May 10, 2011, 6:42 AM — Arbor Networks today announced security gear designed to work in the enterprise data center to detect and mitigate distributed denial-of-service (DDoS) attacks that crush network availability or tie up servers.
Until now, Arbor's anti-DDoS equipment, called Peakflow, has been aimed at Internet service providers, carriers and managed security providers so they can detect malicious traffic flows and filter them out upstream from the customer. In contrast, the Arbor Pravail Availability Protection System (APS) appliances unveiled today are intended for use in the customer data center in order to immediately stop at least some level of an incoming DDoS attack if not all of it. Arbor is also proposing a way that the new equipment will be able to communicate and work with the provider-operated Peakflow gear, if need be, to automate an anti-DDoS response.
Arbor's idea about having the Pravail equipment share information with provider-operated Peakflow gear is groundbreaking. "This could create a hybrid type of solution," says Michael Suby, vice president of research in Frost & Sullivan's Stratecast division, adding there's a lot of discussion going on in the industry, including with some of Arbor's competitors, on how to move in this direction.
Arbor executives say that with Pravail, the goal is to avoid the immediate crushing loss of bandwidth and server availability that comes with a DDoS attack.
Arbor says that since 2009 there has been a sharp increase in application-layer DoS attacks aimed at tying up Web, DNS and SMTP servers.
The Pravail APS line of appliances is designed to detect both large volumetric attacks and more subtle application-layer denial-of-service attacks. The enterprise-focused anti-DDoS equipment, which Arbor says would typically be installed in front of the Internet firewall and near routers with upstream connections to providers, is expected to ship in the third quarter as a line of four anti-DDoS appliances supporting speeds from 2Gbps to 10Gbps.
The Pravail APS gear, going into beta this month, might not be able to stop all attacks that exceed the bandwidth capability of the device, and there could still be a need to ask for assistance from a service provider capable of filtering out DDoS streams. Upstream filtering of DDoS attacks is something often provided today as a service by carriers such as AT&T and Verizon.