that segment. Arbor
has not focused on government business, and even with their dominant lead in the market overall, they
don’t come up as the leader for government spending on DDoS prevention solutions in 3Q12. They’re
focusing on higher-growth opportunities like mobile and data center, and though that seems like a good
call overall, government customers tend to be loyal, and government contracts last a long time.

Exhibit 6 DDoS Prevention by Category, Worldwide Quarterly Revenue Market Share

Worldwide DDoS Prevention Appliance Revenue Market Share (%)

Segment / Vendor                        4Q11    1Q12    2Q12    3Q12    CY10    CY11
Carrier transport and wired broadband
  Arbor                                 74.2%   72.9%   68.4%   70.6%   72.1%   76.6%
  Radware                               6.0%    6.2%    9.3%    8.0%    7.7%    5.4%
  GenieNRM                              2.8%    3.0%    3.3%    3.1%    2.8%    2.7%
Enterprise and carrier data centers
  Arbor                                 59.4%   59.1%   55.1%   57.1%   53.5%   60.6%
  Radware                               4.5%    4.5%    6.1%    5.8%    7.1%    4.5%
  GenieNRM                              1.1%    1.1%    1.1%    1.2%    1.3%    1.2%
Government networks
  Arbor                                 20.1%   15.1%   19.1%   13.7%   14.4%   18.3%
  Narus                                 0.0%    0.0%    0.0%    0.0%    0.0%    0.0%
  Radware                               14.5%   15.0%   21.6%   18.1%   21.7%   15.2%
Mobile networks
  Arbor                                 50.6%   50.9%   51.2%   48.2%   29.8%   47.2%
  Narus                                 3.9%    3.5%    3.0%    3.4%    6.4%    4.1%
  Radware                               11.0%   10.1%   14.4%   12.7%   20.2%   11.5%


TECHNOLOGY ROADMAP

Exhibit 7 DDoS Prevention Technology Roadmap

Timeline periods: Up to 2001 | 2002-2008 | 2009-2012 | 2013 and Beyond

• Up to 2001: First major public attack hits Yahoo! in 2000; specialist products emerge in
2000/2001
• 2002-2008: Specialist providers continue developing platforms; Arbor grabs majority of
SP/transport market; news of major attacks slows and there's little interest in development of
new standalone solutions
• 2009-2012: The busiest period in history for DDoS attacks; availability of easy-to-use tools,
and politically, socially, and financially motivated attacks bring DDoS to the forefront
• Consolidation of data centers, buildout of cloud infrastructure, and rapid expansion of mobile
networks drive the need for DDoS solutions for those environments; new vendors enter the
market with solutions targeting more than the traditional transport network business
• Network/security product manufacturers embed DDoS into firewalls/IPS/routers
• Prolexic Technologies is founded in 2003; develops a hosted DDoS solution for online
gambling sites; builds out hosted solution offering to make DDoS prevention available to
customers of all sizes
• Capacity requirements force carriers to buy dedicated solutions, but down-market demand
drives hosted services, integrated solutions, and low-end/virtual appliances


MARKET DRIVERS
The state of the global economy factors into all of our forecasts, and our take on the overall health of the
economy and its impact on enterprise and service provider spending can be found in Fundamental Telecom-
Datacom Market Drivers, a PDF available in Infonetics Research's service portal section for this report.

Without a doubt, the number-one driver for the DDoS prevention market is the attacks themselves. Most
major vendors operate threat labs and publish regular reports on threats, and the threat landscape is
getting bigger, more complex, and scarier at an alarming rate. From the September ’12 US bank attacks
to the Iranian elections, Wikileaks, and the Anonymous army attacking anything with a whirring fan, DDoS
attacks have been big news for the last two years. The rise of botnets and easy-to-use tools (like LOIC)
for launching attacks means that there are more DDoS attacks pushing greater volumes of traffic, initiated
by a wider variety of attackers than ever before. There is no indication that the pace of innovation in the
creation of attacks and the ingenuity that drives the distribution of those threats will ever slow down, and
so prevention solutions need to continue to evolve as well.

Many service providers worldwide are financially healthy despite a harsh global economy, and are
building out networks to support massive increases in data and IP traffic. New network buildouts drive the
need for new security investment, and demand in data centers and mobile backhaul networks in particular
is driving significant spending in new high-end security solutions for a wide variety of protection
mechanisms, including DDoS prevention. Service providers have the largest infrastructure to protect, and
directly touch the end customers, and as a result service provider networks see most of the DDoS attack
traffic, and providers represent the bulk of the spending on DDoS prevention products.


The move toward cloud-based solutions and SaaS in the security market, which gained mainstream
attention with Google's acquisition of Postini in 2007, has already been a key driver for the deployment of
DDoS appliances. Many small, medium, and even large enterprises, and many small to medium service
providers (particularly hosting providers) don’t have the money or resources to build their own DDoS
prevention infrastructure. In 2003, Prolexic Technologies was founded with the aim of providing cloud-
based DDoS protection for the online gaming market (one of the favorite targets of DDoS attacks at the
time), and has since evolved into a full-service hosted DDoS service provider selling to enterprises and
service providers alike. While on the surface, solutions like the one Prolexic offers would appear to cut in
to the market for appliances, the truth is that hosted solutions are always built on underlying technology
that is often built and sold by the vendors tracked in this service.

DDOS RISK PROFILE


There are three basic types of issues that form the risk profile that most enterprises and service providers use
to determine when (and how much) to invest in a given security solution. The ability of a solution to
address these risks is the primary determining factor in the financial success and long-term viability of the
commercial market for that solution. The three categories of risk are:
• Loss of data is the first risk category; typical data-loss prevention solutions range from data
encryption to intrusion prevention and access control. For an organization to invest in security to
prevent loss of data, they must have valuable data to protect, and they must understand the
monetary value of that data; as a result, investing in security to prevent data loss is a priority for a
subset of all organizations around the world.
• The second risk category includes regulatory or compliance repercussions for not protecting
electronic assets; in the absence of regulations or compliance, many companies may not choose
to invest in security solutions for their valuable data; many vertical markets are affected by
regulations (such as healthcare and finance), and there are other regulations that impact broader
groups of organizations (PCI, SOX, or GLBA in the US). Even non-regulated industries can face
compliance issues that impact security spending, as many companies are required to
demonstrate a certain level of security for business licensing or insurance purposes; regardless,
the threat of repercussions for not being compliant drives many organizations around the globe to
invest in network security.
• The final risk category is the negative impact of availability/downtime problems; in our 2007
study The Costs of Network Security Attacks: North America 2007 we found that organizations
lose an average of 0.5% to 2.5% of annual revenue due to security-related downtime. When
online retailers go down, they lose revenue; when trading systems are attacked and traders
cannot trade, they lose revenue. Businesses that have their websites defaced or forced out of
commission can suffer intangible damage associated with brand and image. This risk is
horizontal, as companies of all type and size are plagued by downtime associated with security
attacks regardless of the value of their data or regulatory or compliance requirements.


DDoS prevention is only peripherally involved in protecting against loss of data, and as for
regulatory/compliance requirements, in cases where availability is mandated as part of the regulation,
then a DDoS solution can be deployed, but where DDoS really matters is loss due to downtime/lack of
availability. DDoS attacks are, by name, an attempt to deny a service; that can be any number of
services, denied for any purpose an attacker can dream up. The diagram below shows the basic structure
of a DDoS attack.

Exhibit 8 Anatomy of a DDoS Attack

DDoS attacks are simple: flood a resource with traffic until that resource overloads and becomes non-
functional. Some attacks require vulnerabilities in the end system, while others simply require brute force.
The availability of rental botnets and simple tools has made it simple for anyone to launch an attack, and
the scale of the attacks is growing rapidly. Most of the technical innovation in DDoS prevention is around
meeting the ever-increasing performance requirements driven by large attacks.


In November 2011, Prolexic released information on an attack that they mitigated, saying that the attack
targeted an e-commerce platform of a customer in Asia, and they estimated the attack was launched by
250,000 bots, which were making 15,000 connections per second and swamping the platform with 45G of
traffic. Arbor has gone on the record to state that they observed an attack in 2010 that peaked at over
100G in traffic. In their 2011 Infrastructure Security report, Arbor (who has a great view of DDoS attack
data and co-operation from most large carriers) reported a few very telling findings:
• Hacktivism and vandalism were the most common DDoS attack motivators in 2011
• 10G attacks are fairly normal, and the largest attack noted during the survey period was 60G
(down from 100G in the previous year); the peak went down a little, but the average attack got
larger
• Attacks at the application layer are becoming more common, and more attacks use multiple
vectors
• IPv6 attacks have been seen in the wild
• Most application layer DDoS attacks still target HTTP and DNS
• Nearly half of the service providers they surveyed said that stateful firewalls and/or IPS products
have failed as a direct result of a DDoS attack

Though transport networks have been the core customers for DDoS prevention solutions in the past,
large data centers and the new massive mobile data infrastructure being built around the globe will be
clear targets as well, and will require solutions with incredible performance capabilities.

GOVERNMENT DRIVERS
Government transport networks and data centers are a relatively small but key segment of the DDoS
prevention market, and many politically motivated attacks have been, and will continue to be aimed at
government resources. As such, we look at overall government spending in security in the US and abroad
as a way to track potential spending for DDoS prevention solutions.

The Cybersecurity Act of 2012 (CSA2012) was defeated in the US Senate in August of 2012, and though
the lack of government mandated security controls in the private sector has ramifications for the security
product and service industry, the bill is likely to be retooled (with some changes to privacy stipulations)
and re-introduced. Regardless of the status of CSA2012, the US federal government has a huge impact
on security spending, and it appears that a tense election environment dampened what is typically a
massive spending quarter (3Q is fiscal year-end for the government), with many vendors reporting lower-
than-expected government revenue in 3Q12.


Looking at the 2012 US federal budget, the Homeland Security Department wants $936M in 2012, down
slightly from the $1.07B requested in 2011. The total federal security budget is hard to get a handle on,
because it comes from many funding sources and is included in many initiatives. Other key departments,
like the DOD, are increasing spending on security even as they look to decrease overall spending (with
$3.4B being funneled through the Air Force to strengthen the US Cyber Command). This trend mirrors
behavior in many IT shops around the globe. The 2013 budget includes a request for new money
for cybersecurity research, with the expectation that a significant portion of the $140M R&D budget will be
earmarked for security research.

The US government has been hard at work updating cyberspace security policies, and made a critical
symbolic statement: in July of 2011, the US Defense Department stated that cyberspace would be added
as a fourth “operational domain” for the US military (the other three operational domains are air, land, and
sea), and that the military will train special forces and add new technology to defend the United States
from cyber attacks. Along with all the mainstream coverage of threat events, this broad statement from
the military elevates the visibility of threat issues and helps ensure that the military, government, and
private institutions will continue to make significant investments in security technology.

In addition to spending their own money, the federal government is pushing to have civilian agencies,
such as the Department of Agriculture, follow new regulations based on practices at the Department of
Defense and Central Intelligence Agency. They laid out the requirements in a document called
“Recommended Security Controls for Federal Information Systems,” and highlights include:
• Civilian agencies will be required to segment information assets into 3 main risk categories (low,
moderate, and high) and follow procedures to protect them
• Agencies are asked to endorse a preference for vendor products tested under Common Criteria
guidelines
• Shareware and freeware would be prohibited in many cases, as would the use of instant
messaging on public networks or remote access via dial-up
• Agencies deemed to have moderate-risk information assets might have to buy new products,
such as security gear to prevent denial-of-service attacks

DEMAND-SIDE DATA
We verify our supply-side forecasts with our demand-side research, and work closely with vendors,
service providers, chip and component manufacturers, and the channel to gather and validate actual data
and market trends. This gives us a thorough, accurate picture of the market. We collected the following
demand-side data over the last 12–18 months, which rounds out our VPN and firewall revenue and
shipment data collection.


In Data Center Security Strategies and Vendor Leadership: North American Enterprise Survey, our March
2012 survey of 101 medium and large organizations in North America that operate their own data centers,
we found that:
• 60% are driven to deploy new security solutions by the need to upgrade to high speed network
interfaces on their security appliances to match the upgrades that have happened in their
switching infrastructure; 57% are driven by the need for security solutions with aggregate
performance that matches their data center network performance.
• Though there has been significant discussion of DDoS attacks aimed at just about everyone (with
data centers bearing the brunt), protection against new DDoS attacks isn’t high on the list of
drivers for buying new solutions, though it’s very likely that the increasing throughput and
sustained nature of many current DDoS attacks is forcing performance upgrades to existing
DDoS protection systems.
• Nearly half of respondents indicate they already have a need for 40G ports on security gear now,
and 47% say they’ll need 100G interfaces by 2014.
• Respondents expect to increase spending on data center solutions 58% on average from 2011 to
2012.
• Cisco, Symantec, and McAfee all have strong brand awareness among data center buyers.

CATEGORY DEFINITIONS
Below are the definitions for the equipment included in this service. Please also see Methodology in the
market size/share/forecasts Excel file, located in the service portal section for this report.

DDoS appliances: Appliance platforms purpose built for detecting and stopping denial of service attacks
of all types
Deployment definitions
• Enterprise and carrier data centers: DDoS appliances deployed to protect private enterprise
data centers, managed DDoS service environments, carrier data centers, and IDC/cloud
environments
• Carrier transport and wired broadband: DDoS appliances deployed to protect wired carrier
transport and broadband networks
• Mobile networks: DDoS appliances deployed within mobile networks to protect against a
wide variety of attacks on mobile networks and supporting infrastructure, including all mobile
infrastructure devices, DNS servers, web portal and SMTP servers, Diameter servers, GTP
tunnels, and SMS gateways
• Government networks: DDoS appliances deployed in government transport networks and
data centers (including state and federal)


Analyst Contact

Jeff Wilson
Principal Analyst, Security
408-583-3337
[email protected]

Arbor Application Brief

Handling Mobile Network Threats with Arbor Solutions
About Arbor Networks
Arbor Networks, Inc. is a leading provider of network
security and management solutions for enterprise and
service provider networks, including the vast majority
of the world’s Internet service providers and many of the
largest enterprise networks in use today. Arbor’s proven
network security and management solutions help grow
and protect customer networks, businesses and brands.
Through its unparalleled, privileged relationships with
worldwide service providers and global network operators,
Arbor provides unequalled insight into and perspective on
Internet security and traffic trends via the ATLAS® Active
Threat Level Analysis System. Representing a unique
collaborative effort with 250+ network operators across
the globe, ATLAS enables the sharing of real-time security,
traffic and routing information that informs numerous
business decisions.
Arbor Application Brief: Handling Mobile Network Threats with Arbor Solutions

Table of Contents
Today’s Mobile Network Threat Landscape (page 2)
  Malicious Threats (page 2)
  Non-Malicious Threats (page 4)
Traditional Security Solutions May Not Help (page 4)
So What’s the Solution? (page 5)
  Use Case #1: Protection from Internet-Sourced DDoS Attacks (page 5)
    Using Peakflow® SP & Peakflow® SP TMS on the Gi/SGi Interface of GGSN/PGW to Mitigate DDoS Attacks (page 6)
    Using Pravail® APS in the Mobile Network’s Internet Data Center to Proactively Mitigate Application-Layer Attacks (page 6)
  Use Case #2: Rate-Limiting a Mobile Application Retry/Recovery Storm (page 7)
Conclusion (page 8)


Today’s Mobile Network Threat Landscape


Fueled by their subscribers’ insatiable demand for smarter mobile devices and multi-media content,
mobile network operators (MNOs) have seen tremendous growth in mobile traffic on their networks.
Along with this growth, MNOs face the ever-increasing challenge of maintaining the availability and
performance of their mobile network and services to enhance their customers’ quality of experience.

Failure to do so can result in service level agreement (SLA) credits, damage to brand reputation and
customer churn—all of which impact the top and bottom lines of their business. It is imperative that
MNOs have solutions in place to proactively recognize traffic patterns that threaten the availability
and performance of their mobile network infrastructure and services. This application brief documents
some of the current and emerging threats to mobile networks. It also provides real-world use cases of
how MNOs are using Peakflow® and Pravail® solutions from Arbor Networks to protect their mobile
networks and services from both malicious and non-malicious threats to service availability.

Malicious Threats
As expected, wireless access to the Internet has garnered the attention of miscreants who now see this
as a significant opportunity for malicious activity. Generally, this wrongful activity has two main
impact points.

1. End-User Mobile Devices
Short Message Service (SMS) toll fraud, SMS phishing (SMSishing) and mobile malware are examples of
how a miscreant can use the latest mobile devices (i.e., smartphones, tablets) or end-users themselves
to lure victims to bogus Web sites or services, where they can be exploited for the attacker’s
financial gain.

2. MNO’s Infrastructure and/or Services
Distributed denial of service (DDoS) attacks can have a direct impact on targeted infrastructure, or
they can impact infrastructure (and available capacity) simply due to the increased traffic volume or
session load. DDoS attacks can lead to poor network performance, impact many subscribers’ services,
damage brand reputation and even cause customer churn.


[Figure: end-to-end mobile network architecture, from end devices and user traffic through wireless
aggregation/backhaul (NodeB/BTS, RNC/BSC, eNodeB, FemtoCell/HNB), the mobile packet core (SGSN, GGSN,
MME, SGW, PDN GW, MSC/HLR), the Internet data center (service portals, DNS, content control, AAA,
customer services) and the private/public Internet, including the Gp interface to other MNOs over
GRX/IPX. Impact points are marked, with threats from mobile devices on the wireless side and threats
from the fixed Internet on the wired side.]

Threats against the mobile network infrastructure come from the wired and wireless side of the network.

In mobile networks, DDoS attacks can be sourced from the Internet or from mobile service users.

From the Internet
These attacks have been around for a number of years. For example, botnets composed of thousands of
compromised PCs on the Internet can launch DDoS attacks against the mobile network infrastructure.
These types of attacks impact the state tables in firewalls, the performance of GGSNs or the
availability of services running in mobile network data centers including Domain Name System (DNS)
infrastructure, Web portals, etc.

From Mobile Users/Devices
MNOs are starting to face threats on their mobile network from their own subscribers or devices. With
the growth in app stores and mobile applications—many of which do not have any sort of security
oversight or control—compromised devices connected to the mobile network (i.e., smartphones, tablets,
M2M, laptops using 3G dongles) are participating in botnets and launching DDoS attacks from the
wireless side of the mobile network. These types of threats consume precious radio spectrum and
capacity on shared radio access network (RAN) infrastructure and can impact overall network performance.

There’s more than anecdotal evidence that these threats are occurring and having an impact on mobile
networks and the services they provide. For example, a 2012 Heavy Reading Mobile Network Security
survey of MNOs indicated that over 40% experienced an outage of more than four hours as a result of a
malicious network security attack, up from 31% in 2011. When asked which parts of their mobile network
were being impacted by DDoS attacks, the top two areas identified were services (i.e., DNS, SMSC and
MMSC running in mobile network data centers) at 39% and data and signaling gateways (i.e., GGSN, SGSN)
at 39%.


Non-Malicious Threats
Not all threats to mobile network and service performance and availability are malicious
in nature. Mobile applications or “mobile apps” are the reason why the amount of mobile
data traffic continues to increase. MNOs have little to no control over which mobile apps
their subscribers install and use. To make matters worse, many mobile apps do not take
into account that they communicate over networks that operate differently from traditional
fixed-line IP networks—especially during recovery scenarios.

This can cause major problems when popular mobile apps, used by millions of subscribers, undergo
maintenance or encounter issues. For example, when a critical component of a social media application
(i.e., a core communication server) becomes inaccessible, it can cause subscriber devices or servers to
initiate a retry/recover routine that can trigger huge spikes in mobile data and control-plane traffic.
Such a traffic storm, though not malicious in nature, looks and acts like a DDoS attack on a mobile
network because it affects all mobile subscribers, not just the users of this particular application.

The 2012 Heavy Reading report on mobile network security indicates that these events are relatively
common today as 61% of MNOs have experienced an outage due to mobile application anomalies. It is
imperative for MNOs to detect and stop these traffic anomalies before they affect their network and
subscribers’ quality of experience.

Traditional Security Solutions May Not Help


In general, there are two approaches to mobile network security today: deploy protection on 1) the
user device or 2) the network. As many MNOs recognize, deploying security solutions on subscriber
devices is extremely difficult since MNOs have little control.

An MNO’s best approach is to develop a network-based solution. Unfortunately, many MNOs rely on
traditional network-based security products such as Firewalls or Intrusion Prevention Systems (IPS) to
protect their mobile network infrastructure and services from threats. In many cases, these devices
will not recognize or stop threats such as DDoS attacks. In fact, in some cases, these traditional
security devices can make matters worse. For example, devices such as firewalls running carrier-grade
network address translation (NAT) maintain significant state on each user connection. The amount of
state a device can maintain is finite and these devices will experience session or state-exhaustion
issues when dealing with certain types of DDoS attacks involving Transmission Control Protocol (TCP)
connections.


So What’s the Solution?


The solution is to deploy stateless DDoS protection technology that has the capability to recognize
and stop mobile network anomalies and threats before they impact network performance and service
availability. Such solutions can easily be deployed in two network locations: the Gi/SGi interface of
the GGSN/PGW and mobile network data centers.

The following use cases document how organizations can use Peakflow and Pravail solutions from Arbor
Networks to help protect the availability of the mobile network and services.

Use Case #1: Protection from Internet-Sourced DDoS Attacks
In this scenario, an attacker is generating a large DDoS attack towards a mobile operator’s network
infrastructure, using hosts distributed around the Internet. The actual target of the DDoS attack may
be a server or service located in the mobile operator’s Internet data center (e.g., DNS, HTTP or
voice), a critical component of the mobile network infrastructure (e.g., GGSN/PGW, firewall) or a
mobile subscriber. In any case, these attacks can have significant impact on network performance and
end-user quality of experience.

[Figure: the mobile packet core (GGSN, PDN GW), the Internet data center (service portals, DNS,
content control, AAA, customer services) and the private/public Internet, with legitimate traffic and
DDoS attack traffic entering over the Gi/SGi interfaces and impact points marked.]

Internet-sourced DDoS attacks.

Two Arbor solutions can help stop this sort of threat:

1. Peakflow SP together with Peakflow SP Threat Management System (“Peakflow SP TMS”) on the
Gi/SGi interface of the GGSN/PGW.

2. Pravail Availability Protection System (“Pravail APS”) in the mobile operator’s Internet data center.


Using Peakflow SP & Peakflow SP TMS on the Gi/SGi Interface of GGSN/PGW to Mitigate DDoS Attacks
In this scenario, Peakflow SP monitors flow telemetry from the fixed backbone and peering routers
located at or near the Gi/SGi interface of the GGSN/PGW. Once Peakflow SP detects the anomalous
traffic caused by a DDoS attack, the system alerts the MNO and automatically reroutes the legitimate
and attack traffic to Peakflow SP TMS, where the attack traffic is “scrubbed” and good traffic
re-injected back into the network towards its original destination. The result is threat mitigation
that preserves the availability and performance of the NATs, GGSN/PGW and services that were targeted
or impacted.

[Figure: Peakflow SP (CP5500) collecting flow telemetry from the backbone routers and Peakflow SP
(TMS 4000) on the Gi/SGi side of the GGSN/PDN GW, with DDoS attack traffic diverted to the TMS and
legitimate traffic delivered to the Internet data center services.]

Peakflow SP TMS removes attack traffic.

Using Pravail APS in the Mobile Network’s Internet Data Center to Proactively Mitigate Application-Layer Attacks
In this scenario, Pravail APS is deployed at the perimeter of the Mobile Network Operator’s Internet
data center where content optimization/filtering, DNS, etc. are located—more specifically, in-line,
before a firewall or IPS if one is in place. Though Pravail APS is designed to detect and mitigate both
network and application-layer DDoS attacks, in this scenario it is primarily used to proactively block
“low and slow” application-layer attacks (that could be sourced either from the wired or wireless
devices) against the services running in the data center (e.g., DNS, VOIP, multi-media).

The combination of Peakflow SP and Peakflow SP TMS on the Gi/SGi interface of GGSN/PGW to block large
volumetric DDoS attacks against the mobile network infrastructure and Pravail APS in the mobile network
data center to proactively block application-layer DDoS attacks against mobile services provides a
more comprehensive DDoS protection solution for the mobile network operator.

[Figure: Pravail APS deployed in-line at the Internet data center perimeter, ahead of the IPS, between
the GGSN/PDN GW (Gi/SGi) and the data center services, with legitimate traffic passed and
application-layer attack traffic from the private/public Internet blocked.]

Pravail APS stops application-layer DDoS attacks.


Use Case #2: Rate-Limiting a Mobile Application Retry/Recovery Storm

As noted earlier in this document, not all threats to a mobile network are intentional or malicious in
nature. Such is the case in this scenario, where a popular mobile messaging application was severely
affecting the performance of an MNO’s network. Occasionally, communication to the application’s
servers would be lost. The end-user devices and servers would initiate a recovery process to regain
contact with the servers. This resulted in traffic similar to a TCP-flood DDoS attack on the mobile
network, severely affecting performance for all mobile subscribers. After unsuccessfully trying to work
with the developers of the application, the MNO decided to take matters into its own hands.

The MNO configured Peakflow SP to analyze flow telemetry from the fixed backbone and peering routers.
Peakflow SP determined the normal rate of TCP FIN/ACK communication between the application’s servers
and end-user devices. All traffic from the servers was also redirected to Peakflow SP TMS using
policy-based routing (PBR) at the border routers (on the Gi interface of the GGSN). When Peakflow SP
detected an abnormal rate of TCP FIN/ACK communication from the application servers, it would alert
the mobile operator and enable the rate-limiting countermeasure on Peakflow SP TMS to control the
FIN/ACK packets from the application servers (to the predetermined value). This in turn limited the
number of retries from the mobile devices, resulting in reduced impact to mobile network performance.
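The workflow of this use case (learn the normal FIN/ACK rate from flow telemetry, alert on an abnormal rate, then cap the servers’ FIN/ACK packets at the predetermined value), as an added example that is not Arbor’s code and does not model Peakflow internals. The flow-record layout, the 198.51.100.0/24 server addresses, the ten-second learning window, the mean + 3σ alert rule and the token-bucket cap are all assumptions made for the example.

```python
"""Flow-telemetry baselining and rate limiting for a mobile app recovery storm.

Added example (not Arbor's code): models the Use Case #2 workflow on constructed
flow records. Record layout, addresses, learning window and cap are assumptions.
"""
import math
import statistics
from collections import defaultdict
from dataclasses import dataclass

TCP = 6
UDP = 17
FIN = 0x01   # TCP flag bits as they appear in exported flow records
ACK = 0x10


@dataclass(frozen=True)
class FlowRecord:
    ts: int          # second in which the record was exported
    src: str
    dst: str
    proto: int
    tcp_flags: int   # OR of all TCP flags seen in the flow
    packets: int


# Constructed telemetry: seconds 0-9 are the learning window, seconds 10-14 are
# the recovery storm. Application servers live in 198.51.100.0/24 (TEST-NET-2).
APP_SERVER_PREFIX = "198.51.100."
BASELINE_PPS = [20, 22, 18, 21, 19, 20, 23, 17, 20, 20]
STORM_PPS = [400] * 5


def build_sample_flows():
    flows = []
    for t, n in enumerate(BASELINE_PPS + STORM_PPS):
        # Server-side FIN/ACK traffic split over two flows, as a collector sees it
        flows.append(FlowRecord(t, "198.51.100.10", "10.20.1.5", TCP, FIN | ACK, n // 2))
        flows.append(FlowRecord(t, "198.51.100.11", "10.20.1.6", TCP, FIN | ACK, n - n // 2))
        # Noise the filter must ignore: device-side FIN/ACK and server-side UDP
        flows.append(FlowRecord(t, "10.20.1.5", "198.51.100.10", TCP, FIN | ACK, 5))
        flows.append(FlowRecord(t, "198.51.100.10", "10.20.1.7", UDP, 0, 9))
    return flows


def is_server_finack(r):
    """Only TCP flows sourced by the application servers carrying FIN and ACK."""
    return (r.proto == TCP and r.src.startswith(APP_SERVER_PREFIX)
            and r.tcp_flags & (FIN | ACK) == (FIN | ACK))


def packets_per_second(flows, match):
    """Aggregate packets of matching records into {second: packet count}."""
    per_sec = defaultdict(int)
    for r in flows:
        if match(r):
            per_sec[r.ts] += r.packets
    return dict(per_sec)


def learn_baseline(rates, window):
    """Mean and population std-dev of the rate over the learning seconds."""
    vals = [rates.get(t, 0) for t in window]
    return statistics.fmean(vals), statistics.pstdev(vals)


def detect_anomalies(rates, mean, std, k=3.0):
    """Seconds whose rate exceeds mean + k*std (the 'abnormal rate' alert)."""
    threshold = mean + k * std
    return sorted(t for t, v in rates.items() if v > threshold), threshold


class TokenBucket:
    """Per-second token bucket standing in for the rate-limiting countermeasure."""

    def __init__(self, rate_pps, burst):
        self.rate, self.burst, self.tokens = rate_pps, burst, burst

    def admit(self, count):
        """Refill for one second, then return how many of `count` packets pass."""
        self.tokens = min(self.burst, self.tokens + self.rate)
        passed = min(count, self.tokens)
        self.tokens -= passed
        return passed


def run_use_case(flows=None, learning_window=range(10)):
    flows = build_sample_flows() if flows is None else flows
    rates = packets_per_second(flows, is_server_finack)
    mean, std = learn_baseline(rates, learning_window)
    flagged, threshold = detect_anomalies(rates, mean, std)
    # Predetermined cap: the learned normal rate, with one second of burst headroom
    cap = math.ceil(mean)
    bucket = TokenBucket(rate_pps=cap, burst=2 * cap)
    passed = sum(bucket.admit(rates[t]) for t in flagged)
    offered = sum(rates[t] for t in flagged)
    return {"mean": mean, "threshold": threshold, "flagged": flagged,
            "cap": cap, "passed": passed, "dropped": offered - passed}


if __name__ == "__main__":
    print(run_use_case())
```

In the constructed data the storm seconds exceed the learned threshold of roughly 25 packets per second, and the bucket lets 120 of the 2,000 offered FIN/ACK packets through, which is the retry pressure the mobile devices would then see.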

[Figure: recovery storm traffic between a third-party application provider on the Internet and mobile
devices across the 3G and 4G (LTE) networks, with connectivity loss at the application provider and
impact at the GGSN/PDN GW.]

Popular Mobile “Apps” in the midst of a recovery storm act like DDoS attacks on a mobile network.


[Figure: the same network with Peakflow SP and Peakflow SP (TMS 4000) deployed on the Gi/SGi side of
the GGSN/PDN GW, between the mobile packet core and the third-party application provider.]

Peakflow SP TMS rate-limits mobile application recovery storms to remove the threat to the mobile network.

Conclusion
As mobile network operators race to build out higher-capacity mobile networks and services to meet
their customer demands, they will undoubtedly draw the attention of miscreants. Therefore, it’s
imperative that MNOs keep a keen eye on threats that may impact their network availability and
performance.

DDoS attacks are an example of this type of threat, and trends indicate they are on the rise. Many
mobile operators have already experienced attacks targeting their firewalls and subscribers firsthand,
and understand the impact these attacks can have. In the future, this is likely to become a broader
and more frequent situation. MNOs can rely on the industry expertise and comprehensive DDoS protection
solutions from Arbor Networks to help stop DDoS attacks that threaten the availability, performance
and security of their mobile networks and services, as well as the quality of experience of their
customers.

For more information regarding Arbor’s product, visit our website at www.arbornetworks.com.

Corporate Headquarters
76 Blanchard Road
Burlington, MA 01803 USA
Toll Free USA +1 866 212 7267
T +1 781 362 4300

Europe
T +44 207 127 8147

Asia Pacific
T +65 6299 0695

www.arbornetworks.com

©2013 Arbor Networks, Inc. All rights reserved. Arbor Networks, the Arbor Networks logo, Peakflow, ArbOS, How Networks
Grow, Pravail, Arbor Optima, Cloud Signaling, ATLAS and Arbor Networks. Smart. Available. Secure. are all trademarks of
Arbor Networks, Inc. All other brands may be the trademarks of their respective owners.

AB/MOBILENETWORK/EN/0413
Arbor Special Report

Inside the Data Center: Top Network Security Threats and Mitigation Techniques
Highlights from Arbor Networks’ eighth annual Worldwide Infrastructure Security Report

KEY FINDINGS
• 45% of respondents reported DDoS attacks on their data centers, up 60%.
• 94% of these respondents saw DDoS attacks regularly.
• 90% of these respondents incurred operational expenses due to the attacks.
• 78% cited end customers as the number-one target.
• 95% use firewalls for DDoS protection, despite their limitations.
• 33% reported that a DDoS attack compromised their firewalls or IDS/IPS systems.
• 75% with Intelligent DDoS Mitigation Systems (IDMS) solutions offer customers an IDMS-based
anti-DDoS service.

Arbor Networks® eighth annual Worldwide Infrastructure Security Report offers a clear view into today’s
network security threats and mitigation techniques. The report is based on survey data from 130 network
operators and service providers around the world. This document summarizes the survey responses of DNS
operators—providing insight into their most critical security issues.

Data Centers Are Increasingly Victimized
Data centers inherently contain numerous targets for DDoS attacks. Forty-five percent of respondents
experienced DDoS attacks toward their data centers, up 60 percent over the prior year. Of these,
94 percent saw DDoS attacks regularly and 17 percent reported that the attack’s volume exceeded the
available bandwidth into their data center.

Targets of DDoS Attacks
The most frequent target of DDoS attacks is the end customer, according to 78 percent of data center
respondents. This is of particular concern due to the multi-tenant nature of most data centers—in fact
63 percent offer such multi-tenant services. Data center infrastructure services (e.g., DNS, SMTP) are
the second most frequent target with just over 50 percent experiencing these attacks, yet only
19 percent have resources responsible for DNS security. One-third reported attacks on the data center
infrastructure itself.

Frequency of DDoS Attacks
For data center operators who reported being the victims of a DDoS attack, the observed
frequency of the attacks increased over last year’s survey. In 2011, 30 percent of
respondents indicated that DDoS attacks were not a monthly occurrence; this has since
declined to just under 6 percent. In fact, 83 percent of respondents who were victims of
attack now experience between one and 50 attacks per month.

Business Impact of DDoS Attacks


Nearly 90 percent of data center operators reported operational expenses due to DDoS
attacks, while one-third experienced customer churn and revenue loss (Figure 1).
Figure 1: Business Impact of Attacks (percent of survey respondents): Operational Expense 88%;
Customer Churn 31%; Revenue Loss 31%; Employee Turnover 25%; Other 6%. Source: Arbor Networks, Inc.

ABOUT ARBOR NETWORKS
Arbor Networks is a leading provider of network security and management solutions for enterprise and
service provider networks. Our proven solutions help grow and protect our customers’ networks,
businesses and brands. Arbor’s unparalleled, privileged relationships with worldwide service and
hosting providers provide unequaled perspective on Internet security and traffic trends via ATLAS®,
a unique collaborative effort with 250+ network operators across the globe sharing 42 Tbps of traffic
information that informs numerous business decisions.

Developed annually, Arbor’s Worldwide Infrastructure Security Report offers a rare view into the
evolving global threat landscape based on a series of surveys completed by network operators from
around the world. To access the complete report, please visit: www.arbornetworks.com/report

Visibility into Data Center Networks
Just over three-quarters of data center respondents have good visibility up to Layer 4, while
one-third have visibility up to Layer 7. This indicates that the majority of operators are likely
blind to attacks above Layer 4, making it difficult to defend against them. Layer 7 DDoS attacks are
especially dangerous as they are typically “low and slow,” and are often undetectable using
traditional volumetric detection mechanisms.

Data Center Security


Firewalls are now a standard security practice in data centers, deployed by 95 percent
of respondents compared to only 42 percent last year. The second most common
security technology is IDS/IPS, which is used by half of respondents. The increased
use of firewalls and IDS/IPS devices to deal with DDoS attacks is concerning. Although
these devices can deal with some kinds of DDoS attacks, they are primarily designed to
assure confidentiality and integrity, rather than service availability.

Firewalls or IDS/IPS Compromised by DDoS Attack

Over one-third of respondents reported that their firewalls or IDS/IPS systems were compromised by a DDoS attack during the survey period.

DDoS Prevention and Mitigation

The proportion of data center respondents using today’s various DDoS prevention/mitigation techniques remained unchanged from last year’s survey. However, there was a 10 percent increase in the proportion of respondents using Intelligent DDoS Mitigation Systems (IDMS) and an approximate 22 percent decrease in the proportion using D-RTBH. This may indicate that data center operators are becoming more focused on protecting end customer service availability during an attack. Three-quarters of data center operators who have IDMS solutions deployed offer their customer base an anti-DDoS service based on their IDMS equipment, thus monetizing their investment.

Summary

Data centers are increasingly being targeted by DDoS attacks—with significant downside to their businesses. As more companies move their services to the cloud, they now have to be wary of the shared risks and potential for collateral damage. With e-commerce and online gaming sites being the most common targets for DDoS attacks, according to survey results this year, sharing data centers with these organizations brings some risk.

Corporate Headquarters
76 Blanchard Road
Burlington, MA 01803 USA
Toll Free USA +1 866 212 7267
T +1 781 362 4300

Europe
T +44 207 127 8147

Asia Pacific
T +65 6299 0695

www.arbornetworks.com

© 2013 Arbor Networks, Inc. All rights reserved. Arbor Networks, the Arbor Networks logo, Peakflow, ArbOS, How Networks Grow, Pravail, Arbor Optima, Cloud Signaling, ATLAS and Arbor Networks. Smart. Available. Secure. are all trademarks of Arbor Networks, Inc. All other brands may be the trademarks of their respective owners.
SR/DCWISR/EN/0413
Arbor Solution Brief

Arbor CloudSM—DDoS Protection Service for MSSPs

Turnkey, in-cloud and on-premises, DDoS attack protection solution to enable or augment services

Customer: Managed Security Service Provider (MSSP)

Industry: DDoS Attack Protection

The Challenge
• Deliver new DDoS attack protection services.
• Maintain and enhance existing DDoS attack protection services.
• Train and retain experienced DDoS attack security personnel.

The Solution
Arbor Cloud—DDoS Protection Services for:
• Excess mitigation capacity.
• Resell of a turnkey, carrier agnostic in-cloud and on-premises DDoS attack protection service.

The Result
Enable new or augment existing DDoS attack protection services in less time and with lower costs.

For years, Managed Security Service Providers (MSSPs) have trusted Arbor Networks® products, industry leading DDoS attack research and expertise to help them design and operate their DDoS attack protection services. As MSSPs face ever increasing challenges due to modern day DDoS attacks, they continue to rely upon Arbor Networks to thwart these targeted attacks. In response, Arbor Networks has moved beyond offering industry leading DDoS mitigation products and research and is now offering a turnkey, carrier agnostic, in-cloud and on-premises DDoS attack protection service: Arbor Cloud—DDoS Protection. MSSPs can leverage the Arbor Cloud—DDoS Protection Service to enable new or augment their existing DDoS services, potentially reduce costs and bring services to market in less time.

DDoS Attacks Continue to Raise the Bar for MSSPs

There’s little doubt that DDoS attacks continue to rise in size, frequency and complexity. This trend is putting tremendous pressure on Managed Security Service Providers who are challenged with:

• Risk of not having enough capacity to manage very large attacks.
• Staying abreast of latest DDoS attack trends, attack vectors, attackers, attack tools and targets.
• The constant requirement of training network security personnel and operations staff.
• Retaining experienced, coveted staff that is constantly lured by stiff competition.
• Maintaining and enhancing their DDoS attack protection infrastructure such as circuits, data centers, customer portals and attack mitigation products.

The Need for a Layered DDoS Attack Protection Solution

For over a decade Arbor Networks has been researching and delivering products designed to stop DDoS attacks. To stop modern day DDoS attacks that are commonly a combination of large, volumetric attacks and stealthy, application-layer attacks, Arbor has recommended and is delivering a layered DDoS protection solution:

• In-Cloud: Arbor’s Peakflow® SP and Peakflow® Threat Management System products offer in-cloud protection for volumetric attacks.
• On-Premises: Arbor’s Pravail® Availability Protection System (APS) is designed to stop application-layer attacks on the customer premises or datacenter.
• Intelligent Communication: Arbor’s Cloud Signaling™ technology provides an integrated means of communicating between in-cloud and on-premise solutions to streamline operational transition between the two.

The powerful combination of Arbor’s Peakflow, Pravail and Cloud Signaling—all backed by the industry leading expertise of Arbor’s Security Engineering and Response Team (ASERT)—is arguably the most comprehensive DDoS attack protection solution in the industry today.
“Verizon has utilized Arbor Networks hardware for a number of years in the provision of Verizon’s DOS Defense service, protecting Verizon IP customers globally. Arbor Networks’ expansion with Arbor Cloud DDoS Protection Service will permit customers to retain their best-practice dual-carrier environments while leveraging tried and tested technology for both Verizon and their alternate carrier Internet circuits.”
Bart Vansevenant, Executive Director, Security Solutions with Verizon Enterprise Solutions

A Turnkey DDoS Attack Protection Service for MSSPs

For years, MSSPs have relied on Arbor Networks to help stop DDoS attacks for their customers. But even the best MSSP is challenged to stay abreast of modern day DDoS attacks and maintain sufficient capacity to deal with the growth of their services or growing attack sizes. In response, Arbor Networks has moved beyond offering industry leading DDoS attack products and research and is now offering a turnkey, carrier agnostic, in-cloud and on-premises DDoS attack protection service: Arbor Cloud—DDoS Protection Service. The Arbor Cloud—DDoS Protection Service is based 100% upon Arbor’s industry leading products and security experts.

Arbor offers two different Arbor Cloud—DDoS Protection services for MSSPs.

Diagram: Excess Capacity for Existing Services (elements shown: MSSP, Arbor Cloud DDoS Protection, Local ISP, Enterprise Network) and Resell of Arbor Cloud DDoS Protection (elements shown: Arbor Cloud DDoS Protection, Local ISP, MSSP, Enterprise Network). Captions: Excess Capacity Service; Resale of Arbor Cloud—DDoS Protection Service.

1. Excess Capacity Service: Mitigation capacity is not infinite. This service is for existing DDoS Protection MSSPs who may need additional mitigation capacity. This service may be MSSP branded (white labeled), custom designed and has pricing based upon the amount of total mitigation capacity required, attack mitigations and other BGP options.

2. Resale of Arbor Cloud—DDoS Protection Service: Bringing new DDoS attack protection services to market or enhancing existing services is difficult. ISPs, Cloud Providers, Hosting companies or MSSPs who do not have DDoS protection services can quickly bring a new service to market by reselling the Arbor Cloud—DDoS Protection Service. ISPs/MSSPs who have existing DDoS protection services can easily augment their services for scenarios such as:

• Multi-homed customers looking for a single MSSP to offer all their DDoS attack protection services.
• International customers where the MSSP may not have a geographic presence for DDoS attack protection.

This service is Arbor branded and has pricing based upon the amount of clean customer traffic, attack mitigations and other BGP or DNS options.

Bottom Line

MSSPs can leverage the Arbor Cloud—DDoS Protection Service to enable new services or augment existing services in potentially less time and with lower costs.

Corporate Headquarters
76 Blanchard Road
Burlington, MA 01803 USA
Toll Free USA +1 866 212 7267
T +1 781 362 4300

Europe
T +44 207 127 8147

Asia Pacific
T +65 68096226

www.arbornetworks.com

© 2013 Arbor Networks, Inc. All rights reserved. Arbor Networks, the Arbor Networks logo, Peakflow, ArbOS, Pravail, Arbor Optima, Cloud Signaling, Arbor Cloud, ATLAS, and Arbor Networks. Smart. Available. Secure. are all trademarks of Arbor Networks, Inc. All other brands may be the trademarks of their respective owners.
SB/ACMSSP/EN/1113-LETTER
Arbor Solution Brief

Arbor Cloud for EnterprisesSM

Integrated DDoS Protection from the Enterprise to the Cloud


Solution Brief: Arbor CloudSM for Enterprises

About Arbor Networks


Arbor Networks, Inc. helps secure the world’s largest
enterprise and service provider networks from DDoS attacks
and advanced threats. Arbor is the world’s leading provider
of DDoS protection in the enterprise, carrier and mobile
market segments, according to Infonetics Research. Arbor’s
advanced threat solutions deliver complete network visibility
through a combination of packet capture and NetFlow
technology, enabling the rapid detection and mitigation of
malware and malicious insiders. Arbor also delivers market
leading analytics for dynamic incident response, historical
analysis, visualization and forensics. Arbor strives to be a
“force multiplier”, making network and security teams the
experts. Our goal is to provide a richer picture into networks
and more security context—so customers can solve problems
faster and reduce the risk to their business. To learn more
about Arbor products and services, please visit our website
at arbornetworks.com. Arbor’s research, analysis and insight,
together with data from the ATLAS global threat intelligence
system, can be found at the ATLAS Threat Portal.


Table of Contents

The New Breed of Attack: Multi-Layered DDoS (page 2)
    Distributed DDoS Attacks (page 2)
    Volumetric DDoS Attacks (page 2)
    State Exhausting DDoS Attacks (page 3)
    Application-Layer DDoS Attacks (page 3)
Traditional Perimeter Security Solutions Are Not Designed to Defend Against DDoS (page 3)
Arbor Cloud: On-Premise + In-Cloud DDoS Protection for Global Networks (page 4)
    In-Cloud Protection: Powerful, Proactive, On-Demand (page 6)
    Powered by the Arbor Security Engineering & Response Team (ASERT) (page 6)
    Cloud Signaling: Full Integration from the Data Center to the Cloud (page 6)
Conclusion (page 7)


The New Breed of Attack: Multi-Layered DDoS

Today’s DDoS threats have evolved in both complexity and sophistication. They target
the availability of networks, services and applications—often at the same time—through a
multi-layered attack strategy. This strategy combines high-bandwidth assaults that overwhelm
the capacity of enterprise data centers with low-bandwidth, hard-to-detect attacks aimed at
bringing down critical applications.

These new multi-layer attacks can negate the effectiveness of traditional perimeter security devices, such as firewalls and Intrusion Prevention Systems (IPS). High-volume flood attacks overpower the bandwidth limitations of these devices. Meanwhile, “low and slow” application-layer attacks fly under their radar—escaping detection until critical services are down or badly degraded.

Unfortunately, most organizations are unprepared for this new breed of attack—and are blindsided when their traditional security devices fail to protect their networks and core business systems. To better ensure business availability, today’s enterprise should have multi-layered DDoS protection from the edge of its network to the cloud.

Protection against the new breed of DDoS attacks requires an understanding of the methodologies and tools used by attackers. Today’s multi-layer DDoS assaults can combine any or all of the following approaches into a single, coordinated attack. The results can be catastrophic—including upstream saturation, state exhaustion and service outage.

Distributed DDoS Attacks

Taking advantage of the proliferation of compromised computers, attackers utilize a command-and-control network to create a botnet. They use these botnets to launch targeted DDoS attacks originating from the vast number of infected hosts.

Volumetric DDoS Attacks

These devastating attacks typically target network infrastructure components such as switches, routers or servers. By flooding bandwidth with connection requests, they cripple legitimate traffic and availability to critical resources. A myriad of volumetric attack tools are available that utilize common protocols. Some of the more widespread types include:

• UDP flood attacks that take advantage of the connectionless nature of the UDP protocol.
• Reflection flood attacks that utilize a legitimate resource such as DNS to amplify an attack. The DNS response is multiplied many times and sent to the victim’s spoofed IP address, thereby exhausting resources.

Figure 1: Multi-layered DDoS attacks (elements shown: Internal Apps, ISP, Remote Offices, Mobile, WiFi, Corporate Servers, Employees).
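The reflection bullet above describes amplified DNS responses arriving at a spoofed victim address. As an added example (not Arbor code, and not how Peakflow or ATLAS classify flows), the Python below shows how a defender can recognise that pattern in NetFlow-style records at the network edge: pair each inbound UDP source-port-53 flow with an outbound query on the reverse 5-tuple, and alert when a protected host receives unsolicited responses from many distinct resolvers adding up to significant volume. The flow record layout, addresses and thresholds are constructed for this example.

```python
"""Detecting DNS reflection traffic from flow records at the victim's edge.

Added example, not Arbor code. Flow records are constructed 5-tuples with
byte/packet counts in the style of a NetFlow/IPFIX export; the field layout,
addresses and thresholds are assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    octets: int
    pkts: int


# Our own servers (constructed addresses from the documentation range).
PROTECTED = {"192.0.2.10", "192.0.2.20"}

# Constructed sample flows for one export interval.
SAMPLE_FLOWS = [
    # Legitimate: 192.0.2.20 queries resolver 198.51.100.53 and gets a normal answer.
    Flow("192.0.2.20", 40001, "198.51.100.53", 53, "udp", 70, 1),
    Flow("198.51.100.53", 53, "192.0.2.20", 40001, "udp", 180, 1),
    # Unsolicited, large responses to 192.0.2.10 from 40 distinct open resolvers:
    # the host never asked, so its spoofed address was used in the queries.
    *[Flow(f"203.0.113.{i}", 53, "192.0.2.10", 51234, "udp", 3800, 3) for i in range(1, 41)],
]


def unsolicited_dns_responses(flows, protected=PROTECTED):
    """Return {protected host: [inbound DNS response flows with no matching query]}.

    A response is 'matched' when the protected host sent a UDP flow to port 53 of
    the same resolver from the same client port during the interval.
    """
    queries = set()
    for f in flows:
        if f.proto == "udp" and f.dport == 53 and f.src in protected:
            queries.add((f.src, f.sport, f.dst))  # (client, client port, resolver)
    unsolicited = defaultdict(list)
    for f in flows:
        if f.proto == "udp" and f.sport == 53 and f.dst in protected:
            if (f.dst, f.dport, f.src) not in queries:
                unsolicited[f.dst].append(f)
    return unsolicited


def reflection_alerts(flows, min_reflectors=20, min_octets=50_000, protected=PROTECTED):
    """Flag a protected host when unsolicited DNS responses arrive from many distinct
    reflectors and add up to significant volume. Returns {victim: summary dict}."""
    alerts = {}
    for victim, responses in unsolicited_dns_responses(flows, protected).items():
        reflectors = {f.src for f in responses}
        total = sum(f.octets for f in responses)
        if len(reflectors) >= min_reflectors and total >= min_octets:
            alerts[victim] = {
                "reflectors": len(reflectors),
                "octets": total,
                # Large average response size is the amplification signature.
                "avg_response_octets": total // sum(f.pkts for f in responses),
            }
    return alerts


if __name__ == "__main__":
    for victim, summary in reflection_alerts(SAMPLE_FLOWS).items():
        print(f"reflection suspected toward {victim}: {summary}")
```

The query/response pairing is what separates this from a plain "lots of port 53 traffic" counter: a busy resolver or a recursive server of your own legitimately receives many DNS responses, but each of them follows a query it sent. In production the match would be done against the previous export interval as well, since a query and its response can straddle an interval boundary.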


State Exhausting DDoS Attacks

These attacks target security infrastructure devices such as firewalls, IPS and load balancers. They take advantage of connection-state tables by flooding them with half-open connections and other TCP connection attacks.

Application-Layer DDoS Attacks

These attacks represent the most popular attack vector as their stealthy nature makes them harder to detect. They target systems on the application layer—from Web services to custom applications. By making critical applications inaccessible to those who rely on them, these attacks deliver a significant blow to business availability.

Traditional Perimeter Security Solutions Are Not Designed to Defend Against DDoS

Traditional perimeter security devices such as firewalls and IPS are essential elements of a layered-defense strategy. However, they are not designed to protect against the multi-layered nature of today’s complex DDoS attacks.

DDoS attacks typically utilize legitimate traffic payload distributed from large networks of hosts, and exhaust capacity in critical assets and systems. Examples include link capacity, session capacity, application service capacity (e.g., HTTP/S, DNS) and back-end databases.

Traditional security devices fail to protect from DDoS attacks because the traffic appears to be legitimate and is allowed to pass by these systems. Additionally, firewalls and IPS are stateful inspection devices, which means they are vulnerable to today’s multi-layer attacks and often become the targets themselves.

Why Firewall and IPS Devices Do Not Solve the DDoS Problem

Vulnerable to DDoS Attacks
• Because these devices are inline, stateful devices, they are vulnerable and targets of DDoS attacks.
• Firewalls and IPS are the first to be affected by large flood or connection attacks.

Protection Limited to Certain Attacks
• Address only specific application threats.
• By default, they must allow common attack traffic such as TCP port 80 (HTTP) or UDP port 53 (DNS). They do not handle attacks containing valid requests.

Failure to Ensure Availability
• Built to protect against known (vs. emerging) threats.
• Designed to look for threats within single sessions, not across sessions.

Incompatible with Cloud-Based DDoS Protection Systems
• Fail to interoperate with cloud-based DDoS prevention solutions.
• Increase response time to DDoS attacks.

Deployed in Wrong Location for DDoS Protection
• Very close to servers.
• Too close to upstream router.

Lack of DDoS Expertise
• DDoS protection requires prior knowledge of attack types.
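The table above says firewalls and IPS look for threats within single sessions, not across them, and the data center survey earlier makes the related point that "low and slow" Layer 7 traffic is invisible to volumetric detection. The Python below is an added example, not Arbor code and not a description of how Pravail APS works: it runs a link-level volumetric check and a per-source, cross-session check over a constructed 60-second connection log, and shows that only the second one surfaces the slow-HTTP source and the half-open-connection source. Field names, thresholds and the sample addresses are assumptions for the example.

```python
"""Cross-session DDoS indicators that a per-session, volumetric view misses.

Added example, not Arbor code. The input is a constructed connection log:
one record per TCP connection observed at the data-center edge during a
60-second window. The field meanings below are assumptions for this example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    src: str           # client IP
    state: str         # "established" or "half_open" (SYN seen, handshake never completed)
    bytes_in: int      # client -> server bytes in the window
    duration_s: float  # seconds the connection stayed open within the window
    header_done: bool  # True once a complete HTTP request header arrived


# Constructed sample: two ordinary clients, one slow-HTTP source, one half-open source.
SAMPLE_LOG = [
    # Legitimate browsing: short connections with complete requests.
    *[Conn("198.51.100.10", "established", 900, 0.3, True) for _ in range(8)],
    *[Conn("198.51.100.11", "established", 1200, 0.5, True) for _ in range(5)],
    # "Low and slow": many concurrent connections that never finish sending headers.
    *[Conn("203.0.113.5", "established", 40, 58.0, False) for _ in range(120)],
    # State-table pressure: many half-open connections carrying no payload at all.
    *[Conn("203.0.113.9", "half_open", 0, 60.0, False) for _ in range(300)],
]

WINDOW_S = 60
LINK_CAPACITY_BPS = 100_000_000  # 100 Mb/s uplink (assumed)


def volumetric_view(log, window_s=WINDOW_S, capacity_bps=LINK_CAPACITY_BPS):
    """Link-level check: total inbound bit rate as a fraction of link capacity.
    This single number is all a pure volumetric detector has to work with."""
    total_bits = sum(c.bytes_in for c in log) * 8
    return total_bits / window_s / capacity_bps


def cross_session_view(log, slow_ratio=0.8, half_open_min=50, concurrent_min=50):
    """Aggregate per source across all of its sessions and flag patterns that no
    single session reveals. Returns {source IP: [reasons]}."""
    per_src = defaultdict(list)
    for c in log:
        per_src[c.src].append(c)
    findings = {}
    for src, conns in per_src.items():
        half_open = sum(1 for c in conns if c.state == "half_open")
        established = sum(1 for c in conns if c.state == "established")
        incomplete = sum(1 for c in conns if c.state == "established" and not c.header_done)
        reasons = []
        if half_open >= half_open_min:
            reasons.append(f"{half_open} half-open connections (connection-state table pressure)")
        # Guarded by established >= concurrent_min, so the ratio never divides by zero.
        if established >= concurrent_min and incomplete / established >= slow_ratio:
            reasons.append(f"{incomplete}/{established} sessions never completed a request header (slow HTTP)")
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    print(f"link utilisation: {volumetric_view(SAMPLE_LOG):.6f} of capacity")
    for src, reasons in cross_session_view(SAMPLE_LOG).items():
        print(src, "->", "; ".join(reasons))
```

The volumetric number for this log is a tiny fraction of the link, so a bandwidth threshold never fires, and any one of the slow connections looks like a client on a bad line. Only when sessions are grouped by source does the shape become visible, which is the cross-session aggregation the table says session-oriented devices lack.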


Arbor Cloud: On-Premise + In-Cloud DDoS Protection for Global Networks

Arbor Cloud is an integrated, multi-layer solution for protecting against today’s complex
DDoS attacks. This comprehensive protection is achieved by augmenting Arbor’s on-premise,
always-on DDoS defense product with its cloud-based, on-demand traffic scrubbing service.
Using Cloud Signaling™ technology, Arbor Cloud integrates on-premise and cloud-based
protection, accelerating attack identification and mitigation. This service is backed by a
24X7 Security Operations Center staffed by Arbor’s DDoS and security experts.

Arbor Cloud provides on-premise protection that helps prevent stealthy, low-and-slow attacks that bypass firewalls and IPS and target critical business applications. This on-premise protection also guards against state-exhausting DDoS attacks that overwhelm existing security devices. Augmenting the on-site protection is the on-demand traffic scrubbing service staffed by Arbor’s DDoS security experts. This cloud-based service defends against volumetric DDoS attacks that are too large to be mitigated on-premise.

With each layer of protection, Arbor delivers its industry-leading expertise and technology—whether through its on-premise detection and mitigation product or its globally deployed architecture for DDoS traffic scrubbing in the cloud. As a result, Arbor Cloud provides a single, carrier-agnostic security solution that helps protect globally distributed networks from multi-layer attacks that evade traditional perimeter defenses.

Arbor Cloud delivers a powerful first line of defense through Arbor’s industry-leading on-premise DDoS attack detection and mitigation product. This easy-to-deploy and manage appliance is designed to automatically neutralize attacks before they impact critical servers or systems. It helps deliver protection from:

• Application-layer attacks
• State exhausting attacks
• Volumetric attacks (up to the limitation of the device)

Because the cost of downtime is extremely high for most global organizations, Arbor’s on-premise solution is designed to automatically detect and mitigate DDoS attacks with little or no user interaction—before services are degraded. It also offers simple fallback plans and resolution techniques when attacks cannot be readily identified. Moreover, the on-premise solution can recognize legitimate CDN traffic and will not accidentally block it. With Arbor Cloud DDoS Protection Service, the enterprise manages the on-premise device, maintaining control over their first line of defense.

Arbor Multi-Layer Cloud Protection

On-Premise Protection
Provide a first line of defense against high-volume attacks; defend against “low-and-slow” attacks that fly under the radar of traditional perimeter defenses and bring down critical business applications; and guard against state-exhausting attacks that overwhelm firewalls and IPS devices.

In-Cloud Protection
Block high-bandwidth DDoS attacks that overpower the mitigation capacity of enterprise data centers, and provide cloud-based traffic scrubbing for stealthy, high-volume attacks that evade traditional security checkpoints.

Coordinated Protection
Accelerate detection and mitigation by seamlessly integrating on-premise via Pravail and in-cloud protection through Cloud Signaling.

A Global Protection Layer from a Single Vendor
Rely on comprehensive, carrier-agnostic protection for your global enterprise network backed by world-leading security and network research and intelligence from ATLAS/ASERT and 24x7 service and support by our experts.


Additional benefits of Arbor’s on-premise solution include:

Automatic Threat Updates

Arbor enjoys a close and privileged relationship with leading ISPs around the world. Through its extensive network of sensors and data feeds, Arbor has real-time visibility into 70Tb/sec of global Internet traffic. This gives Arbor unmatched insight into emerging threats—information used by the Arbor Security Engineering & Response Team (ASERT) to develop defenses against new and emerging threats. The ATLAS® Intelligence Feed (AIF) delivers threat updates directly to the on-premise solution in real-time, requiring no action on the part of enterprise security and IT teams.

Visibility, Control and Alerting

On-premise protection delivers real-time visibility into attacks, blocked hosts and even packets. It offers the flexibility operators need to alter attack countermeasures and thresholds, if required. It also includes active alerting that notifies security engineers of ongoing attacks that are blocked, as well as other network events that may require attention.

Real-Time and Historical Attack Forensics and Reporting

Enterprises can visually understand the actions taken by the on-premise solution through detailed, real-time attack reports. Besides documenting these actions in audit logs, the solution provides forensic reports detailing blocked hosts, origin countries of attacks and historical trends. These easy-to-understand reports can also be given to peers or management to educate them on the threats to service availability and the steps taken to address the attacks.

Full Control of Mitigation

Unlike other managed DDoS solutions, Arbor Cloud enables enterprises to maintain control over DDoS mitigation via the on-premise solution. The Arbor Cloud Portal provides information regarding the attack and mitigation, a timer for measuring attack duration, granular reporting on attack traffic and account management tools.

Manual or Automatic Mitigation Alerts

When the on-premise solution detects an attack, you can manually alert the cloud deployment about the attack. Alternatively, you can preset the on-premise solution to automatically send an alert to the cloud upstream when a threshold is reached.

Advanced Web Crawler Service

Arbor has even taken into consideration a Web site’s page ranking and search engine results. ASERT maintains policies in AIF designed to allow specific Web crawlers to access your site, while blocking those that are identified as malicious or irrelevant.

Figure 2: On-premise + Cloud protection (elements shown: Arbor Cloud stops high-volume attacks; Cloud Signaling; on-premise stops stealthy attacks; Enterprise Network).


In-Cloud Protection: Powerful, Proactive, On-Demand

When an attack occurs, speed and agility are critical to business continuity. In the event of a volumetric attack, Arbor’s on-premise solution serves as a first line of defense—rerouting inbound traffic to one of Arbor Cloud’s four global scrubbing centers for cloud-based mitigation. These four scrubbing centers are located in: Ashburn, VA, San Jose, CA, Amsterdam and Singapore. The SOC is located in Sterling, VA. When this occurs, Arbor’s experienced security experts and engineers work hand-in-hand with the enterprise IT team to quickly redirect malicious DDoS traffic away from the affected infrastructure based on predetermined methods.

Through four global scrubbing centers, Arbor Cloud can help defuse the large, complex high bandwidth attacks that make headlines daily and threaten the availability of critical resources and assets.

After an attack occurs, Arbor Cloud delivers a comprehensive and granular report detailing the attack in its entirety. To ensure understanding and transparency in service delivery, this report is delivered during a one-on-one meeting with Arbor’s Security Operations Center engineers and the enterprise organization.

Powered by the Arbor Security Engineering & Response Team (ASERT)

Arbor security researchers have a real-time view of over 70% of global internet traffic. This unmatched access to emerging threats enables the Arbor Security Engineering & Response Team (ASERT) to develop timely, automatic updates to on-premise solutions and the Arbor Cloud SOC.

As a part of the Arbor Cloud service, ASERT will provide customers with the same global intelligence and insight that it delivers to the Arbor SOC through weekly Threat Briefs that will be available on the ATLAS portal. Additionally, in the event of late breaking attacks or urgent threats, a Threat Brief will be released that informs customers of these threats. From the portal, customers will be able to see the following (which includes the threat briefs):

• Global Threat Map: Real-time visibility into globally propagating threats
• Threat Briefs: Summarizing the most significant security events that have taken place over the past 24 hours
• Top Threat Sources: Multi-dimensional visualization of originating attack activity
• Threat Index: Summarizing Internet malicious activity by offering detailed threat ratings
• Top Internet Attacks: 24-hour snapshot of the most prevalent exploits being used to launch attacks globally

Cloud Signaling™ Technology: Integration from the Data Center to the Cloud with Pravail

Arbor Cloud integrates on-premise and cloud-based protection using Arbor’s unique Cloud Signaling technology. By enabling communication between the on-site and in-cloud environments, Cloud Signaling technology facilitates rapid DDoS attack detection and mitigation. When an attack begins to saturate connection bandwidth, for example, the on-premise device can trigger an alert to the Arbor Cloud scrubbing center—augmenting on-premise protection with cloud-based mitigation.

Rely on Arbor Cloud

Advanced protection against:*
• Spoofed/Non-spoofed DoS Attacks
• TCP (SYN, etc.), ICMP, UDP Floods
• Botnets
• Blackenergy, Darkness, YoYoDDoS, etc.
• Common DoS/DDoS Tools
• Slowloris/Pyloris, Pucodex, Sockstress, ApacheKiller
• Voluntary Botnets (Anonymous, etc.)
• HOIC, LOIC, etc.
• Application Attacks
• HTTP URL GET/POST Floods
• Malformed HTTP Header Attacks
• Slow-HTTP Request Attacks
• SYN Floods Against SSL Protocols
• Malformed SSL Attacks
• SSL Renegotiation Attacks
• SSL Exhaustion (Single Source/Distributed Source)
• DNS Cache Poisoning Attacks
• DNS Request Floods
• SIP Request Floods
• Custom Attacks—Unique to Your Service
• Location-Based IP Addresses

* The Pravail® Availability Protection System (“Pravail APS”) also allows user-configured custom protection.
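The "Manual or Automatic Mitigation Alerts" benefit and the Cloud Signaling paragraph above both describe the on-premise device alerting the cloud "when a threshold is reached". The Python below is an added example, not Arbor's Cloud Signaling protocol and not the Pravail APS logic: it models one defensible way to drive such a trigger, requiring the inbound rate to stay above a fraction of link capacity for several consecutive intervals before requesting cloud mitigation, and to stay low for several intervals before releasing it, so that a single spike does not hand traffic off to the scrubbing center and a brief dip does not hand it back. Link capacity, the appliance's own mitigation limit, the interval length and the signal names are constructed for this example.

```python
"""Threshold-driven escalation from on-premise mitigation to cloud scrubbing.

Added example, not Arbor's Cloud Signaling implementation. It models the
decision an on-premise device has to make when "a threshold is reached":
ask the upstream scrubbing service for help only on sustained exceedance,
and release only after traffic has stayed low, to avoid flapping the
(BGP-driven, slow to converge) redirection. All numbers are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class CloudSignaler:
    link_capacity_bps: float
    on_prem_mitigation_bps: float    # what the local appliance can scrub by itself (assumed)
    trigger_fraction: float = 0.8    # request cloud help when inbound > 80% of link capacity...
    trigger_intervals: int = 3       # ...for this many consecutive measurement intervals
    release_fraction: float = 0.5    # release when inbound < 50% of link capacity...
    release_intervals: int = 5       # ...for this many consecutive intervals (hold-down)
    cloud_active: bool = False
    _over: int = 0                   # consecutive intervals above the trigger line
    _under: int = 0                  # consecutive intervals below the release line
    events: list = field(default_factory=list)   # (interval, signal name) emitted so far

    def observe(self, interval_idx: int, inbound_bps: float) -> str:
        """Feed one measurement interval; returns the current mitigation posture."""
        over = inbound_bps > self.trigger_fraction * self.link_capacity_bps
        under = inbound_bps < self.release_fraction * self.link_capacity_bps
        self._over = self._over + 1 if over else 0
        self._under = self._under + 1 if under else 0

        if not self.cloud_active and self._over >= self.trigger_intervals:
            self.cloud_active = True
            self._under = 0
            self.events.append((interval_idx, "CLOUD_SIGNAL_REQUEST_MITIGATION"))
        elif self.cloud_active and self._under >= self.release_intervals:
            self.cloud_active = False
            self._over = 0
            self.events.append((interval_idx, "CLOUD_SIGNAL_RELEASE_MITIGATION"))

        if self.cloud_active:
            return "in_cloud_scrubbing"
        if inbound_bps > self.on_prem_mitigation_bps:
            # The local appliance is past its own limit but the cloud is not yet engaged:
            # this is the window the consecutive-interval requirement deliberately accepts.
            return "on_prem_saturated"
        return "on_prem"


def run_scenario(samples, **signaler_kwargs):
    """Replay a sequence of inbound rates (one per interval); returns (postures, events)."""
    s = CloudSignaler(**signaler_kwargs)
    postures = [s.observe(i, bps) for i, bps in enumerate(samples)]
    return postures, s.events


# Constructed scenario on a 1 Gb/s link with 1-second intervals: a one-interval spike
# must not trigger, a sustained flood must, and the release must wait out the hold-down.
SCENARIO = (
    [100e6] * 3        # normal load, 100 Mb/s
    + [900e6]          # single-interval spike: shorter than trigger_intervals, no signal
    + [100e6] * 2
    + [950e6] * 6      # sustained flood above 80% of capacity
    + [300e6] * 8      # attack subsides; clear only after 5 consecutive low intervals
)

if __name__ == "__main__":
    postures, events = run_scenario(SCENARIO, link_capacity_bps=1e9, on_prem_mitigation_bps=500e6)
    for i, (bps, posture) in enumerate(zip(SCENARIO, postures)):
        print(f"t={i:2d} {bps/1e6:5.0f} Mb/s -> {posture}")
    print(events)
```

The two hysteresis bands are the point of the example: the trigger line (80%) sits well above the release line (50%), and each has its own consecutive-interval count, so the state machine cannot oscillate between on-premise and cloud postures on noisy input. The `on_prem_saturated` posture makes the trade-off explicit: a shorter `trigger_intervals` engages the cloud sooner at the cost of more false hand-offs on transient bursts.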


Conclusion

Organizations today are often ill-prepared to protect their globally dispersed networks against highly targeted, complex and multi-layered DDoS attacks. The new attack reality calls for an integrated multi-layer solution designed to fend off assaults by employing the most effective detection technique at the most efficient location, whether that means on-premise or in the cloud.

Arbor Cloud offers 24x7 DDoS protection from the premises to the cloud using Arbor’s proven DDoS detection and mitigation solutions at both ends. In-cloud protection is designed to block high-bandwidth DDoS attacks that flood your network with traffic. Meanwhile, on-premise protection helps prevent low-bandwidth, hard-to-detect attacks that bypass existing security devices like firewalls and IPS devices, and target the applications that keep your business running. It’s all supported by Arbor’s 24x7 Security Operations Center staffed by our DDoS and security experts.

For more information about how Arbor Cloud can help protect your enterprise against today’s multi-layer DDoS attacks, please contact your Arbor representative or log on to www.arbornetworks.com/products/arbor-cloud.

Corporate Headquarters
76 Blanchard Road
Burlington, MA 01803 USA
Toll Free USA +1 866 212 7267
T +1 781 362 4300

Europe
T +44 207 127 8147

Asia Pacific
T +65 68096226

www.arbornetworks.com

© 2013 Arbor Networks, Inc. All rights reserved. Arbor Networks, the Arbor Networks logo, Peakflow, ArbOS, Pravail, Arbor Optima, Cloud Signaling,
Arbor Cloud, ATLAS, and Arbor Networks. Smart. Available. Secure. are all trademarks of Arbor Networks, Inc. All other brands may be the trademarks
of their respective owners.
SB/ACE/EN/1113-LETTER
