Arbor White Paper
Protecting IP Services
from the Latest
Trends in Botnet
and DDoS Attacks
Global Insights, Detection Strategies
and Mitigation Methods
About Arbor Networks
Arbor Networks, Inc. is a leading provider of network security and management solutions for enterprise and service provider networks, including the vast majority of the world’s Internet service providers and many of the largest enterprise networks in use today. Arbor’s proven network security and management solutions help grow and protect customer networks, businesses and brands. Through its unparalleled, privileged relationships with worldwide service providers and global network operators, Arbor provides unequalled insight into and perspective on Internet security and traffic trends via the ATLAS® Active Threat Level Analysis System. Representing a unique collaborative effort with 230+ network operators across the globe, ATLAS enables the sharing of real-time security, traffic and routing information that informs numerous business decisions.
Arbor White Paper: Protecting IP Services from the Latest Trends in Botnet and DDoS Attacks
Victims of these crippling and widespread Internet-based
attacks include Internet service providers (ISPs), enterprises
and broadband subscribers alike. To make matters worse,
Internet service subscribers are often unknowing participants
in the proliferation and execution of many such attacks. This
occurs when hackers covertly pirate subscribers’ high-speed
connections and compromise their PCs—turning them into
zombies that form a huge army of malicious botnets. Remotely
controlled by hackers, these botnets wreak havoc throughout
the Internet by executing all kinds of malware and DDoS
attacks. According to a recent study from Arbor Networks
entitled “Worldwide Infrastructure Security Report, Volume III”
(www.arbornetworks.com/report), botnets and DDoS attacks
are the top concerns of today’s Internet services providers.
Together with large-scale malware, these threats can
severely compromise an ISP’s core equipment, resources
and business-critical IP services.
Emerging technologies introduce additional vulnerabilities
that put today’s networks at even greater risk of security
threats. Service providers around the world, eager to obtain
the operational and competitive advantages of new technical
innovations, are accelerating their deployment of networks
built on high-speed fiber optics and IP-based services, such
as MPLS, IPTV, VoIP and VPN.
Although there clearly is a broad range of benefits available
from these new networks and services, there is an equally
broad range of security threats that can seriously curtail or
even wipe out those benefits. Service providers recognize that
if they are to realize the promise of next-generation IP-based
services, they must understand the nature and power of their
cyber-enemies. Armed with this knowledge, providers can deploy
the necessary solutions designed to defend their networks and
services from the threats that are out there today—and the
ones that surely will emerge in the future.
Deliberate attacks on service provider networks are, and will
continue to be, a major headache for ISPs and their customers.
The U.S. Federal Bureau of Investigation (FBI) estimates that
computer crime costs American companies alone a staggering
$62 billion a year.
For each of the last three years, Arbor Networks has
conducted a survey of service providers in North America,
Europe and Asia to determine their experiences with security
threats. This section provides subjective data from this survey
(Worldwide Infrastructure Security Report, Volume III) in
conjunction with objective findings from the Arbor Security
Engineering and Response Team (ASERT), a world-renowned
group of security engineers and researchers dedicated to
monitoring Internet threats on a 24/7 basis. ASERT mines
and correlates up-to-the-minute global security data, continually
analyzing it to detect and qualify developing Internet threats.
DDoS Attack and Botnet Trends
Distributed denial of service (DDoS) attacks first made the news in February 2000
and have maintained a high media profile ever since—a fact made evident by the
following headlines:
“Amazon.com, eBay, Yahoo Crippled by DoS Attacks” — February 2000
“Massive DDoS Attack Hits Internet DNS Root Servers” — October 2002
“MyDoom Becomes the Internet’s Fastest Spreading Worm Ever” — January 2004
“Top Threats in 2006: SQL Slammer & Blaster Worm” — October 2006
“Storm Worm Rages Through Internet Over the Weekend” — January 2007
“Cyber Attacks on Estonia” — May 2007
DDoS Attacks Continue to Grow in Size
and Frequency
According to data received from the survey, there has been a
140 percent increase in the size of the largest detected DDoS
attack over the last three years. In 2007, the largest observed
sustained attack was 24 Gbps, compared to 17 Gbps in 2006.
Thirty-six percent of the surveyed ISPs reported that they had observed attacks of over 1 Gbps in 2007. This is significant because most Internet backbone links are 10 Gbps and enterprise circuits are multi-gigabit in size.
Additionally, Arbor research conducted from September 2006
through August 2007, a period of 321 days, revealed that
there were 362,394 DDoS attacks—an average of 1,128
attacks per day.
DDoS Attack Protocols
When asked in the survey “Which protocols were being used
for the largest attacks, considering both packets-per-second
(pps) and bits-per-second (bps)?” the responses were:
Largest Attacks (bps): Forty-three percent of the attacks
were UDP floods (e.g., Smurf attacks or ICMP floods),
19 percent were application attacks (e.g., sending malformed
DNS packets or opening excessive HTTP connections) and
18 percent were TCP SYN attacks.
Largest Attacks (pps): Forty-one percent of the attacks
were UDP floods, 26 percent were TCP SYN attacks and
17 percent were application attacks.
Statistical data recently released by ASERT matches some
of the survey responses:
Figure 1: Largest Bandwidth Attacks Reported (Gbps by year, 2002–2011; chart not reproduced)
Source: Arbor Networks, Inc.

Attack Subtype            Percent of Total Attacks
TCP SYN                   15.53
IP Fragment               14.41
TCP Reset                  6.45
Private IP Space           1.22
IP NULL Protocol           0.78
TCP NULL Flag              0.57
DNS                        0.23
ASERT continues to see dramatic activity in this realm, with
thousands of attacks occurring daily. Below is an excerpt of
ASERT’s analysis of the above statistics.
• Transmission Control Protocol (TCP) attacks continue to
dominate the DDoS landscape, being both powerful and easy
to launch. Attackers continue to favor this attack for its efficacy
against a wide variety of services and hosts, providing both a
bandwidth-exhaustion attack as well as a system attack on
the host OS and application.
• Although the number of DNS-based attacks (including DNS
reflective amplification attacks) has increased, these attacks
still have not grown to the level of popularity of common
vectors, such as IP NULL protocol attacks.
• Despite the relatively low prevalence of DNS-based attacks,
there was much concern in the past year about DNS
amplification attacks. But aside from a spike in March 2007
when their prevalence matched that of ICMP attacks, DNS
attacks have been relatively infrequent. It is hard to say at
this time if this is an actual relative prevalence or if this is
due to the emerging deployments of sensors capable of
classifying and mitigating DNS attacks.
Botnets Are a Top Concern for ISPs
Botnets, a major problem identified by ISPs, continue to plague
the Internet. In fact, botnets are considered a growth sector
within the attacker underground, with new code bases, uses
and operators frequently appearing. For ISPs and network
operators, botnets represent a multi-faceted threat. First, they
remain a major source of DDoS attacks. Secondly, they have
become a serious source of spam email traffic, which burdens
the email processing infrastructure of all providers. Finally, the
scanning and attack activity of a large botnet can disrupt normal
network operations and cause outages. For all these reasons,
most ISPs are concerned with large-scale malcode, most
commonly embodied in botnets.
Not surprisingly, much of this concern was corroborated by
respondents of the survey. When asked “What types of threats
are you most concerned with?” botnets and DDoS attacks
topped the list. The survey results were:
Primary Concerns: Twenty-nine percent of ISPs said botnets
and 24 percent said DDoS.
Secondary Concerns: Thirty-one percent said botnets and
20 percent said DDoS.
ISPs observed that botnets were used for:
• DDoS attacks (71 percent)
• Sending spam (64 percent)
• Parts of phishing systems (37 percent)
• Open proxies (34 percent)
• Storing ID theft information (16 percent)
• Other (6 percent)
According to survey respondents, these new botnets exhibited
the following characteristics:
• They were smaller but more targeted, effective and organized.
• They employed protection such as encryption, peer-to-peer communication and MD5/SHA-1-based counter-reconnaissance.
• They were distributed in nature, making the attacks more complicated and the location of the master controller more difficult.
Botnet Growth Patterns
Recent ASERT research shows that botnet server lifetimes
fall into a very specific pattern commonly referred to as a
long-tailed distribution. The data from this research clearly
indicates that most botnet servers—nearly 65 percent—are
found and disabled within the first day of their operation. This
suggests that there are very effective networks for gathering
information about new botnets and sharing it with the right
network or system operators. It is this communication that
leads to disabling the host with the botnet IRC server. Overall,
if a botnet is able to make it past the first day, it has a fair
chance of surviving for several months or more. Research also
shows that some botnets remain active for nearly a year. The
fact that known botnets can operate for this long should be
a call-to-arms for all ISPs.
Apart from a few bursts of activity, between 10 and 20 new
botnet servers are found every day. Factoring in the number of
such servers disabled daily, approximately 1500-1800 botnet
servers are currently active—a number that is slowly rising. This
trend is likely to continue as the number of IRC botnet servers
keeps growing for the foreseeable future.
Botconomics: The Underground Economy
of Botnets
There are many reasons for a miscreant to initiate a botnet
attack. Some attacks have religious or political motivation
behind them. Some are simply ego-driven as professional
hackers or script kiddies compete to see who can cause the
most damage by infiltrating the biggest and most secure sites.
With that said, the most serious attacks usually have financial
goals in mind. Extortion, stealing money from compromised
online bank accounts, luring innocent users to phishing sites,
the illegal use of stolen credit cards—these are common
results of botnet attacks. In fact, there is an underground
economy emerging to support the building, selling and buying
of botnet attack tools, an economy that Arbor Networks has
coined “Botconomics.™”
Botconomics is fueling the rapid growth of the botnet world.
The simple motivation behind the rise in botnets is money.
Years ago, hackers had to be technically savvy and know how
to write code to initiate an attack or create a botnet. Today,
they can buy and sell that code in online markets, which are
likened to traditional underground markets. In fact, there are
such online communities available to anyone who earns their
trust—usually demonstrated by getting a certain quantity of
stolen credit cards, bandwidth or email addresses to build
street credibility. ASERT has uncovered numerous sites
which boldly market their botnets and booty.
Some examples of common advertisements and the prices they quote are listed in the table below.
Often these disreputable sites advertise their botnets via
discreet email campaigns. A recently discovered email touted
botnet servers that provided:
• Excellent ping and uptime
• Rotating IP addresses
• Different ISPs
• Intuitive user interface
• Online technical support
• SLAs: 100 percent uptime guarantee!
Botnets and attack code continue to evolve as the cat-and-
mouse game between hackers and security vendors reaches
new levels. Today’s hackers are even writing code to evade
current AV databases, disable auto-update functions and
evaluate botnet connectivity speed and availability.
Item                          Range of Prices
.net Domain Names             $0.05
nasa.gov Domain Names         $0.05
Proxies                       $0.50 – $3
Credit Cards                  $0.50 – $5
Email Passwords               $1 – $350
Email Addresses               $2/MB – $4/MB
Compromised UNIX Shells       $2 – $10
Social Security Numbers       $5 – $7
Mailers                       $8 – $10
Scams                         $10/week
Full Identity                 $10 – $150
Bank Accounts                 $30 – $400
Question & Answer Session
Dr. Craig Labovitz

Why is the number, frequency and intensity of infrastructure threats rising?

Over the last three or four years, the hacker/miscreant community has recognized that it is sometimes far more effective to go after the infrastructure than the end systems. So the attacker targets a particular Web site based on his personal or financial motive. Maybe it’s a gambling or porn site, an online bank or some other cyber community that hasn’t bent to his wishes or paid his [extortion] demand. By actually attacking the infrastructure, whether it be upstream routers, upstream interfaces or even things like the routing protocols, the attacker can be very effective in taking that institution off the network. In fact, that is sometimes easier than trying to attack an individual PC or workstation.

Managed security services is clearly a growth market. Yet some enterprises may be reluctant to outsource their security. Generally speaking, who is best positioned to protect enterprise networks—the service provider or the enterprise itself? Or is the ideal protection an approach based on mutual cooperation between the two?

We are seeing a lot of interest in the latter. If the service provider is your internal network, then it makes sense for the service provider to offer internal security. In fact, there are some things only the provider can do. For example, large bandwidth attacks need to be blocked within the provider’s network. So it does make sense for many of these services to be offered in the cloud, where they can be scalable and provided more effectively.

Are service providers and their customers to be relegated forever to the reactive mode? Or will they at some point be able to take the offense and go after would-be attackers before they attack?

Just like in banking, security is crucial to service providers and their customers. But I don’t walk into my local bank and worry about whether there’ll be some type of event while I’m there. I don’t worry about my money being safe in the bank. It’s not that bank robberies don’t happen, it’s just that there’s enough infrastructure in place that it’s not a daily concern. And I pay for that as a consumer—for the doors, the vaults and all the additional security. It just becomes part of daily life. It’s often said about security that it’s always a trade-off with usability. The Internet is no different.

Today, a large number of folks out there are paying for network security features including DDoS protection, which most major service providers offer. These security features are either built into the basic price or there is a small additional fee. For the most part, it’s mostly a solved problem—at least for the moment. We aren’t seeing major sites like eBay, Yahoo! and Amazon coming under attack today like we did back in 2000. But it’s a cycle, like anything else. We’re entering a period of increased risk now as ISPs deploy advanced new services, next-generation networks, VoIP, convergence and other innovations—giving rise to more sophisticated zombie armies along with increased bot command and control. So the cycle continues.
Multiple Advantages of In-Cloud Security
As a result, it is imperative that ISPs have the proper level of
cost-effective, pervasive visibility into all network traffic in order
to ensure the optimized delivery of next-generation network
services. This visibility must penetrate all portions of an ISP
network (including its backbone, peering and transit points,
and customer aggregation edges) and cover all layers of the
communications stack (extending from the physical layer,
to routing and ultimately to the application-layer).
But pervasive visibility alone is not enough. ISPs also require
intelligent visibility into their networks in order to:
• Determine what’s “normal” versus “abnormal” network activity
• Conduct BGP route analytics for traffic engineering
• Identify the most cost-effective transit/peering relationships
• Analyze customer traffic for new service opportunities
• Detect and mitigate threats before they impact IP services
and customers
In this day and age when cyber-crimes and attacks require
little expertise, enterprises and ISPs are even more vulnerable
to Internet-based threats, such as botnet and DDoS attacks. It
also is becoming increasingly obvious that threat detection and
mitigation can only be done effectively—both from a cost and
performance perspective—from within the service provider’s
network. Such “in-cloud” security services can deliver multiple
benefits, namely:
Enterprise DDoS Protection
Enterprise customers continue to rely on their ISPs for
business-critical functions such as e-commerce, VoIP, B2B
connectivity, telecommuting and even back-end systems like
CRM (e.g., Salesforce.com). The disruption of these services
can have a major impact on business continuity. Many
enterprises are also beginning to realize that the high cost
and low effectiveness of some in-house security systems
do not make sense—specifically in the case of DDoS attacks.
Therefore, some enterprises are now taking a “layered” approach
and relying on their ISPs for in-cloud DDoS protection services
to detect and mitigate such attacks before they jeopardize
business continuity.
New Revenue Opportunities for ISPs
While some ISPs have looked at DDoS attacks as a curse,
others have seized the opportunity to differentiate themselves
and generate new revenue streams from managed security
services. In fact, according to Arbor Networks’ Worldwide
Infrastructure Security Report, Volume III, the number of
surveyed ISPs who offer managed security services jumped
from six in 2006 to 40 in 2007. Below are some examples
of in-cloud DDoS protection services being offered by
various service providers around the world today:
• Belgacom: Clean Internet Services
• British Telecom (BT): Managed DDoS Services
• Cable & Wireless: Anti-Distributed Denial of Service
and Secure Internet Gateway/DDoS Protection
• COLT: IP Guardian
• Rackspace: PrevenTier
• SAVVIS: Network-Based DDoS Mitigation
• TELUS: Managed DDoS Prevention
• The Planet: Peakflow® DDoS Detection
• Verizon Business: DoS Defense Detection and Mitigation
IP Service Assurance for ISPs
In-cloud DDoS detection and mitigation capabilities are not
only new managed service opportunities for an ISP, but they
also serve as network infrastructure protection systems that
help maintain the quality of business-critical services, such
as BGP routing, DNS and Triple Play. Specifically in the case
of Triple Play services, ISPs must maintain a minimum quality
of service (QoS) and reliable performance or risk losing their
customers to the competition. Botnet and DDoS attacks can
dramatically impact the performance and customer-perceived
quality of these services. It is imperative, therefore, that ISPs
have the means to provide in-cloud security services that can
quickly detect and mitigate network-based threats.
As botnets and DDoS attacks continue to increase in size, frequency and complexity, they
impact not only their target victims, but also the network infrastructure of ISPs that are,
unfortunately, the conduit for these attacks.
With their networks and services under constant attack by an ever-growing rogue’s gallery of spammers, phishers, bot herders and other miscreants, service providers must invest more and more resources to secure their networks, reputations and profits.
To better understand and visualize complex networks,
advanced security solutions such as Peakflow SP (“Peakflow
SP”) use relational modeling to learn about a wide range of
relationships on the network. Rather than taking the traditional
approach of studying traffic only at a single point in the
network, these solutions build an internal model of normal
network conversations between/among many different
network participants, including customers, departments, partners,
peers or even the Internet as a whole. After determining the
“normal” state of network operations, these security solutions
apply various types of algorithms to detect any anomalies in
the network.
Built-in anomaly detection capabilities enable solutions
such as Peakflow SP to evaluate potential threats against
a service provider’s or enterprise’s unique network
baseline, virtually eliminating false alarms and making fast,
accurate determinations. In addition, because these solutions
are constantly learning, they do not require the same levels of
tweaking and configuration that characterize many networking
and security technologies. With extensive visibility, service
providers and large enterprises can make informed decisions
about whether they need to increase network capacity—or
whether they can delay infrastructure investments and lower
costs by recovering bandwidth on the existing network. Having
deep visibility into network resources also helps service
providers gain the insight needed for performing traffic planning,
making peering arrangements, conducting market-to-market
analyses and analyzing routing patterns.
Multiple Methods of Threat Detection
and Mitigation
The Peakflow SP platform is a comprehensive threat
management solution capable of detecting, mitigating and
reporting on many types of network threats. The Peakflow
SP solution has the ability to detect attacks based on the
following methods:
Misuse
Peakflow SP can be configured to detect high packet rates
for specific types of network traffic, such as DNS, ICMP, IP
fragments, IP null packets, TCP NULL, RST and SYN frames.
Many DDoS attacks utilize these vectors to saturate or bring
down circuits, servers or other IP services.
Abnormal Behavior
By profiling normal traffic levels, Peakflow SP can detect
anomalous traffic shifts in the network. Consequently, service
providers can detect availability threats before they impact a
customer’s service.
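The two detection methods just described, fixed-threshold misuse detection and baseline-driven anomaly detection, can be sketched in code. The following Python is added here as an illustration and is neither Arbor's code nor a description of how Peakflow SP implements them: it classifies constructed flow records into the attack vectors the paper names (TCP SYN, TCP Reset, TCP NULL flag, IP NULL protocol, IP fragment, DNS), raises a misuse alert when a destination's packet rate for a vector crosses a configured threshold, and raises an abnormal-behaviour alert when a managed object's current packet rate exceeds its learned mean by more than three standard deviations. The flow fields, thresholds, baseline samples and addresses are all constructed.

```python
"""Flow-based misuse detection and baseline anomaly detection (illustrative)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# TCP flag bits as exported in flow records.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class Flow:
    ts: int          # start second of the record
    src: str
    dst: str
    proto: int       # IP protocol number: 0 "IP NULL", 1 ICMP, 6 TCP, 17 UDP
    dport: int
    tcp_flags: int   # 0 for non-TCP records
    packets: int
    fragment: bool   # True when the record carries non-initial IP fragments


def classify(flow):
    """Map a flow onto one of the attack vectors the white paper names.
    Fragment and protocol checks come before port checks on purpose."""
    if flow.fragment:
        return "IP Fragment"
    if flow.proto == 0:
        return "IP NULL Protocol"
    if flow.proto == 1:
        return "ICMP"
    if flow.proto == 6:
        if flow.tcp_flags == 0:
            return "TCP NULL Flag"
        if flow.tcp_flags & SYN and not flow.tcp_flags & ACK:
            return "TCP SYN"
        if flow.tcp_flags & RST:
            return "TCP Reset"
        return "TCP other"
    if flow.proto == 17 and flow.dport == 53:
        return "DNS"
    return "other"


def misuse_alerts(flows, thresholds_pps):
    """Misuse detection: packets per second per (destination, vector) against
    fixed thresholds. Returns {(dst, vector): peak_pps} for every crossing."""
    pps = defaultdict(int)  # (second, dst, vector) -> packets
    for f in flows:
        pps[(f.ts, f.dst, classify(f))] += f.packets
    alerts = {}
    for (_, dst, vector), count in pps.items():
        limit = thresholds_pps.get(vector)
        if limit is not None and count > limit:
            alerts[(dst, vector)] = max(count, alerts.get((dst, vector), 0))
    return alerts


def baseline_alerts(history_pps, current_pps, k=3.0):
    """Abnormal behaviour: flag a managed object whose current pps exceeds its
    learned mean by more than k standard deviations. Returns {object: limit}."""
    flagged = {}
    for obj, samples in history_pps.items():
        mu, sigma = mean(samples), pstdev(samples)
        limit = mu + k * max(sigma, 1.0)  # floor keeps a flat baseline usable
        if current_pps.get(obj, 0) > limit:
            flagged[obj] = round(limit, 1)
    return flagged


# Constructed sample data using RFC 5737 documentation addresses, not real traffic.
SAMPLE_FLOWS = [
    Flow(100, "198.51.100.7", "203.0.113.10", 6, 80, SYN, 60000, False),
    Flow(100, "198.51.100.8", "203.0.113.10", 6, 80, SYN, 55000, False),
    Flow(100, "198.51.100.9", "203.0.113.10", 6, 80, SYN | ACK, 400, False),
    Flow(100, "198.51.100.20", "203.0.113.53", 17, 53, 0, 9000, False),
    Flow(100, "198.51.100.21", "203.0.113.11", 0, 0, 0, 12000, False),
    Flow(100, "198.51.100.22", "203.0.113.12", 6, 443, 0, 300, False),
    Flow(100, "198.51.100.23", "203.0.113.13", 17, 0, 0, 800, True),
]
THRESHOLDS = {"TCP SYN": 50000, "DNS": 20000, "IP NULL Protocol": 5000,
              "TCP NULL Flag": 1000, "IP Fragment": 5000, "ICMP": 20000}
HISTORY = {"customer-A-uplink": [1200, 1350, 1100, 1280, 1310, 1190],
           "customer-B-uplink": [8000, 8200, 7900, 8100, 8050, 7950]}
CURRENT = {"customer-A-uplink": 4800, "customer-B-uplink": 8250}

if __name__ == "__main__":
    print(misuse_alerts(SAMPLE_FLOWS, THRESHOLDS))
    print(baseline_alerts(HISTORY, CURRENT))
```

Note the difference in what each method needs: the misuse thresholds are static numbers an operator must pick per vector, while the baseline check needs only a learning period per managed object, which is why the paper describes the latter as requiring less tuning.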
Attack Fingerprints
The Arbor Security Engineering and Response Team (ASERT)
conducts threat analysis on a global basis. One of the
by-products of ASERT’s research is attack “fingerprints.” These
fingerprints are the specific network behavioral patterns that
individual attacks exhibit on the wire. Once these fingerprints
are loaded into the Peakflow SP product, they become active
security policies and can alert network operations and security
personnel to violations.
BGP Hijacking
Sometimes referred to as “IP hijacking,” BGP hijacking is the
illegitimate take-over of groups of IP addresses by corrupting
Internet routing tables. BGP hijacking is sometimes used by
malicious users to obtain IP addresses for spamming or
launching a DDoS attack.
Dark IP Space Monitoring
Peakflow SP considers any traffic that it sees as destined for unallocated dark space as malicious traffic. This traffic includes IP addresses that might perform host and port scans. A significant increase in dark IP traffic could indicate new malware, worms or other threats propagating across the network.
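As an added illustration of the monitoring just described (example code written for this page, not Peakflow SP's implementation), the Python below treats every flow aimed at an address inside the provider's aggregate but outside its allocated sub-prefixes as dark-space traffic, counts distinct dark destinations per source to surface host scans, and flags a sharp interval-over-interval jump in dark traffic of the kind the paragraph associates with propagating malware. The aggregate, the allocations and the flow tuples are constructed sample data.

```python
"""Dark IP space monitoring over flow records (illustrative)."""
import ipaddress
from collections import defaultdict

# Constructed allocation for a hypothetical ISP: the aggregate it announces and
# the sub-prefixes it has actually assigned. Anything in between is dark.
AGGREGATE = ipaddress.ip_network("203.0.113.0/24")
ALLOCATED = [ipaddress.ip_network(p) for p in ("203.0.113.0/26", "203.0.113.128/27")]


def is_dark(dst):
    """True when dst lies inside our aggregate but in no allocated sub-prefix."""
    addr = ipaddress.ip_address(dst)
    return addr in AGGREGATE and not any(addr in net for net in ALLOCATED)


def dark_traffic_report(flows):
    """flows: iterable of (src, dst, dport). Returns the number of dark flows,
    distinct dark destinations per source and distinct ports per source."""
    dark = 0
    dsts, ports = defaultdict(set), defaultdict(set)
    for src, dst, dport in flows:
        if is_dark(dst):
            dark += 1
            dsts[src].add(dst)
            ports[src].add(dport)
    return (dark,
            {s: len(v) for s, v in dsts.items()},
            {s: len(v) for s, v in ports.items()})


def scanners(flows, min_dark_dsts=3):
    """Sources that touch many distinct dark addresses look like host scans."""
    _, by_src, _ = dark_traffic_report(flows)
    return sorted(s for s, n in by_src.items() if n >= min_dark_dsts)


def dark_surge(previous_count, current_count, factor=5.0):
    """A sharp interval-over-interval rise in dark traffic is the propagation
    signal the paper describes. The floor of 1 keeps a quiet previous interval
    from reducing the comparison to zero."""
    return current_count >= factor * max(previous_count, 1)


SAMPLE_FLOWS = [  # constructed (src, dst, dport) tuples
    ("198.51.100.5", "203.0.113.10", 80),     # allocated: legitimate
    ("198.51.100.5", "203.0.113.130", 443),   # allocated
    ("198.51.100.9", "203.0.113.70", 445),    # dark
    ("198.51.100.9", "203.0.113.71", 445),    # dark
    ("198.51.100.9", "203.0.113.72", 445),    # dark
    ("198.51.100.9", "203.0.113.73", 445),    # dark: same source, 4 targets
    ("198.51.100.40", "203.0.113.200", 22),   # dark: single probe
    ("198.51.100.41", "192.0.2.9", 53),       # outside our aggregate: ignored
]

if __name__ == "__main__":
    count, by_src, by_port = dark_traffic_report(SAMPLE_FLOWS)
    print(count, by_src, by_port)
    print("scanners:", scanners(SAMPLE_FLOWS))
    print("surge:", dark_surge(previous_count=1, current_count=count))
```

The allocation list is the part that must be kept accurate: a customer prefix that is assigned but missing from it turns legitimate traffic into false "dark" alerts, which is the usual operational failure of this technique.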
The Best Defense: Anticipating and Mitigating Attacks
Once Peakflow SP detects an attack, the solution offers multiple
methods of mitigation, such as:
Access Control Lists
Peakflow SP can generate an access control list (ACL) for
an attack with unique characteristics that can be defined using
Layer 3-4 access controls. The ACL can then be manually
entered into key routers to mitigate an attack.
Black-Hole Routing
Peakflow SP can easily be integrated into the BGP routing
environment of any network. Peakflow SP can be configured
to conduct BGP black-hole routing or off-ramping for an attack
that must be dropped at the peering edge of the network. All
traffic to the destination host or network is null-routed or sent
to a next hop for inspection.
BGP Flow Spec
BGP flow spec provides a way to populate traffic filters through the BGP control plane. Peakflow SP can leverage routers with flow spec capabilities by transferring records over a BGP session between Peakflow SP and the routing infrastructure. ISPs can use flow spec to apply firewall- or access-control-list-style filtering to IP-reachable resources within the network. This allows ISPs to surgically and dynamically provide filters to specific routers in the network through well-known control channels.
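To make the difference between black-hole routing and flow spec concrete, the following Python (added here as an example; not Arbor's code and not how Peakflow SP talks to routers) encodes a flow spec rule the way it travels in the BGP NLRI per RFC 5575 (since replaced by RFC 8955 with the same encoding): destination prefix, IP protocol and destination port components, plus the traffic-rate extended community whose rate of 0 means discard. Beside it sits the host route an RTBH announcement carries. The ASN 64496, the documentation prefixes, the next-hop address and the :666 community value are conventions or constructed values, not settings from the paper.

```python
"""BGP flow spec rule encoding (RFC 5575 / RFC 8955) beside an RTBH route (illustrative)."""
import ipaddress
import struct

# Flow spec component types (RFC 5575 section 4).
DEST_PREFIX, SRC_PREFIX, IP_PROTO, DEST_PORT = 1, 2, 3, 5
# Numeric operator byte: end-of-list bit, value-length bits (00 = 1 byte,
# 01 = 2 bytes) and the equality comparison bit.
OP_END, LEN_1, LEN_2, OP_EQ = 0x80, 0x00, 0x10, 0x01


def _prefix_component(ctype, prefix):
    """<type><prefix length><prefix bytes, only as many as the length needs>."""
    net = ipaddress.ip_network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def _numeric_component(ctype, values):
    """<type> then one (operator, value) pair per value; consecutive pairs
    without the AND bit are ORed, and the last pair carries the end-of-list bit."""
    out = bytes([ctype])
    for i, value in enumerate(values):
        end = OP_END if i == len(values) - 1 else 0
        if value < 256:
            out += bytes([end | LEN_1 | OP_EQ, value])
        else:
            out += bytes([end | LEN_2 | OP_EQ]) + struct.pack(">H", value)
    return out


def flowspec_nlri(dst_prefix, protocols=(), dst_ports=(), src_prefix=None):
    """Build the NLRI for one rule; components must appear in ascending type order."""
    body = _prefix_component(DEST_PREFIX, dst_prefix)
    if src_prefix:
        body += _prefix_component(SRC_PREFIX, src_prefix)
    if protocols:
        body += _numeric_component(IP_PROTO, list(protocols))
    if dst_ports:
        body += _numeric_component(DEST_PORT, list(dst_ports))
    if len(body) >= 240:
        raise ValueError("two-byte NLRI length form not implemented in this example")
    return bytes([len(body)]) + body


def traffic_rate_community(asn, bytes_per_second):
    """traffic-rate extended community 0x8006: 2-byte AS, 4-byte IEEE float.
    A rate of 0 means discard; anything else is a policer on matching traffic."""
    return struct.pack(">BBHf", 0x80, 0x06, asn, float(bytes_per_second))


def rtbh_route(victim_ip, blackhole_next_hop, asn, community_value=666):
    """The black-hole alternative: a /32 whose next hop every edge router
    resolves to a discard interface. It drops all traffic to the victim, so it
    completes the outage; the flow spec rule above drops only the matching vector.
    The :666 community is a widespread convention, not a standard value."""
    return {"prefix": f"{victim_ip}/32", "next_hop": blackhole_next_hop,
            "community": f"{asn}:{community_value}"}


if __name__ == "__main__":
    # Constructed rule: drop UDP/53 toward a victim /24. ASN 64496 and the
    # addresses are documentation values, not settings from the paper.
    print(flowspec_nlri("192.0.2.0/24", protocols=[17], dst_ports=[53]).hex())
    print(traffic_rate_community(64496, 0).hex())        # discard
    print(traffic_rate_community(64496, 125_000).hex())  # police to ~1 Mbit/s
    print(rtbh_route("192.0.2.5", "192.0.2.1", 64496))
```

Whichever path is used, the receiving routers must be configured to accept the announcement (a flow spec address family with validation, or an import policy matching the black-hole community) and the rules should be withdrawn when the attack ends, otherwise the filter outlives the incident.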
Third-Party Mitigation
Peakflow SP can be configured to off-ramp network traffic
to a filtering device. Currently, Peakflow SP only supports
Cisco Guard.
Fingerprint Sharing
One of the most distinctive features in the Peakflow SP solution is something called “fingerprint sharing.” Fingerprints are network behavioral patterns of known or emerging threats. These fingerprints are created by ASERT and distributed to Peakflow SP customers via a service called Active Threat Feed (ATF).
Since DDoS attacks can traverse multiple service provider networks, Arbor created and helps facilitate an inter-service provider group called the Fingerprint Sharing Alliance (FSA). The FSA allows ISPs to easily share fingerprint information with each other using their Peakflow SP products. The objective is to stop the proliferation of attacks as close to their source as possible. When a peer Autonomous System Number (ASN) shares an attack fingerprint, ISPs can either accept the fingerprint or reject it. If ISPs accept the fingerprint, they can monitor any alerts generated from that fingerprint. This will reveal any matches to the network behavioral traffic patterns seen and reported by Peakflow SP. ISPs can then choose to mitigate that traffic using the various mitigation techniques that Peakflow SP makes available to them.
The Triple Threat to Triple-Play Success
Although the deepest possible visibility into network resources
has always been vital to service providers, it promises to become
even more so as ISPs migrate their networks to IP/MPLS-based
infrastructures and execute on their triple-play voice/video/data
strategies. In fact, service providers face a major threat to their
ability to deliver the triple play.
The above-mentioned mitigation techniques are quick, cost-
effective ways to stop an attack and/or reduce the collateral
damage associated with an attack. However, in many cases
these techniques also complete the attack by taking the target
address(es) offline. The best way to stop an attack is to remove
only the attack traffic while allowing the legitimate traffic to
continue to flow. This is often referred to as scrubbing or
surgical mitigation.
The Peakflow SP Threat Management System (Peakflow SP
TMS) augments the network-wide situational awareness of the
Peakflow SP platform with application-layer attack detection
and surgical mitigation.
The Peakflow SP TMS device is a critical and fully integrated
component of the Peakflow SP solution. Using deep packet
inspection (DPI), Peakflow SP TMS provides application-layer
insight, alerting and surgical mitigation. It enables service
providers to protect their networks from the full spectrum of
security threats, including botnets, DNS attacks, DDoS, worms,
phishing, spam and spyware, all from a single console. Other
key features of the Peakflow SP TMS device include:
Advanced Threat Countermeasures
Peakflow SP TMS can surgically mitigate threats using the
following application-layer countermeasures:
• White and Black Lists: Determine if specific hosts are allowed
(i.e., white listed) or not allowed to pass through the Peakflow
SP TMS device (i.e., put on a black list and scrubbed).
• Detailed Filters: Detect and block traffic that matches
user-defined details, such as host/destination IP addresses,
port numbers, TCP/UDP header flags, etc.
• HTTP Object and Rate Limiting: Detect and block traffic
coming from hosts that exceed user-defined thresholds for
the number of HTTP requests/second and HTTP objects
downloaded/second.
• Malformed Packets and DNS Authentication: Detect and
block traffic that is coming from hosts sending malformed
DNS requests, or when DNS authentication does not occur
in a specified time period.
• Idle Connection Timeouts and TCP SYN Authentication:
Detect and block TCP connections that remain idle for too
long, or cannot be authenticated by the Peakflow SP TMS
device within a specified timeout.
• Zombie Detection: Detect and block traffic from hosts that
exceed a user-defined threshold for packets-per-second
(pps) or bits-per-second (bps).
• Baseline Enforcement: Detect and block traffic per managed
object (e.g., network interface) that exceeds the normal
packet rate or protocol distribution baseline as automatically
determined by the Peakflow SP system.
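The first three countermeasures in the list (allow/deny lists, filters keyed on the client address, and per-host HTTP request-rate limiting) combine naturally, as this added Python example shows; it is illustrative code written for this page, not the Peakflow SP TMS implementation. It parses constructed Common Log Format lines, exempts allow-listed hosts, drops deny-listed ones, and moves any other host onto a dynamic block list once it exceeds a user-defined number of requests within a one-second sliding window.

```python
"""Allow/deny lists with per-host HTTP request-rate limiting (illustrative)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')


def parse_clf(line):
    """Return (host, unix_timestamp, request) or None for an unparseable line."""
    m = CLF.match(line)
    if not m:
        return None
    host, ts, request, _status, _size = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return host, when.timestamp(), request


class HostRateLimiter:
    """Static allow list wins, then static deny list, then a per-host sliding
    one-second window: a host that exceeds max_rps joins the dynamic block
    list and stays there for the rest of the run."""

    def __init__(self, max_rps, allow=(), deny=()):
        self.max_rps = max_rps
        self.allow, self.deny = set(allow), set(deny)
        self.windows = defaultdict(deque)  # host -> request timestamps < 1 s old
        self.blocked = set()

    def decide(self, host, ts):
        """Return 'allow', 'deny-static' or 'deny-rate' for one request."""
        if host in self.allow:
            return "allow"
        if host in self.deny:
            return "deny-static"
        if host in self.blocked:
            return "deny-rate"
        window = self.windows[host]
        window.append(ts)
        while window and ts - window[0] >= 1.0:  # slide the window forward
            window.popleft()
        if len(window) > self.max_rps:
            self.blocked.add(host)
            return "deny-rate"
        return "allow"


def run(lines, max_rps, allow=(), deny=()):
    """Replay log lines through the limiter; returns per-host verdict counts
    and the sorted list of hosts that ended up rate-blocked."""
    limiter = HostRateLimiter(max_rps, allow, deny)
    verdicts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse_clf(line)
        if parsed is None:
            continue
        host, ts, _ = parsed
        verdicts[host][limiter.decide(host, ts)] += 1
    return {h: dict(v) for h, v in verdicts.items()}, sorted(limiter.blocked)


def _clf(host, second, path):
    """Constructed log-line builder (fixed date, documentation addresses)."""
    return f'{host} - - [10/Mar/2008:12:00:{second:02d} +0000] "GET {path} HTTP/1.1" 200 512'


# Constructed sample: one host bursting 6 requests in one second, an
# allow-listed monitor doing the same, a normal client and a deny-listed host.
SAMPLE_LOG = (
    [_clf("198.51.100.9", 0, "/index.html")] * 6
    + [_clf("203.0.113.250", 0, "/health")] * 6
    + [_clf("198.51.100.20", 0, "/"), _clf("198.51.100.20", 1, "/style.css")]
    + [_clf("198.51.100.66", 1, "/")]
    + ["not a log line at all"]
)
ALLOW_LIST = ["203.0.113.250"]
DENY_LIST = ["198.51.100.66"]

if __name__ == "__main__":
    print(run(SAMPLE_LOG, max_rps=4, allow=ALLOW_LIST, deny=DENY_LIST))
```

The allow list is checked first so that monitoring probes and load balancers that legitimately exceed the threshold are never scrubbed; the cost is that anything behind an allow-listed address is exempt too, so such entries should be few and reviewed.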
Packet Sampling
The Peakflow SP TMS device can conduct on-demand packet
capture and provide limited packet decode.
Stacking
Up to three Peakflow SP TMS 2700 devices can be stacked
together, forming a single logical unit that increases the total
mitigation capacity to 8 Gbps.
By fusing flow-based network intelligence with deep packet
processing, the Peakflow SP TMS device enhances the
networkwide visibility of the Peakflow SP platform with more
granular, application-level visibility, providing ISPs with
application-layer mitigation, security and reporting capabilities.
One of the current ISP trends is the rise in capital expenditures (CapEx) and the lowering of operation expenses (OpEx). As capital is being spent on infrastructure build-out and delivery of new services, there is a keen eye on the bottom line.
Operating expenses and other costs are being kept to a
minimum in order to ensure that these products and services
are indeed profitable. Investments must solve multiple business
problems and align with company strategies. In other words,
purchased products must leverage as much of the ISP’s
existing infrastructure and human resources as possible.
Peakflow SP is just such a strategic investment. As it is
being used by network operations and security teams for
cost-effective, pervasive network visibility, routing/peering
analysis, traffic engineering and infrastructure security
(e.g., DDoS detection), it can simultaneously be used by
product managers to deliver new revenue-generating
services, in particular, DDoS protection services. That’s
because Peakflow SP has key features such as virtualization
capabilities, templates and APIs that allow service providers
to share and customize their services for multiple customers—
thereby lowering the total cost of ownership and increasing
profits. In fact, many of the previously mentioned managed
DDoS protection services utilize Peakflow SP and Peakflow
SP TMS products.
Figure 2: Through a customer-facing, secure Web portal, enterprise
customers can access reports and examine traffic patterns inside their
service provider's network. (Diagram: "Managed DDoS Protection Services"
showing Peakflow SP in the service provider network, the Web portal on the
enterprise side, and the Peakflow SP login screen, "Powered by" Arbor Networks.)
Source: Arbor Networks, Inc.
Conclusion
With DDoS attacks and other network
security threats on the rise, ISPs and large
enterprises are more vulnerable than ever
before. The Peakflow SP solution provides
cost-effective and pervasive visibility into
the network.
As a complete threat management solution, it enables ISPs
to protect their network infrastructures and IP services against
the full spectrum of security threats, such as DDoS attacks
and botnets. Simultaneously, Peakflow SP can serve as a
platform for service providers to offer new in-cloud managed
DDoS protection services to their enterprise customers.
Links to related products and services:
• Peakflow SP Data Sheet
• Peakflow SP TMS Data Sheet
• ATLAS™ Global Threat Intelligence
• Arbor Security Blog
Corporate Headquarters
76 Blanchard Road
Burlington, MA 01803 USA
Toll Free USA +1 866 212 7267
T +1 781 362 4300
Europe
T +44 207 127 8147
Asia Pacific
T +65 6299 0695
www.arbornetworks.com
©2012 Arbor Networks, Inc. All rights reserved. Arbor Networks, the Arbor Networks logo, Peakflow, ArbOS, How Networks
Grow, Pravail, Arbor Optima, Cloud Signaling, ATLAS and Arbor Networks. Smart. Available. Secure. are all trademarks of
Arbor Networks, Inc. All other brands may be the trademarks of their respective owners.
WP/IPSERVICES/EN/0612

Más contenido relacionado

La actualidad más candente

Cyber Security Vulnerabilities
Cyber Security VulnerabilitiesCyber Security Vulnerabilities
Cyber Security VulnerabilitiesSiemplify
 
CyberSecurity - UH IEEE Presentation 2015-04
CyberSecurity - UH IEEE Presentation 2015-04CyberSecurity - UH IEEE Presentation 2015-04
CyberSecurity - UH IEEE Presentation 2015-04Kyle Lai
 
Icit analysis-identity-access-management
Icit analysis-identity-access-managementIcit analysis-identity-access-management
Icit analysis-identity-access-managementMark Gibson
 
The future of cyber security
The future of cyber securityThe future of cyber security
The future of cyber securitySandip Juthani
 
Basics of Cyber Security
Basics of Cyber SecurityBasics of Cyber Security
Basics of Cyber SecurityNikunj Thakkar
 
Cyber security by nayan pandey
Cyber security by nayan pandeyCyber security by nayan pandey
Cyber security by nayan pandeyRithikaD1
 
Cyber security and demonstration of security tools
Cyber security and demonstration of security toolsCyber security and demonstration of security tools
Cyber security and demonstration of security toolsVicky Fernandes
 
Cyber Attack Methodologies
Cyber Attack MethodologiesCyber Attack Methodologies
Cyber Attack MethodologiesGeeks Anonymes
 
Hot Cyber Security Technologies
Hot Cyber Security TechnologiesHot Cyber Security Technologies
Hot Cyber Security TechnologiesRuchikaSachdeva4
 
Cyber Security Landscape and Systems Resiliency – Challenges & Priorities - T...
Cyber Security Landscape and Systems Resiliency – Challenges & Priorities - T...Cyber Security Landscape and Systems Resiliency – Challenges & Priorities - T...
Cyber Security Landscape and Systems Resiliency – Challenges & Priorities - T...Knowledge Group
 
Cybersecurity concepts & Defense best practises
Cybersecurity concepts & Defense best practisesCybersecurity concepts & Defense best practises
Cybersecurity concepts & Defense best practisesWAJAHAT IQBAL
 
Cyber security for business
Cyber security for businessCyber security for business
Cyber security for businessDaniel Thomas
 
What is Cyber Security - Avantika University
What is Cyber Security - Avantika UniversityWhat is Cyber Security - Avantika University
What is Cyber Security - Avantika UniversityAvantika University
 
Cyber Security: A Common Problem 2018
Cyber Security: A Common Problem 2018Cyber Security: A Common Problem 2018
Cyber Security: A Common Problem 2018joshquarrie
 
What is cyber security
What is cyber securityWhat is cyber security
What is cyber securitySAHANAHK
 

La actualidad más candente (20)

Cyber Security Vulnerabilities
Cyber Security VulnerabilitiesCyber Security Vulnerabilities
Cyber Security Vulnerabilities
 
CyberSecurity - UH IEEE Presentation 2015-04
CyberSecurity - UH IEEE Presentation 2015-04CyberSecurity - UH IEEE Presentation 2015-04
CyberSecurity - UH IEEE Presentation 2015-04
 
Icit analysis-identity-access-management
Icit analysis-identity-access-managementIcit analysis-identity-access-management
Icit analysis-identity-access-management
 
cyber security
cyber securitycyber security
cyber security
 
The future of cyber security
The future of cyber securityThe future of cyber security
The future of cyber security
 
Basics of Cyber Security
Basics of Cyber SecurityBasics of Cyber Security
Basics of Cyber Security
 
Cyber security by nayan pandey
Cyber security by nayan pandeyCyber security by nayan pandey
Cyber security by nayan pandey
 
Cyber security
Cyber securityCyber security
Cyber security
 
Cyber security and demonstration of security tools
Cyber security and demonstration of security toolsCyber security and demonstration of security tools
Cyber security and demonstration of security tools
 
Cyber Attack Methodologies
Cyber Attack MethodologiesCyber Attack Methodologies
Cyber Attack Methodologies
 
Hot Cyber Security Technologies
Hot Cyber Security TechnologiesHot Cyber Security Technologies
Hot Cyber Security Technologies
 
Cyber Security Landscape and Systems Resiliency – Challenges & Priorities - T...
Cyber Security Landscape and Systems Resiliency – Challenges & Priorities - T...Cyber Security Landscape and Systems Resiliency – Challenges & Priorities - T...
Cyber Security Landscape and Systems Resiliency – Challenges & Priorities - T...
 
Cybersecurity concepts & Defense best practises
Cybersecurity concepts & Defense best practisesCybersecurity concepts & Defense best practises
Cybersecurity concepts & Defense best practises
 
Cyber security for business
Cyber security for businessCyber security for business
Cyber security for business
 
Tt 06-ck
Tt 06-ckTt 06-ck
Tt 06-ck
 
What is Cyber Security - Avantika University
What is Cyber Security - Avantika UniversityWhat is Cyber Security - Avantika University
What is Cyber Security - Avantika University
 
Cyber Security: A Common Problem 2018
Cyber Security: A Common Problem 2018Cyber Security: A Common Problem 2018
Cyber Security: A Common Problem 2018
 
What is cyber security
What is cyber securityWhat is cyber security
What is cyber security
 
Cyber Security
Cyber SecurityCyber Security
Cyber Security
 
Career in cyber security
Career in  cyber securityCareer in  cyber security
Career in cyber security
 

Destacado

Biomimetics ٹیکنالوجی. فطرت کی نقل کرنے کی ٹیکنالوجی کا استعمال کرتے ہوئے کی ...
Biomimetics ٹیکنالوجی. فطرت کی نقل کرنے کی ٹیکنالوجی کا استعمال کرتے ہوئے کی ...Biomimetics ٹیکنالوجی. فطرت کی نقل کرنے کی ٹیکنالوجی کا استعمال کرتے ہوئے کی ...
Biomimetics ٹیکنالوجی. فطرت کی نقل کرنے کی ٹیکنالوجی کا استعمال کرتے ہوئے کی ...HarunyahyaUrdu
 
OSCAR , DUMAR ,JULIAN
OSCAR , DUMAR ,JULIANOSCAR , DUMAR ,JULIAN
OSCAR , DUMAR ,JULIANDumarSantiago
 
Aprendeteca formación para empresas.
Aprendeteca formación para empresas. Aprendeteca formación para empresas.
Aprendeteca formación para empresas. Aprendeteca Online
 
Zap restaurant magician PDF
Zap   restaurant magician PDFZap   restaurant magician PDF
Zap restaurant magician PDFZap Enterprises
 
Instalacion Paso A Paso De Linux Redhat Es Varsion 4
Instalacion Paso A Paso De Linux Redhat Es Varsion 4Instalacion Paso A Paso De Linux Redhat Es Varsion 4
Instalacion Paso A Paso De Linux Redhat Es Varsion 4Edgar Sandoval
 
TAROT2013 Testing School - Myra Cohen presentation
TAROT2013 Testing School - Myra Cohen presentationTAROT2013 Testing School - Myra Cohen presentation
TAROT2013 Testing School - Myra Cohen presentationHenry Muccini
 
Jm. cardona el reto del byod seguro. luces y sombras semanainformatica.com 2013
Jm. cardona el reto del byod seguro. luces y sombras semanainformatica.com 2013Jm. cardona el reto del byod seguro. luces y sombras semanainformatica.com 2013
Jm. cardona el reto del byod seguro. luces y sombras semanainformatica.com 2013COIICV
 
A Guide to the SOA Galaxy: Strategy, Design and Best Practices
A Guide to the SOA Galaxy: Strategy, Design and Best PracticesA Guide to the SOA Galaxy: Strategy, Design and Best Practices
A Guide to the SOA Galaxy: Strategy, Design and Best PracticesDmitri Shiryaev
 
How to excel at event marketing with social media
How to excel at event marketing with social mediaHow to excel at event marketing with social media
How to excel at event marketing with social mediaConstant Contact
 
Periodico Octubre Ultima Edicion
Periodico Octubre Ultima EdicionPeriodico Octubre Ultima Edicion
Periodico Octubre Ultima Edicioncristiandadypatria
 
Silabo de microbiologia 2015 ii-final
Silabo de microbiologia 2015 ii-finalSilabo de microbiologia 2015 ii-final
Silabo de microbiologia 2015 ii-finalSergio Llanos
 
2013.12 - Jadual Tugas Bulanan Felo Pelajar
2013.12 - Jadual Tugas Bulanan Felo Pelajar2013.12 - Jadual Tugas Bulanan Felo Pelajar
2013.12 - Jadual Tugas Bulanan Felo PelajarProfil Modal Uniti
 
Using Internet & Smartphone Tools to Engage & Support Volunteers (April 2013,...
Using Internet & Smartphone Tools to Engage & Support Volunteers (April 2013,...Using Internet & Smartphone Tools to Engage & Support Volunteers (April 2013,...
Using Internet & Smartphone Tools to Engage & Support Volunteers (April 2013,...PDXTech4Good.org
 
Zvyšování efektivity (a ziskovosti) webů
Zvyšování efektivity (a ziskovosti) webůZvyšování efektivity (a ziskovosti) webů
Zvyšování efektivity (a ziskovosti) webůOndrej Ilincev
 
proyecto final IAVA "PAPÁS "AL INFORME COSTANTE DE SUS HIJOS"
proyecto final IAVA "PAPÁS "AL INFORME COSTANTE DE SUS HIJOS"proyecto final IAVA "PAPÁS "AL INFORME COSTANTE DE SUS HIJOS"
proyecto final IAVA "PAPÁS "AL INFORME COSTANTE DE SUS HIJOS"mariazelara
 
Respuestas búsquedas del tesoro
Respuestas búsquedas del tesoroRespuestas búsquedas del tesoro
Respuestas búsquedas del tesoroProFees
 

Destacado (20)

Biomimetics ٹیکنالوجی. فطرت کی نقل کرنے کی ٹیکنالوجی کا استعمال کرتے ہوئے کی ...
Biomimetics ٹیکنالوجی. فطرت کی نقل کرنے کی ٹیکنالوجی کا استعمال کرتے ہوئے کی ...Biomimetics ٹیکنالوجی. فطرت کی نقل کرنے کی ٹیکنالوجی کا استعمال کرتے ہوئے کی ...
Biomimetics ٹیکنالوجی. فطرت کی نقل کرنے کی ٹیکنالوجی کا استعمال کرتے ہوئے کی ...
 
OSCAR , DUMAR ,JULIAN
OSCAR , DUMAR ,JULIANOSCAR , DUMAR ,JULIAN
OSCAR , DUMAR ,JULIAN
 
Aprendeteca formación para empresas.
Aprendeteca formación para empresas. Aprendeteca formación para empresas.
Aprendeteca formación para empresas.
 
Zap restaurant magician PDF
Zap   restaurant magician PDFZap   restaurant magician PDF
Zap restaurant magician PDF
 
Proyecto aula virtual del
Proyecto aula virtual delProyecto aula virtual del
Proyecto aula virtual del
 
Instalacion Paso A Paso De Linux Redhat Es Varsion 4
Instalacion Paso A Paso De Linux Redhat Es Varsion 4Instalacion Paso A Paso De Linux Redhat Es Varsion 4
Instalacion Paso A Paso De Linux Redhat Es Varsion 4
 
TAROT2013 Testing School - Myra Cohen presentation
TAROT2013 Testing School - Myra Cohen presentationTAROT2013 Testing School - Myra Cohen presentation
TAROT2013 Testing School - Myra Cohen presentation
 
Jm. cardona el reto del byod seguro. luces y sombras semanainformatica.com 2013
Jm. cardona el reto del byod seguro. luces y sombras semanainformatica.com 2013Jm. cardona el reto del byod seguro. luces y sombras semanainformatica.com 2013
Jm. cardona el reto del byod seguro. luces y sombras semanainformatica.com 2013
 
COB232.pdf
COB232.pdfCOB232.pdf
COB232.pdf
 
A Guide to the SOA Galaxy: Strategy, Design and Best Practices
A Guide to the SOA Galaxy: Strategy, Design and Best PracticesA Guide to the SOA Galaxy: Strategy, Design and Best Practices
A Guide to the SOA Galaxy: Strategy, Design and Best Practices
 
How to excel at event marketing with social media
How to excel at event marketing with social mediaHow to excel at event marketing with social media
How to excel at event marketing with social media
 
Periodico Octubre Ultima Edicion
Periodico Octubre Ultima EdicionPeriodico Octubre Ultima Edicion
Periodico Octubre Ultima Edicion
 
Silabo de microbiologia 2015 ii-final
Silabo de microbiologia 2015 ii-finalSilabo de microbiologia 2015 ii-final
Silabo de microbiologia 2015 ii-final
 
2013.12 - Jadual Tugas Bulanan Felo Pelajar
2013.12 - Jadual Tugas Bulanan Felo Pelajar2013.12 - Jadual Tugas Bulanan Felo Pelajar
2013.12 - Jadual Tugas Bulanan Felo Pelajar
 
Using Internet & Smartphone Tools to Engage & Support Volunteers (April 2013,...
Using Internet & Smartphone Tools to Engage & Support Volunteers (April 2013,...Using Internet & Smartphone Tools to Engage & Support Volunteers (April 2013,...
Using Internet & Smartphone Tools to Engage & Support Volunteers (April 2013,...
 
Zvyšování efektivity (a ziskovosti) webů
Zvyšování efektivity (a ziskovosti) webůZvyšování efektivity (a ziskovosti) webů
Zvyšování efektivity (a ziskovosti) webů
 
proyecto final IAVA "PAPÁS "AL INFORME COSTANTE DE SUS HIJOS"
proyecto final IAVA "PAPÁS "AL INFORME COSTANTE DE SUS HIJOS"proyecto final IAVA "PAPÁS "AL INFORME COSTANTE DE SUS HIJOS"
proyecto final IAVA "PAPÁS "AL INFORME COSTANTE DE SUS HIJOS"
 
Respuestas búsquedas del tesoro
Respuestas búsquedas del tesoroRespuestas búsquedas del tesoro
Respuestas búsquedas del tesoro
 
Fernando Royuela
Fernando RoyuelaFernando Royuela
Fernando Royuela
 
Polonium
PoloniumPolonium
Polonium
 

Similar a A new way to prevent Botnet Attack

Distributed Denial Of Service ( Ddos )
Distributed Denial Of Service ( Ddos )Distributed Denial Of Service ( Ddos )
Distributed Denial Of Service ( Ddos )Sharon Lee
 
Network Security in 2016
Network Security in 2016Network Security in 2016
Network Security in 2016Qrator Labs
 
Network and Application Security 2017. Prediction 2017
Network and Application Security 2017. Prediction 2017Network and Application Security 2017. Prediction 2017
Network and Application Security 2017. Prediction 2017Wallarm
 
comparing-approaches-for-web-dns-infrastructure-security-white-paper
comparing-approaches-for-web-dns-infrastructure-security-white-papercomparing-approaches-for-web-dns-infrastructure-security-white-paper
comparing-approaches-for-web-dns-infrastructure-security-white-paperRenny Shen
 
Arbor Presentation
Arbor Presentation Arbor Presentation
Arbor Presentation J Hartig
 
Presentation1 shweta
Presentation1 shweta Presentation1 shweta
Presentation1 shweta swet4
 
4-DDoS-DES-CEN451-BSE-Fall2023-16102023-082938pm (1).pdf
4-DDoS-DES-CEN451-BSE-Fall2023-16102023-082938pm (1).pdf4-DDoS-DES-CEN451-BSE-Fall2023-16102023-082938pm (1).pdf
4-DDoS-DES-CEN451-BSE-Fall2023-16102023-082938pm (1).pdfUsamaBSEBUIC
 
Trends in network security feinstein - informatica64
Trends in network security   feinstein - informatica64Trends in network security   feinstein - informatica64
Trends in network security feinstein - informatica64Chema Alonso
 
IRJET- A Survey on DDOS Attack in Manet
IRJET-  	  A Survey on DDOS Attack in ManetIRJET-  	  A Survey on DDOS Attack in Manet
IRJET- A Survey on DDOS Attack in ManetIRJET Journal
 
DDoS threat landscape report
DDoS threat landscape reportDDoS threat landscape report
DDoS threat landscape reportBee_Ware
 
Cisco 2014 Midyear Security Report
Cisco 2014 Midyear Security ReportCisco 2014 Midyear Security Report
Cisco 2014 Midyear Security ReportCisco Security
 
Internet Traffic Monitoring and Analysis
Internet Traffic Monitoring and AnalysisInternet Traffic Monitoring and Analysis
Internet Traffic Monitoring and AnalysisInformation Technology
 
Case Study: Q2 2014 Global DDoS Attack Report | Akamai Document
Case Study:  Q2 2014 Global DDoS Attack Report | Akamai  DocumentCase Study:  Q2 2014 Global DDoS Attack Report | Akamai  Document
Case Study: Q2 2014 Global DDoS Attack Report | Akamai DocumentProlexic
 
Survey of different Web Application Attacks & Its Preventive Measures
Survey of different Web Application Attacks & Its Preventive MeasuresSurvey of different Web Application Attacks & Its Preventive Measures
Survey of different Web Application Attacks & Its Preventive MeasuresIOSR Journals
 
ITSecurity_DDOS_Mitigation
ITSecurity_DDOS_MitigationITSecurity_DDOS_Mitigation
ITSecurity_DDOS_MitigationR. Blake Martin
 

Similar a A new way to prevent Botnet Attack (20)

Distributed Denial Of Service ( Ddos )
Distributed Denial Of Service ( Ddos )Distributed Denial Of Service ( Ddos )
Distributed Denial Of Service ( Ddos )
 
Network Security in 2016
Network Security in 2016Network Security in 2016
Network Security in 2016
 
Network and Application Security 2017. Prediction 2017
Network and Application Security 2017. Prediction 2017Network and Application Security 2017. Prediction 2017
Network and Application Security 2017. Prediction 2017
 
comparing-approaches-for-web-dns-infrastructure-security-white-paper
comparing-approaches-for-web-dns-infrastructure-security-white-papercomparing-approaches-for-web-dns-infrastructure-security-white-paper
comparing-approaches-for-web-dns-infrastructure-security-white-paper
 
Arbor Presentation
Arbor Presentation Arbor Presentation
Arbor Presentation
 
Presentation1 shweta
Presentation1 shweta Presentation1 shweta
Presentation1 shweta
 
4-DDoS-DES-CEN451-BSE-Fall2023-16102023-082938pm (1).pdf
4-DDoS-DES-CEN451-BSE-Fall2023-16102023-082938pm (1).pdf4-DDoS-DES-CEN451-BSE-Fall2023-16102023-082938pm (1).pdf
4-DDoS-DES-CEN451-BSE-Fall2023-16102023-082938pm (1).pdf
 
2 21916 wp_asert_en
2 21916 wp_asert_en2 21916 wp_asert_en
2 21916 wp_asert_en
 
Trends in network security feinstein - informatica64
Trends in network security   feinstein - informatica64Trends in network security   feinstein - informatica64
Trends in network security feinstein - informatica64
 
Securing VoIP Networks
Securing VoIP NetworksSecuring VoIP Networks
Securing VoIP Networks
 
IRJET- A Survey on DDOS Attack in Manet
IRJET-  	  A Survey on DDOS Attack in ManetIRJET-  	  A Survey on DDOS Attack in Manet
IRJET- A Survey on DDOS Attack in Manet
 
DDoS threat landscape report
DDoS threat landscape reportDDoS threat landscape report
DDoS threat landscape report
 
Cisco 2014 Midyear Security Report
Cisco 2014 Midyear Security ReportCisco 2014 Midyear Security Report
Cisco 2014 Midyear Security Report
 
Internet Traffic Monitoring and Analysis
Internet Traffic Monitoring and AnalysisInternet Traffic Monitoring and Analysis
Internet Traffic Monitoring and Analysis
 
Case Study: Q2 2014 Global DDoS Attack Report | Akamai Document
Case Study:  Q2 2014 Global DDoS Attack Report | Akamai  DocumentCase Study:  Q2 2014 Global DDoS Attack Report | Akamai  Document
Case Study: Q2 2014 Global DDoS Attack Report | Akamai Document
 
Survey of different Web Application Attacks & Its Preventive Measures
Survey of different Web Application Attacks & Its Preventive MeasuresSurvey of different Web Application Attacks & Its Preventive Measures
Survey of different Web Application Attacks & Its Preventive Measures
 
ITSecurity_DDOS_Mitigation
ITSecurity_DDOS_MitigationITSecurity_DDOS_Mitigation
ITSecurity_DDOS_Mitigation
 
Atelier Technique ARBOR NETWORKS ACSS 2018
Atelier Technique ARBOR NETWORKS ACSS 2018Atelier Technique ARBOR NETWORKS ACSS 2018
Atelier Technique ARBOR NETWORKS ACSS 2018
 
Secureview 3
Secureview 3Secureview 3
Secureview 3
 
Conférence ARBOR ACSS 2018
Conférence ARBOR ACSS 2018Conférence ARBOR ACSS 2018
Conférence ARBOR ACSS 2018
 

Último

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKJago de Vreede
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 

Último (20)

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 

A new way to prevent Botnet Attack

  • 1. Arbor White Paper Protecting IP Services from the Latest Trends in Botnet and DDoS Attacks Global Insights, Detection Strategies and Mitigation Methods
  • 2. Arbor Networks, Inc. is a leading provider of network security and management solutions for enterprise and service provider networks, including the vast majority of the world’s Internet service providers and many of the largest enterprise networks in use today. Arbor’s proven network security and management solutions help grow and protect customer networks, businesses and brands. Through its unparalleled, privileged relationships with worldwide service providers and global network operators, Arbor provides unequalled insight into and perspective on Internet security and traffic trends via the ATLAS® Active Threat Level Analysis System. Representing a unique collaborative effort with 230+ network operators across the globe, ATLAS enables the sharing of real-time security, traffic and routing information that informs numerous business decisions. About Arbor Networks
  • 3. 1 Arbor White Paper: Protecting IP Services from the Latest Trends in Botnet and DDoS Attacks Victims of these crippling and widespread Internet-based attacks include Internet service providers (ISPs), enterprises and broadband subscribers alike. To make matters worse, Internet service subscribers are often unknowing participants in the proliferation and execution of many such attacks. This occurs when hackers covertly pirate subscribers’ high-speed connections and compromise their PCs—turning them into zombies that form a huge army of malicious botnets. Remotely controlled by hackers, these botnets wreak havoc throughout the Internet by executing all kinds of malware and DDoS attacks. According to a recent study from Arbor Networks entitled “Worldwide Infrastructure Security Report, Volume III” (www.arbornetworks.com/report), botnets and DDoS attacks are the top concerns of today’s Internet services providers. Together with large-scale malware, these threats can severely compromise an ISP’s core equipment, resources and business-critical IP services. Emerging technologies introduce additional vulnerabilities that put today’s networks at even greater risk of security threats. Service providers around the world, eager to obtain the operational and competitive advantages of new technical innovations, are accelerating their deployment of networks built on high-speed fiber optics and IP-based services, such as MPLS, IPTV, VoIP and VPN. Although there clearly is a broad range of benefits available from these new networks and services, there is an equally broad range of security threats that can seriously curtail or even wipe out those benefits. Service providers recognize that if they are to realize the promise of next-generation IP-based services, they must understand the nature and power of their cyber-enemies. 
Armed with this knowledge, providers can deploy the solutions needed to defend their networks and services from the threats that exist today, and from the ones that will surely emerge in the future.

Deliberate attacks on service provider networks are, and will continue to be, a major headache for ISPs and their customers. The U.S. Federal Bureau of Investigation (FBI) estimates that computer crime costs American companies alone a staggering $62 billion a year.

For each of the last three years, Arbor Networks has surveyed service providers in North America, Europe and Asia about their experiences with security threats. This section combines subjective data from that survey (Worldwide Infrastructure Security Report, Volume III) with objective findings from the Arbor Security Engineering and Response Team (ASERT), a group of security engineers and researchers dedicated to monitoring Internet threats around the clock. ASERT mines and correlates up-to-the-minute global security data, continually analyzing it to detect and qualify developing Internet threats.

DDoS Attack and Botnet Trends

Distributed denial of service (DDoS) attacks first made the news in February 2000 and have kept a high media profile ever since, as the following headlines show:

• "Amazon.com, eBay, Yahoo Crippled by DoS Attacks" (February 2000)
• "Massive DDoS Attack Hits Internet DNS Root Servers" (October 2002)
• "MyDoom Becomes the Internet's Fastest Spreading Worm Ever" (January 2004)
• "Top Threats in 2006: SQL Slammer & Blaster Worm" (October 2006)
• "Storm Worm Rages Through Internet Over the Weekend" (January 2007)
• "Cyber Attacks on Estonia" (May 2007)
DDoS Attacks Continue to Grow in Size and Frequency

According to the survey data, the size of the largest detected DDoS attack has grown 140 percent over the last three years. In 2007 the largest observed sustained attack was 24 Gbps, compared to 17 Gbps in 2006. Thirty-six percent of the surveyed ISPs reported attacks of over 1 Gbps in 2007. This matters because most Internet backbone links are 10 Gbps and enterprise circuits are multi-gigabit: the largest attacks now exceed the capacity of a single backbone link, let alone a customer's access circuit. In addition, Arbor research covering September 2006 through August 2007 (321 days of observation) recorded 362,394 DDoS attacks, an average of 1,128 attacks per day.

DDoS Attack Protocols

Asked "Which protocols were being used for the largest attacks, considering both packets-per-second (pps) and bits-per-second (bps)?", respondents reported:

• Largest attacks (bps): 43 percent were UDP floods (a category the survey also used for ICMP-based floods such as Smurf attacks), 19 percent were application-layer attacks (for example, sending malformed DNS packets or opening excessive HTTP connections) and 18 percent were TCP SYN floods.
• Largest attacks (pps): 41 percent were UDP floods, 26 percent were TCP SYN floods and 17 percent were application-layer attacks.

Statistical data recently released by ASERT matches some of the survey responses:

Attack Subtype          Percent of Total Attacks
TCP SYN                 15.53
IP Fragment             14.41
TCP Reset                6.45
Private IP Space         1.22
IP NULL Protocol         0.78
TCP NULL Flag            0.57
DNS                      0.23

Figure 1: Largest Bandwidth Attacks Reported, in Gbps, by year (2002 to 2011). Source: Arbor Networks, Inc.
ASERT continues to see dramatic activity in this realm, with thousands of attacks occurring daily. Below is an excerpt of ASERT's analysis of the above statistics.

• Transmission Control Protocol (TCP) attacks continue to dominate the DDoS landscape, being both powerful and easy to launch. Attackers favor them for their efficacy against a wide variety of services and hosts: a SYN flood exhausts link bandwidth and, at the same time, the connection state of the host OS and application.
• Although the number of DNS-based attacks (including DNS reflective amplification attacks) has increased, they have not reached the popularity of common vectors such as IP NULL protocol attacks.
• Despite the relatively low prevalence of DNS-based attacks, there was much concern in the past year about DNS amplification. Aside from a spike in March 2007, when their prevalence matched that of ICMP attacks, DNS attacks have been relatively infrequent. It is hard to say at this time whether this reflects their actual relative prevalence or the still-emerging deployment of sensors capable of classifying and mitigating DNS attacks.

Botnets Are a Top Concern for ISPs

Botnets, a major problem identified by ISPs, continue to plague the Internet. They are a growth sector within the attacker underground, with new code bases, uses and operators appearing frequently. For ISPs and network operators, botnets represent a multi-faceted threat. First, they remain a major source of DDoS attacks. Second, they have become a serious source of spam, which burdens every provider's email infrastructure. Finally, the scanning and attack activity of a large botnet can disrupt normal network operations and cause outages.
For all these reasons, most ISPs are concerned with large-scale malcode, most commonly embodied in botnets. Not surprisingly, the survey corroborated this concern. Asked "What types of threats are you most concerned with?", respondents put botnets and DDoS attacks at the top of the list:

• Primary concerns: 29 percent of ISPs said botnets and 24 percent said DDoS.
• Secondary concerns: 31 percent said botnets and 20 percent said DDoS.

ISPs observed botnets being used for:

• DDoS attacks (71 percent)
• Sending spam (64 percent)
• Parts of phishing systems (37 percent)
• Open proxies (34 percent)
• Storing ID theft information (16 percent)
• Other (6 percent)

According to respondents, the newer botnets exhibited the following characteristics:

• They were smaller but more targeted, effective and organized.
• They employed encryption, peer-to-peer communication, and MD5/SHA-1 hashing as counter-reconnaissance measures.
• They were distributed in nature, which makes the attacks more complicated and the master controller harder to locate.

Botnet Growth Patterns

Recent ASERT research shows that botnet server lifetimes follow a long-tailed distribution. Most botnet servers, nearly 65 percent, are found and disabled within their first day of operation. This suggests that effective networks exist for gathering information about new botnets and sharing it with the right network or system operators; it is this communication that leads to the host running the botnet's IRC server being taken down. A botnet that survives its first day, however, has a fair chance of surviving for several months or more, and some remain active for nearly a year. That known botnets can operate for this long should be a call to arms for all ISPs.

Apart from a few bursts of activity, between 10 and 20 new botnet servers are found every day. Factoring in the number disabled daily, approximately 1,500 to 1,800 botnet servers are active at any time, a number that is slowly rising. This trend is likely to continue as the number of IRC botnet servers keeps growing for the foreseeable future.
Botconomics: The Underground Economy of Botnets

There are many reasons for a miscreant to initiate a botnet attack. Some attacks have religious or political motivation behind them. Some are simply ego-driven, as professional hackers or script kiddies compete to see who can cause the most damage by infiltrating the biggest and most secure sites. The most serious attacks, however, usually have financial goals: extortion, stealing money from compromised online bank accounts, luring innocent users to phishing sites and the illegal use of stolen credit cards are common results of botnet attacks. In fact, an underground economy has emerged to support the building, selling and buying of botnet attack tools, an economy that Arbor Networks has coined "Botconomics™."

Botconomics is fueling the rapid growth of the botnet world, and the simple motivation behind it is money. Years ago, hackers had to be technically savvy and know how to write code to initiate an attack or create a botnet. Today they can buy and sell that code in online markets that resemble traditional black markets. Such online communities are available to anyone who earns their trust, usually by contributing a certain quantity of stolen credit cards, bandwidth or email addresses to build street credibility. ASERT has uncovered numerous sites that boldly market their botnets and booty. Here are some examples of common advertisements and their prices:

Item                        Range of Prices
.net Domain Names           $0.05
nasa.gov Domain Names       $0.05
Proxies                     $0.50 – $3
Credit Cards                $0.50 – $5
Email Passwords             $1 – $350
Email Addresses             $2/MB – $4/MB
Compromised UNIX Shells     $2 – $10
Social Security Numbers     $5 – $7
Mailers                     $8 – $10
Scams                       $10/week
Full Identity               $10 – $150
Bank Accounts               $30 – $400

These disreputable sites often advertise their botnets via discreet email campaigns. A recently discovered email touted botnet servers that provided:

• Excellent ping and uptime
• Rotating IP addresses
• Different ISPs
• Intuitive user interface
• Online technical support
• SLAs: 100 percent uptime guarantee!

Botnets and attack code continue to evolve as the cat-and-mouse game between hackers and security vendors reaches new levels. Today's hackers are even writing code to evade current AV databases, disable auto-update functions and evaluate botnet connectivity speed and availability.
Question & Answer Session: Dr. Craig Labovitz

Q: Why is the number, frequency and intensity of infrastructure threats rising?

A: Over the last three or four years, the hacker/miscreant community has recognized that it is sometimes far more effective to go after the infrastructure than the end systems. So the attacker targets a particular Web site based on his personal or financial motive. Maybe it's a gambling or porn site, an online bank or some other cyber community that hasn't bent to his wishes or paid his [extortion] demand. By actually attacking the infrastructure, whether it be upstream routers, upstream interfaces or even things like the routing protocols, the attacker can be very effective in taking that institution off the network. In fact, that is sometimes easier than trying to attack an individual PC or workstation.

Q: Managed security services are clearly a growth market. Yet some enterprises may be reluctant to outsource their security. Generally speaking, who is best positioned to protect enterprise networks: the service provider or the enterprise itself? Or is the ideal protection an approach based on mutual cooperation between the two?

A: We are seeing a lot of interest in the latter. If the service provider is your internal network, then it makes sense for the service provider to offer internal security. In fact, there are some things only the provider can do. For example, large bandwidth attacks need to be blocked within the provider's network. So it does make sense for many of these services to be offered in the cloud, where they can be scalable and provided more effectively.

Q: Are service providers and their customers to be relegated forever to the reactive mode? Or will they at some point be able to take the offense and go after would-be attackers before they attack?

A: Just like in banking, security is crucial to service providers and their customers. But I don't walk into my local bank and worry about whether there'll be some type of event while I'm there. I don't worry about my money being safe in the bank. It's not that bank robberies don't happen, it's just that there's enough infrastructure in place that it's not a daily concern. And I pay for that as a consumer, for the doors, the vaults and all the additional security. It just becomes part of daily life. It's often said about security that it's always a trade-off with usability. The Internet is no different. Today, a large number of folks out there are paying for network security features including DDoS protection, which most major service providers offer. These security features are either built into the basic price or there is a small additional fee. For the most part, it's mostly a solved problem, at least for the moment. We aren't seeing major sites like eBay, Yahoo! and Amazon coming under attack today like we did back in 2000. But it's a cycle, like anything else. We're entering a period of increased risk now as ISPs deploy advanced new services, next-generation networks, VoIP, convergence and other innovations, giving rise to more sophisticated zombie armies along with increased bot command and control. So the cycle continues.
Multiple Advantages of In-Cloud Security

ISPs need a cost-effective, pervasive level of visibility into all network traffic in order to ensure the optimized delivery of next-generation network services. This visibility must cover every part of an ISP network (backbone, peering and transit points, and customer aggregation edges) and every layer of the communications stack, from the physical layer through routing to the application layer. Pervasive visibility alone is not enough, however; ISPs also need intelligent visibility into their networks in order to:

• Distinguish "normal" from "abnormal" network activity
• Conduct BGP route analytics for traffic engineering
• Identify the most cost-effective transit/peering relationships
• Analyze customer traffic for new service opportunities
• Detect and mitigate threats before they impact IP services and customers

Now that cyber-crime and attacks require little expertise, enterprises and ISPs are more exposed than ever to Internet-based threats such as botnet and DDoS attacks. It is also becoming increasingly clear that threat detection and mitigation can only be done effectively, in both cost and performance terms, from within the service provider's network. Such "in-cloud" security services deliver several benefits:

Enterprise DDoS Protection
Enterprise customers rely on their ISPs for business-critical functions such as e-commerce, VoIP, B2B connectivity, telecommuting and even back-end systems like CRM (e.g., Salesforce.com). Disruption of these services can have a major impact on business continuity. Many enterprises are also beginning to realize that the high cost and low effectiveness of some in-house security systems do not make sense, specifically in the case of DDoS attacks: a volumetric attack that saturates the access circuit cannot be stopped by any device sitting behind that circuit. Some enterprises are therefore taking a "layered" approach and relying on their ISPs for in-cloud DDoS protection services that detect and mitigate such attacks before they jeopardize business continuity.

New Revenue Opportunities for ISPs
While some ISPs have looked at DDoS attacks as a curse, others have seized the opportunity to differentiate themselves and generate new revenue from managed security services. According to Arbor Networks' Worldwide Infrastructure Security Report, Volume III, the number of surveyed ISPs offering managed security services jumped from six in 2006 to 40 in 2007. Examples of in-cloud DDoS protection services offered by service providers around the world today include:

• Belgacom: Clean Internet Services
• British Telecom (BT): Managed DDoS Services
• Cable & Wireless: Anti-Distributed Denial of Service and Secure Internet Gateway/DDoS Protection
• COLT: IP Guardian
• Rackspace: PrevenTier
• SAVVIS: Network-Based DDoS Mitigation
• TELUS: Managed DDoS Prevention
• The Planet: Peakflow® DDoS Detection
• Verizon Business: DoS Defense Detection and Mitigation

IP Service Assurance for ISPs
In-cloud DDoS detection and mitigation capabilities are not only new managed service opportunities for an ISP; they also serve as network infrastructure protection that helps maintain the quality of business-critical services such as BGP routing, DNS and Triple Play. For Triple Play services in particular, ISPs must maintain a minimum quality of service (QoS) and reliable performance or risk losing customers to the competition, and botnet and DDoS attacks can dramatically degrade the performance and customer-perceived quality of these services.

It is imperative, therefore, that ISPs have the means to provide in-cloud security services that quickly detect and mitigate network-based threats. As botnets and DDoS attacks continue to grow in size, frequency and complexity, they impact not only their target victims but also the network infrastructure of the ISPs that are, unfortunately, the conduit for these attacks.
The Best Defense: Anticipating and Mitigating Attacks

With their networks and services under constant attack by an ever-growing rogue's gallery of spammers, phishers, bot herders and other miscreants, service providers must invest more and more resources to secure their networks, reputations and profits.

To better understand and visualize complex networks, advanced security solutions such as Peakflow SP use relational modeling to learn about a wide range of relationships on the network. Rather than studying traffic only at a single point in the network, as the traditional approach does, these solutions build an internal model of normal network conversations among many different participants: customers, departments, partners, peers or even the Internet as a whole. After determining the "normal" state of network operations, they apply various algorithms to detect anomalies. Built-in anomaly detection lets Peakflow SP evaluate potential threats against a service provider's or enterprise's own network baseline, reducing false alarms and supporting fast, accurate determinations. Because these solutions are constantly learning, they also do not require the level of tuning and configuration that characterizes many networking and security technologies.

With extensive visibility, service providers and large enterprises can make informed decisions about whether they need to increase network capacity, or whether they can delay infrastructure investments and lower costs by recovering bandwidth on the existing network. Deep visibility into network resources also gives service providers the insight needed for traffic planning, peering arrangements, market-to-market analyses and analysis of routing patterns.

Multiple Methods of Threat Detection and Mitigation

The Peakflow SP platform is a comprehensive threat management solution capable of detecting, mitigating and reporting on many types of network threats. It can detect attacks using the following methods:

Misuse
Peakflow SP can be configured to detect high packet rates for specific types of network traffic, such as DNS, ICMP, IP fragments, IP null packets, and TCP NULL, RST and SYN segments. Many DDoS attacks use these vectors to saturate or bring down circuits, servers or other IP services.

Abnormal Behavior
By profiling normal traffic levels, Peakflow SP can detect anomalous traffic shifts in the network, so service providers can detect availability threats before they impact a customer's service.

Attack Fingerprints
The Arbor Security Engineering and Response Team (ASERT) conducts threat analysis on a global basis. One by-product of ASERT's research is attack "fingerprints": the specific network behavioral patterns that individual attacks exhibit on the wire. Once loaded into Peakflow SP, these fingerprints become active security policies that alert network operations and security personnel to violations.

BGP Hijacking
Sometimes referred to as "IP hijacking," BGP hijacking is the illegitimate take-over of groups of IP addresses by corrupting Internet routing tables, typically by announcing a prefix, or a more-specific of it, from an autonomous system that is not authorized to originate it. Malicious users sometimes hijack prefixes to obtain IP addresses for spamming or for launching a DDoS attack.

Dark IP Space Monitoring
Peakflow SP treats any traffic destined for unallocated (dark) address space as malicious: legitimate hosts have no reason to send there, whereas hosts performing host and port scans do. A significant increase in dark IP traffic can indicate new malware, worms or other threats propagating across the network.
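The detection methods above can be illustrated on flow records. The following Python is an added example written for this page, not Arbor code and not a description of how Peakflow SP is implemented: it runs misuse thresholds, a baseline check, dark-space monitoring and a BGP origin check over NetFlow-like records constructed inline. The thresholds, the baselines, the addresses (RFC 5737 documentation ranges) and the AS numbers (RFC 5398 documentation range) are assumed values.

```python
"""Flow-based detection: misuse thresholds, baseline deviation, dark IP space
monitoring and a BGP origin check over constructed NetFlow-like records.
Added example, not Arbor code; thresholds and baselines are assumed values."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SYN, RST, ACK = 0x02, 0x04, 0x10          # TCP flag bits as exported in NetFlow tcp_flags


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int        # 0 = IP NULL, 1 = ICMP, 6 = TCP, 17 = UDP
    dport: int
    tcp_flags: int
    packets: int
    fragment: bool = False


def classify(f: Flow) -> str:
    """Map a flow onto one of the misuse vectors named in the paper."""
    if f.fragment:
        return "ip_fragment"
    if f.proto in (0, 1):
        return "ip_null" if f.proto == 0 else "icmp"
    if f.proto == 17 and f.dport == 53:
        return "dns"
    if f.proto == 6:
        if f.tcp_flags == 0:
            return "tcp_null"
        if f.tcp_flags & RST:
            return "tcp_rst"
        if f.tcp_flags & SYN and not f.tcp_flags & ACK:
            return "tcp_syn"
    return "other"


# Assumed per-destination packets-per-second thresholds for each vector
MISUSE_PPS = {"tcp_syn": 1000, "tcp_rst": 500, "tcp_null": 100, "ip_null": 100,
              "ip_fragment": 500, "icmp": 500, "dns": 500}


def misuse_alerts(flows, window_s):
    """Misuse: rate of each vector per destination host over the window."""
    counts = defaultdict(int)
    for f in flows:
        counts[(f.dst, classify(f))] += f.packets
    return sorted((dst, vec, n / window_s) for (dst, vec), n in counts.items()
                  if vec in MISUSE_PPS and n / window_s > MISUSE_PPS[vec])


def baseline_alerts(flows, window_s, baselines, k=3.0):
    """Abnormal behaviour: total pps per managed object (a prefix) against its
    learned (mean, stddev); alert when the rate exceeds mean + k * stddev."""
    nets = {p: ip_network(p) for p in baselines}
    counts = defaultdict(int)
    for f in flows:
        for p, net in nets.items():
            if ip_address(f.dst) in net:
                counts[p] += f.packets
    return [(p, counts[p] / window_s, mean + k * std)
            for p, (mean, std) in baselines.items() if counts[p] / window_s > mean + k * std]


def dark_space_scanners(flows, aggregate, allocated, min_hits=5):
    """Dark IP space: sources touching many unallocated addresses inside the aggregate."""
    agg, alloc = ip_network(aggregate), [ip_network(p) for p in allocated]
    hits = defaultdict(set)
    for f in flows:
        d = ip_address(f.dst)
        if d in agg and not any(d in net for net in alloc):
            hits[f.src].add(f.dst)
    return {src: len(dsts) for src, dsts in hits.items() if len(dsts) >= min_hits}


def bgp_hijack_alerts(updates, expected_origins):
    """Announcements of our prefixes, or more-specifics of them, from an unexpected origin AS."""
    return [(prefix, origin, ours) for prefix, origin in updates
            for ours, origins in expected_origins.items()
            if ip_network(prefix).subnet_of(ip_network(ours)) and origin not in origins]


# Constructed 10 s window of flow records (RFC 5737 addresses, RFC 5398 AS numbers)
WINDOW_S = 10
SAMPLE_FLOWS = (
    [Flow(f"198.51.100.{i}", "192.0.2.10", 6, 80, SYN, 300) for i in range(1, 51)]   # SYN flood
    + [Flow("198.51.100.250", "192.0.2.20", 17, 53, 0, 100),                           # normal DNS
       Flow("198.51.100.251", "192.0.2.20", 17, 53, 0, 100),
       Flow("198.51.100.7", "192.0.2.10", 6, 443, ACK | 0x08, 40)]                     # established HTTPS
    + [Flow("203.0.113.9", f"192.0.2.{200 + i}", 6, 22, SYN, 1) for i in range(8)]    # SSH scan, dark space
)
BASELINES = {"192.0.2.0/25": (200.0, 50.0), "192.0.2.128/25": (10.0, 5.0)}     # (mean pps, stddev)
SAMPLE_UPDATES = [("192.0.2.0/24", 64500), ("192.0.2.0/25", 64510)]             # (prefix, origin AS)


def run():
    return {"misuse": misuse_alerts(SAMPLE_FLOWS, WINDOW_S),
            "baseline": baseline_alerts(SAMPLE_FLOWS, WINDOW_S, BASELINES),
            "dark_scanners": dark_space_scanners(SAMPLE_FLOWS, "192.0.2.0/24", ["192.0.2.0/25"]),
            "hijacks": bgp_hijack_alerts(SAMPLE_UPDATES, {"192.0.2.0/24": {64500}})}


if __name__ == "__main__":
    for name, result in run().items():
        print(name, result)
```

On the sample window the SYN flood trips both the misuse threshold for the victim host and the baseline for its /25, while the eight one-packet probes into unallocated space are far below any rate threshold and are caught only by the dark-space check; the more-specific /25 announced by AS 64510 is flagged as a hijack. Real baselines are learned over days per managed object and vary by time of day; the fixed mean and standard deviation here stand in for that.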
Once Peakflow SP detects an attack, it offers several methods of mitigation:

Access Control Lists
Peakflow SP can generate an access control list (ACL) for an attack whose characteristics can be expressed as Layer 3-4 access controls. The ACL is then entered manually into key routers to mitigate the attack.

Black-Hole Routing
Peakflow SP integrates with the BGP routing environment of any network and can be configured to perform BGP black-hole routing, or off-ramping, for an attack that must be dropped at the peering edge. All traffic to the destination host or network is null-routed, or sent to a next hop for inspection.

BGP Flow Spec
BGP flow spec (RFC 5575) distributes traffic filters through the BGP control plane. Peakflow SP can drive routers with flow spec capabilities by sending flow spec records over a BGP session between Peakflow SP and the routing infrastructure. ISPs can use flow spec to apply firewall- or ACL-style filtering to IP-reachable resources within the network, surgically and dynamically installing filters on specific routers through a well-known control channel.

Third-Party Mitigation
Peakflow SP can be configured to off-ramp network traffic to a filtering device. Currently, Peakflow SP only supports Cisco Guard.

Fingerprint Sharing
One of the distinctive features of Peakflow SP is fingerprint sharing. Fingerprints are network behavioral patterns of known or emerging threats; ASERT creates them and distributes them to Peakflow SP customers via a service called Active Threat Feed (ATF). Because DDoS attacks traverse multiple service provider networks, Arbor created and helps facilitate an inter-provider group called the Fingerprint Sharing Alliance (FSA). The FSA lets ISPs share fingerprint information with each other using their Peakflow SP products, with the objective of stopping attacks as close to their source as possible. When a peer autonomous system (AS) shares an attack fingerprint, an ISP can accept or reject it. If accepted, the ISP can monitor the alerts the fingerprint generates, which reveal any matches against the traffic patterns Peakflow SP sees and reports, and can then choose to mitigate that traffic using any of the mitigation techniques above.

The mitigation techniques above are quick, cost-effective ways to stop an attack or reduce its collateral damage. In many cases, however, they also complete the attack: black-holing the target address(es), or filtering all traffic of the attacked protocol to them, takes the target offline for legitimate users as well. The best way to stop an attack is to remove only the attack traffic while allowing legitimate traffic to continue to flow, often referred to as scrubbing or surgical mitigation. The Peakflow SP Threat Management System (Peakflow SP TMS) augments the network-wide situational awareness of the Peakflow SP platform with application-layer attack detection and surgical mitigation.

The Triple Threat to Triple-Play Success
Although the deepest possible visibility into network resources has always been vital to service providers, it promises to become even more so as ISPs migrate their networks to IP/MPLS-based infrastructures and execute on their triple-play voice/video/data strategies. In fact, service providers face a major threat to their ability to deliver the triple play.
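As an added example (not Arbor code), the following Python turns one detected attack, a UDP/53 flood against a customer host, into the three network-side mitigations described above (router ACL, BGP black-hole route, BGP flow spec rule) and then checks each one's collateral damage against sample packets, which is the check a practitioner should make before choosing black-hole routing. The ACL uses Cisco IOS extended-ACL syntax; the black-hole and flow spec lines are written as ExaBGP-style API commands, and that exact grammar is an assumption to verify against the ExaBGP version in use. The black-hole next hop 192.0.2.1 (statically routed to Null0 on each edge router, following RFC 3882) and the BLACKHOLE community 65535:666 (RFC 7999) are the conventions assumed here.

```python
"""One detected attack rendered as a router ACL, an RTBH route and a flow spec
rule, plus a collateral-damage check for each. Added example, not Arbor code.
The ExaBGP-style announce syntax is assumed; check it against your version."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTO_NAME = {1: "icmp", 6: "tcp", 17: "udp"}


@dataclass(frozen=True)
class Attack:
    dst: str                 # victim address
    proto: int               # 1, 6 or 17
    dport: Optional[int]     # None for vectors without a port (ICMP, fragments)


@dataclass(frozen=True)
class Packet:
    label: str
    dst: str
    proto: int
    dport: Optional[int]


def ios_acl(a: Attack, number: int = 150) -> List[str]:
    """Layer 3-4 ACL (Cisco IOS syntax) to be applied inbound on the relevant interfaces."""
    port = f" eq {a.dport}" if a.dport is not None else ""
    return [f"access-list {number} deny {PROTO_NAME[a.proto]} any host {a.dst}{port}",
            f"access-list {number} permit ip any any"]


def rtbh_announce(a: Attack, next_hop: str = "192.0.2.1") -> str:
    """Remotely triggered black hole: a /32 for the victim with the black-hole next hop
    (assumed: every edge router statically routes 192.0.2.1 to Null0)."""
    return f"announce route {a.dst}/32 next-hop {next_hop} community [65535:666]"


def flowspec_announce(a: Attack) -> str:
    """Flow spec rule (RFC 5575) matching only the attack vector, distributed over BGP."""
    match = [f"destination {a.dst}/32;", f"protocol {PROTO_NAME[a.proto]};"]
    if a.dport is not None:
        match.append(f"destination-port ={a.dport};")
    return "announce flow route { match { " + " ".join(match) + " } then { discard; } }"


def dropped_by_blackhole(a: Attack, p: Packet) -> bool:
    """RTBH null-routes everything addressed to the victim, attack and legitimate alike."""
    return p.dst == a.dst


def dropped_by_filter(a: Attack, p: Packet) -> bool:
    """The ACL and the flow spec rule drop only packets matching the vector."""
    return p.dst == a.dst and p.proto == a.proto and (a.dport is None or p.dport == a.dport)


def collateral(a: Attack, packets) -> List[Tuple[str, bool, bool]]:
    """For each sample packet: (label, dropped by black hole, dropped by ACL/flow spec)."""
    return [(p.label, dropped_by_blackhole(a, p), dropped_by_filter(a, p)) for p in packets]


# Constructed sample: a UDP/53 flood against 192.0.2.10 plus two legitimate packets
ATTACK = Attack("192.0.2.10", 17, 53)
SAMPLE_PACKETS = [
    Packet("dns flood packet", "192.0.2.10", 17, 53),
    Packet("customer https to victim", "192.0.2.10", 6, 443),
    Packet("dns to another host", "192.0.2.20", 17, 53),
]

if __name__ == "__main__":
    print("\n".join(ios_acl(ATTACK)))
    print(rtbh_announce(ATTACK))
    print(flowspec_announce(ATTACK))
    for label, bh, flt in collateral(ATTACK, SAMPLE_PACKETS):
        print(f"{label:28s} black hole drops: {str(bh):5s} filter drops: {flt}")
```

The collateral table makes the trade-off concrete: the black-hole route also drops the customer's HTTPS traffic, which is exactly the "completes the attack" effect noted above, while the ACL and the flow spec rule drop only the flood. Neither filter, however, can distinguish a malformed query from a legitimate DNS query to the victim, which is why application-layer scrubbing is needed for the last step.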
The Peakflow SP TMS device is a fully integrated component of the Peakflow SP solution. Using deep packet inspection (DPI), it provides application-layer insight, alerting and surgical mitigation, enabling service providers to protect their networks from the full spectrum of security threats (botnets, DNS attacks, DDoS, worms, phishing, spam and spyware) from a single console. Other key features of the Peakflow SP TMS device include:

Advanced Threat Countermeasures
Peakflow SP TMS can surgically mitigate threats using the following application-layer countermeasures:

• White and Black Lists: Determine whether specific hosts are allowed (white-listed) or not allowed to pass through the Peakflow SP TMS device (black-listed and scrubbed).
• Detailed Filters: Detect and block traffic matching user-defined criteria such as source/destination IP addresses, port numbers and TCP/UDP header flags.
• HTTP Object and Rate Limiting: Detect and block traffic from hosts that exceed user-defined thresholds for HTTP requests per second and HTTP objects downloaded per second.
• Malformed Packets and DNS Authentication: Detect and block traffic from hosts sending malformed DNS requests, or from hosts that fail to complete DNS authentication within a specified time period.
• Idle Connection Timeouts and TCP SYN Authentication: Detect and block TCP connections that remain idle for too long, or that cannot be authenticated by the Peakflow SP TMS device within a specified timeout.
• Zombie Detection: Detect and block traffic from hosts that exceed a user-defined threshold for packets per second (pps) or bits per second (bps).
• Baseline Enforcement: Detect and block traffic per managed object (e.g., network interface) that exceeds the normal packet rate or protocol distribution baseline automatically determined by the Peakflow SP system.

Packet Sampling
The Peakflow SP TMS device can perform on-demand packet capture and provides limited packet decoding.

Stacking
Up to three Peakflow SP TMS 2700 devices can be stacked into a single logical unit, raising the total mitigation capacity to 8 Gbps.

By fusing flow-based network intelligence with deep packet processing, the Peakflow SP TMS device adds granular, application-level visibility to the network-wide visibility of the Peakflow SP platform, giving ISPs application-layer mitigation, security and reporting capabilities.
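Two of the countermeasures above, TCP SYN authentication and DNS authentication, both work by making a source prove it is not spoofed before its traffic is forwarded to the protected server. The following Python is an added example, not Arbor code: the Peakflow SP TMS mechanisms are proprietary, so this uses the classic public techniques instead, SYN cookies (RFC 4987, section 3.6) for TCP and a truncated (TC=1) first answer that forces a retry over TCP for DNS. The cookie layout, the 60-second time slots, the challenge window, the trust TTL and the HMAC secret are this example's own choices.

```python
"""Source authentication for SYN floods and spoofed DNS floods: SYN cookies for
TCP, TC=1 challenge with TCP retry for DNS. Added example, not Arbor code;
cookie layout, time slots and windows are this example's own choices."""
import hashlib
import hmac
import struct
from typing import Dict, Optional

MSS_TABLE = (536, 1220, 1440, 1460)        # MSS is encoded as a 2-bit index into this table
HASH_BITS = 0x1FFFFFF                       # low 25 bits of the cookie carry the keyed hash


def _cookie_hash(secret: bytes, src: str, sport: int, dst: str, dport: int,
                 client_isn: int, slot: int) -> int:
    """25-bit keyed hash binding the cookie to the 4-tuple, the client's ISN and the time slot."""
    msg = struct.pack("!HHII", sport, dport, client_isn, slot) + src.encode() + b">" + dst.encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big") & HASH_BITS


def make_syn_cookie(secret: bytes, src: str, sport: int, dst: str, dport: int,
                    client_isn: int, mss: int, now: int) -> int:
    """Server ISN for the SYN/ACK: 5 bits time slot | 2 bits MSS index | 25 bits hash.
    Nothing is stored per SYN, so a spoofed SYN flood costs the device only CPU."""
    slot = (now // 60) & 0x1F
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return (slot << 27) | (mss_idx << 25) | _cookie_hash(secret, src, sport, dst, dport, client_isn, slot)


def check_syn_cookie(secret: bytes, src: str, sport: int, dst: str, dport: int,
                     seq: int, ack: int, now: int, max_age_slots: int = 1) -> Optional[int]:
    """Validate the handshake's final ACK, which carries seq = client ISN + 1 and
    ack = cookie + 1. Returns the negotiated MSS if the cookie is genuine and fresh,
    None if it is forged, replayed on another 4-tuple, or too old."""
    cookie = (ack - 1) & 0xFFFFFFFF
    client_isn = (seq - 1) & 0xFFFFFFFF
    slot = cookie >> 27
    if ((now // 60) - slot) & 0x1F > max_age_slots:
        return None
    if cookie & HASH_BITS != _cookie_hash(secret, src, sport, dst, dport, client_isn, slot):
        return None
    return MSS_TABLE[(cookie >> 25) & 0x3]


class DnsAuthenticator:
    """A source's first UDP query is answered with a truncated (TC=1) reply instead of
    being forwarded. A real resolver retries over TCP, which needs a completed handshake
    and so cannot come from a spoofed address; that retry authenticates the source for
    `trust_ttl` seconds. A source that keeps sending UDP queries but never completes the
    challenge within `challenge_window` seconds is dropped."""

    def __init__(self, challenge_window: int = 10, trust_ttl: int = 300):
        self.challenge_window = challenge_window
        self.trust_ttl = trust_ttl
        self.pending: Dict[str, int] = {}     # src -> deadline for the TCP retry
        self.trusted: Dict[str, int] = {}     # src -> expiry of the authentication

    def on_udp_query(self, src: str, now: int) -> str:
        if self.trusted.get(src, -1) > now:
            return "forward"
        deadline = self.pending.setdefault(src, now + self.challenge_window)
        return "reply_tc" if now <= deadline else "drop"

    def on_tcp_query(self, src: str, now: int) -> str:
        deadline = self.pending.pop(src, None)
        if deadline is None or now > deadline:
            return "drop"                      # no outstanding challenge, or it expired
        self.trusted[src] = now + self.trust_ttl
        return "forward"


def simulate() -> dict:
    """Constructed handshake and DNS exchanges; returns what each check decided."""
    secret = b"rotate-me-regularly"                       # assumed per-device secret
    c = ("198.51.100.8", 40000, "192.0.2.10", 80)          # client -> protected server
    cookie = make_syn_cookie(secret, *c, client_isn=1000, mss=1460, now=600)
    dns = DnsAuthenticator()
    return {
        "genuine_ack": check_syn_cookie(secret, *c, seq=1001, ack=cookie + 1, now=650),
        "forged_ack": check_syn_cookie(secret, *c, seq=1001, ack=(cookie ^ 1) + 1, now=650),
        "stale_ack": check_syn_cookie(secret, *c, seq=1001, ack=cookie + 1, now=600 + 180),
        "resolver": [dns.on_udp_query("198.51.100.53", 0), dns.on_tcp_query("198.51.100.53", 1),
                     dns.on_udp_query("198.51.100.53", 2)],
        "spoofed_bot": [dns.on_udp_query("203.0.113.7", 0), dns.on_udp_query("203.0.113.7", 3),
                        dns.on_udp_query("203.0.113.7", 20)],
        "tcp_without_challenge": dns.on_tcp_query("203.0.113.8", 5),
    }


if __name__ == "__main__":
    for name, result in simulate().items():
        print(name, result)
```

The point of both mechanisms is that a spoofed source never sees the server's reply (the SYN/ACK carrying the cookie, or the TC=1 answer), so it cannot produce the second message that the device requires before forwarding anything; the device keeps no state for the flood, only for sources that complete the exchange. Rotate the secret and keep the acceptance window short, since anyone who obtains a valid cookie can replay it within that window on the same 4-tuple.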
One of the current ISP trends is rising capital expenditure (CapEx) alongside falling operating expenses (OpEx). As capital is spent on infrastructure build-out and the delivery of new services, there is a keen eye on the bottom line: operating expenses and other costs are kept to a minimum to ensure that these products and services are indeed profitable. Investments must solve multiple business problems and align with company strategies; in other words, purchased products must leverage as much of the ISP's existing infrastructure and staff as possible.

Peakflow SP is such a strategic investment. While network operations and security teams use it for cost-effective, pervasive network visibility, routing/peering analysis, traffic engineering and infrastructure security (e.g., DDoS detection), product managers can simultaneously use it to deliver new revenue-generating services, in particular DDoS protection services. Peakflow SP has virtualization capabilities, templates and APIs that allow service providers to share and customize their services for multiple customers, lowering the total cost of ownership and increasing profits. In fact, many of the managed DDoS protection services mentioned earlier are built on Peakflow SP and Peakflow SP TMS products.

Figure 2: Managed DDoS Protection Services. Through a customer-facing, secure Web portal (a login page branded "Powered by Peakflow SP"), enterprise customers can access reports and examine traffic patterns inside their service provider's network. Source: Arbor Networks, Inc.
Conclusion

With DDoS attacks and other network security threats on the rise, ISPs and large enterprises are more vulnerable than ever before. The Peakflow SP solution provides cost-effective, pervasive visibility into the network. As a complete threat management solution, it enables ISPs to protect their network infrastructures and IP services against the full spectrum of security threats, such as DDoS attacks and botnets. At the same time, Peakflow SP can serve as a platform on which service providers offer new in-cloud managed DDoS protection services to their enterprise customers.

Links to related products and services:

• Peakflow SP Data Sheet
• Peakflow SP TMS Data Sheet
• ATLAS™ Global Threat Intelligence
• Arbor Security Blog
Corporate Headquarters
76 Blanchard Road, Burlington, MA 01803 USA
Toll Free USA +1 866 212 7267
T +1 781 362 4300
Europe: T +44 207 127 8147
Asia Pacific: T +65 6299 0695
www.arbornetworks.com

©2012 Arbor Networks, Inc. All rights reserved. Arbor Networks, the Arbor Networks logo, Peakflow, ArbOS, How Networks Grow, Pravail, Arbor Optima, Cloud Signaling, ATLAS and Arbor Networks. Smart. Available. Secure. are all trademarks of Arbor Networks, Inc. All other brands may be the trademarks of their respective owners. WP/IPSERVICES/EN/0612