Want to prevent traffic floods? Flood some cash to Arbor!
July 01, 2019

Anonymous | TrustRadius Reviewer
Score 6 out of 10
Vetted Review
Verified User

Overall Satisfaction with Arbor SP

We use Arbor Peakflow SP (which is being/has been rebranded to Netscout Sightline) in conjunction with Arbor TMS to provide out-of-band DDoS mitigation and traffic analytics. It is primarily used by our NOC/SOC. The SP peers with our edge routers via BGP and collects netflow and SNMP data to determine malicious attack patterns and trigger alerts to let us know ASAP when we or a customer are under attack. The SP controls the TMS appliances to make BGP flowspec announcements to the edge routers (the TMS also peers with the edge routers via BGP) and offramp traffic to specific destination IP addresses on specific ports based on attack signatures and mitigation methods enabled.
  • Arbor's layer 7 countermeasures are very good out of the box, but it is very easy to reconfigure values and see the impact in real-time.
  • Peakflow SP provides fairly detailed traffic analysis and breakdown for top-N data such as top talkers, top ASNs, top ports and so on. They offer "SP Insight" as a product to build in more powerful reporting on the already-collected metrics with an interface very similar to Kibana or one of its many forks. We are not licensed for that so I can't speak to its capabilities.
  • Arbor allows for a good amount of automation. Fast flood detection ensures that if pre-determined thresholds are quickly exceeded, preconfigured mitigations can be started or in the event of an extremely large volumetric attack you can trigger an Arbor Cloud (sold separately) mitigation or a remotely-triggered blackhole announcement to drop traffic to the attacked destination IP address(es) upstream.
  • ATAC (Arbor support) is very helpful. The level of support our organization maintains covers ATAC performing all update functions to all Arbor appliances - SP and TMS.
  • All Arbor products are extremely expensive. "If-you-have-to-ask-you-probably-can't-afford-it" expensive. That being said, if you play your cards right and negotiate you can get the price down to a better price.
  • They recently updated their API from SOAP to REST. This is a good thing. They version their API as they add and remove methods. This is also a good thing. Every time they add a new version, they immediately sunset the previous version. This is not a good thing as it requires a lot of updates to code if you were previously using a method that has been modified/deleted/renamed.
  • SP with TMS relies heavily on SNMP, netflow, and BGP information. If any one of those components fails for any given router, the Peakflow system's usefulness becomes extremely limited.
  • Be prepared to answer questions when you eventually receive an attack that cannot be mitigated by the Peakflow system. Eventually you will get a large volume attack that will fill your pipes before the traffic can be offramped. This isn't a criticism of Arbor specifically; there's nothing you can do about that on-premises with an on-premises solution. Just make sure you level-set before making a large purchase like this to avoid difficult "explain why we purchased DDoS mitigation if it can't mitigate a DDoS" meetings.
  • We have been able to keep our highest-priority customers up and running during long-running attacks, preventing paying out SLA credits.
  • Our website and shopping carts have been victims of attacks we have been able to mitigate and avoid damage to our brand/company image.
  • We have run into some appliances that have been made end of life with little notice - as little as one month. It is difficult to get a return on your investment when your intended hardware lifecycle is thrown out the window.
We evaluated Corero and a number of external scrubbing services.

In the POC, we found Corero's mitigation capabilities to be extremely limited beyond blocking common traffic types at preconfigured rates. It's not impossible to configure custom mitigation methods and countermeasures, but it requires a deep understanding of BPF and bytecode, where Arbor is checkboxes, radio buttons, and dialog buttons that all sit next to a graph showing traffic dropped and permitted by the current settings.

I'm not going to enumerate each of the cloud services evaluated because the decision came down to the same reasoning. The amount of traffic we receive is enough that it would be prohibitively expensive for our use case.
Good fit
  • If you receive layer 7 attacks on a regular basis targeting critical infrastructure that needs to stay up, this is a good fit in conjunction with out-of-band TMS or in-band APS. This is obviously going to be contingent on your budget.
Not a good fit
  • If you are looking to mitigate large volume attacks that are saturating your uplinks to the Internet and taking your entire network down, this (or any on-premises solution, for that matter) is not the solution for you. Look into any external DDoS scrubbing service to let them take the blow and return only the clean traffic to you.
  • The Peakflow system has many features similar to an IPS, with the ability to block traffic based on layer 7 signatures, by country code, etc., and it may be tempting to use this as an IDS/IPS solution. This will cause issues for a few reasons, chief among them is that the system is not intended for permanent or indefinite mitigations. Additionally, signatures are only updated on software version upgrades.
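As an added illustration that is not part of this review or of Arbor's software, the decision logic the reviewer describes is sketched below in Python over constructed flow records: a per-destination packet-rate threshold that starts a TMS offramp via a flowspec redirect, and a blackhole (RTBH) decision when the attack volume already exceeds what the uplink can carry. The threshold values, the record layout, the rendered match string and the `decide` function are assumptions for the example, not Arbor's defaults or its API.

```python
from collections import defaultdict

# Constructed sample flow records for one 60-second window:
# (dst_ip, dst_port, ip_proto, packets, bytes). Not real traffic.
FLOWS = [
    ("203.0.113.10", 53, 17, 6_000_000, 360_000_000),    # UDP/53 flood, small packets
    ("203.0.113.10", 443, 6, 600, 90_000),               # a little legitimate HTTPS
    ("203.0.113.20", 80, 6, 6_000_000, 8_400_000_000),   # large-packet flood
    ("203.0.113.30", 443, 6, 6_000, 1_200_000),          # normal traffic
]

# Hypothetical policy values, not Arbor defaults: the per-destination packet rate
# that starts a TMS offramp, and the uplink capacity beyond which offramping
# on-premises cannot help because the pipe is already full.
OFFRAMP_PPS = 50_000
UPLINK_BPS = 1_000_000_000


def aggregate(flows, window_s):
    """Sum packet and bit rates per destination and count packets per (proto, port)."""
    per_dst = defaultdict(lambda: {"pps": 0.0, "bps": 0.0, "ports": defaultdict(int)})
    for dst, port, proto, pkts, nbytes in flows:
        d = per_dst[dst]
        d["pps"] += pkts / window_s
        d["bps"] += nbytes * 8 / window_s
        d["ports"][(proto, port)] += pkts
    return per_dst


def decide(flows, window_s=60):
    """Return one mitigation decision per destination that crosses the flood threshold."""
    actions = {}
    for dst, d in aggregate(flows, window_s).items():
        if d["pps"] < OFFRAMP_PPS:
            continue  # below threshold: keep collecting, no alert
        if d["bps"] >= UPLINK_BPS:
            # Volumetric beyond pipe size: only an upstream drop (RTBH) or an
            # external scrubbing service can relieve the link.
            actions[dst] = {"action": "rtbh", "pps": d["pps"], "bps": d["bps"]}
        else:
            # Offramp the dominant protocol/port through the TMS via a flowspec
            # redirect; the match string is an illustrative rendering, not BGP wire format.
            proto, port = max(d["ports"], key=d["ports"].get)
            actions[dst] = {"action": "flowspec-redirect", "pps": d["pps"],
                            "match": f"dst {dst}/32 proto {proto} dport {port}"}
    return actions


if __name__ == "__main__":
    for dst, a in decide(FLOWS).items():
        print(dst, a)
```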