Want to prevent traffic floods? Flood some cash to Arbor!
July 01, 2019
Score 6 out of 10
Vetted Review
Verified User
Overall Satisfaction with Arbor SP
We use Arbor Peakflow SP (which is being/has been rebranded to Netscout Sightline) in conjunction with Arbor TMS to provide out-of-band DDoS mitigation and traffic analytics. It is primarily used by our NOC/SOC. The SP peers with our edge routers via BGP and collects netflow and SNMP data to determine malicious attack patterns and trigger alerts to let us know ASAP when we or a customer are under attack. The SP controls the TMS appliances to make BGP flowspec announcements to the edge routers (the TMS also peers with the edge routers via BGP) and offramp traffic to specific destination IP addresses on specific ports based on attack signatures and mitigation methods enabled.
- Arbor's layer 7 countermeasures are very good out of the box, but it is very easy to reconfigure values and see the impact in real-time.
- Peakflow SP provides fairly detailed traffic analysis and breakdown for top-N data such as top talkers, top ASNs, top ports and so on. They offer "SP Insight" as a product to build in more powerful reporting on the already-collected metrics with an interface very similar to Kibana or one of its many forks. We are not licensed for that so I can't speak to its capabilities.
- Arbor allows for a good amount of automation. Fast flood detection ensures that if pre-determined thresholds are quickly exceeded, preconfigured mitigations can be started or in the event of an extremely large volumetric attack you can trigger an Arbor Cloud (sold separately) mitigation or a remotely-triggered blackhole announcement to drop traffic to the attacked destination IP address(es) upstream.
- ATAC (Arbor support) is very helpful. The level of support our organization maintains covers ATAC performing all update functions to all Arbor appliances - SP and TMS.
- All Arbor products are extremely expensive. "If-you-have-to-ask-you-probably-can't-afford-it" expensive. That being said, if you play your cards right and negotiate you can get the price down to a better price.
- They recently updated their API from SOAP to REST. This is a good thing. They version their API as they add and remove methods. This is also a good thing. Every time they add a new version, they immediately sunset the previous version. This is not a good thing as it requires a lot of updates to code if you were previously using a method that has been modified/deleted/renamed.
- SP with TMS relies heavily on SNMP, netflow, and BGP information. If any one of those components fails for any given router, the Peakflow system's usefulness becomes extremely limited.
- Be prepared to answer questions when you eventually receive an attack that cannot be mitigated by the Peakflow system. Eventually you will get a large volume attack that will fill your pipes before the traffic can be offramped. This isn't a criticism of Arbor specifically; there's nothing you can do about that on-premises with an on-premises solution. Just make sure you level-set before making a large purchase like this to avoid difficult "explain why we purchased DDoS mitigation if it can't mitigate a DDoS" meetings.
- We have been able to keep our highest-priority customers up and running during long-running attacks, preventing paying out SLA credits.
- Our website and shopping carts have been victims of attacks we have been able to mitigate and avoid damage to our brand/company image.
- We have run into some appliances that have been made end of life with little notice - as little as one month. It is difficult to get a return on your investment when your intended hardware lifecycle is thrown out the window.
We evaluated Corero and a number of external scrubbing services.
In the POC, we found Corero's mitigation capabilities to be extremely limited beyond blocking common traffic types at preconfigured rates. It's not impossible to configure custom mitigation methods and countermeasures, but it requires a deep understanding of BPF and bytecode, where Arbor is checkboxes, radio buttons, and dialog buttons that all sit next to a graph showing traffic dropped and permitted by the current settings.
I'm not going to enumerate each of the cloud services evaluated because the decision came down to the same reasoning. The amount of traffic we receive is enough that it would be prohibitively expensive for our use case.
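An added example, not from the reviewer and not Arbor/Netscout code, of the two mechanisms the review describes: a per-destination rate check over flow records (the "pre-determined thresholds" that trigger fast flood detection) and the BGP flowspec NLRI (RFC 8955 encoding) that would be announced to offramp traffic for one destination prefix and port. The flow records, the 60-second export window and the threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Flowspec component types from RFC 8955; components must appear in ascending type order.
DEST_PREFIX, IP_PROTO, DEST_PORT = 1, 3, 5
WINDOW_S = 60  # assumption: each flow record batch covers a 60-second export window

def _numeric_op(values):
    """Encode ORed 'equals' matches as RFC 8955 numeric operator/value pairs."""
    out = bytearray()
    for i, v in enumerate(values):
        size = 1 if v < 256 else 2          # ports above 255 need a 2-byte value
        op = 0x01                           # eq bit
        op |= 0x10 if size == 2 else 0x00   # length field: 00 = 1 byte, 01 = 2 bytes
        if i == len(values) - 1:
            op |= 0x80                      # end-of-list bit on the last pair
        out.append(op)
        out += v.to_bytes(size, "big")
    return bytes(out)

def flowspec_nlri(dst_prefix, dst_ports=(), protocols=()):
    """Build the flowspec NLRI (length + components) matching a destination prefix,
    optionally narrowed to IP protocols and destination ports."""
    net = ipaddress.ip_network(dst_prefix)
    body = bytearray([DEST_PREFIX, net.prefixlen])
    body += net.network_address.packed[:(net.prefixlen + 7) // 8]  # minimal prefix bytes
    if protocols:
        body.append(IP_PROTO)
        body += _numeric_op(list(protocols))
    if dst_ports:
        body.append(DEST_PORT)
        body += _numeric_op(list(dst_ports))
    if len(body) < 240:                     # short form: one length byte
        return bytes([len(body)]) + bytes(body)
    return (0xF000 | len(body)).to_bytes(2, "big") + bytes(body)  # long form

def flooded_destinations(flows, bps_threshold):
    """flows: (dst_ip, dst_port, bytes) records for one window.
    Returns {dst_ip: average bps} for destinations above the threshold."""
    totals = defaultdict(int)
    for dst_ip, _dst_port, nbytes in flows:
        totals[dst_ip] += nbytes
    rates = {ip: b * 8 / WINDOW_S for ip, b in totals.items()}
    return {ip: r for ip, r in rates.items() if r > bps_threshold}

# Constructed sample: two large flows to one web host, one small flow elsewhere.
SAMPLE_FLOWS = [("192.0.2.10", 80, 9_000_000_000),
                ("192.0.2.10", 80, 6_000_000_000),
                ("192.0.2.20", 443, 12_000_000)]

if __name__ == "__main__":
    for ip, bps in flooded_destinations(SAMPLE_FLOWS, 1_000_000_000).items():
        print(f"{ip}: {bps / 1e9:.1f} Gbps -> NLRI {flowspec_nlri(ip + '/32', [80]).hex()}")
```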