Surgical Multi-Vector DDoS Protection
Ensuring availability of business services requires organizations to rethink how to build scalable DDoS defenses that can surgically distinguish attacker from user. Whether for financial, political, or other motivations, today’s attacks have evolved to include DDoS toolkits, weaponized IoT devices, online DDoS services, and more.
New threat vectors have changed the breadth, intensity and complexity of options available to attackers. Established solutions, which rely on ineffective, signature-based IPS or only traffic rate-limiting, are no longer adequate.
Thunder TPS detects and mitigates multi-vector DDoS attacks at the network edge and scales to defend against the DDoS of Things and traditional zombie botnets.
Unlike outdated DDoS products, it is built on A10’s market-proven ACOS platform, which delivers scalable form factors and cost structures that make economic sense, with a complete mitigation, detection, and reporting solution.
When you need it most, A10 is ready to assist. A10 support provides 24x7x365 services and includes the A10 DSIRT (DDoS Security Response Team), to help you understand and respond to DDoS incidents and attacks, and the A10 Threat Intelligence Service, to leverage global knowledge to proactively stop known bad actors.
- DDoS attacks are constantly evolving and attackers keep adapting attack strategies. Simultaneous infrastructure and application layer multi-vector DDoS attacks expose the weakest link in your network.
- The multi-tiered architecture offloads common attack vectors to specialized hardware, freeing the CPUs to focus on complex application layer attacks. Thunder TPS is proven to scale in the most demanding environments.
- IT provides full control to enforce protection policies that work for your specific services. Leveraging open standards and an open API allows IT to integrate in any network environment.
Case Study: Layer 3 Communications
When a major professional services firm wanted to offer its clients on-demand defense against modern multi-vector DDoS attacks, it found a solution in Thunder TPS. In this customer study you will learn how Layer 3 created a revenue stream and increased client stickiness by ensuring uptime during critical events.
Architectures
Reactive Mode
Larger networks benefit from on-demand mitigation, triggered manually or by flow analytical systems. TPS fits any network configuration (L2 and L3) with BGP and other routing protocols. This eliminates the need for any additional diversion and re-injection routers.
Proactive Mode (Asymmetric or Symmetric)
Proactive mode provides continuous, comprehensive detection and faster mitigation. This mode is most useful for real-time environments where the user experience is critical. TPS supports L2 or L3 inline deployments. L3 deployment eliminates the need for network interruption at installation or required maintenance windows.
Out-of-Band (TAP) Mode
The out-of-band mode is used when packet-based DDoS detection and monitoring is required.
Maintain Service Ability
Downtime results in immediate productivity and revenue loss for any business, but this product ensures service availability by automatically spotting anomalies across the traffic spectrum and mitigating multi-vector DDoS attacks.
Reduce Security OpEx
Thunder TPS is extremely efficient. It delivers high performance in a small form factor to reduce OPEX with significantly lower power usage, rack space and cooling requirements.
Defeat Growing Attacks
Thunder TPS protects the largest, most-demanding network environments. It offloads common attack vectors to specialized hardware, allowing its powerful, multicore CPUs to distinguish legitimate users from attacking botnets and complex application-layer attacks that require resource-intensive deep packet inspection (DPI).
Deploy Wartime Support
No organization has unlimited trained personnel or resources during real-time DDoS attacks. Thunder TPS supports five levels of programmatic mitigation escalation and de-escalation per protected zone. Remove the need for frontline personnel to make time-consuming manual changes to escalating mitigation strategies and improve response times during attacks. Administrators have the option to manually intervene and coordinate with A10’s DDoS Security Incident Response Team (DSIRT) at any stage of an attack.
Scalable Protection
Select hardware models benefit from our Security and Policy Engine (SPE) hardware acceleration, leveraging FPGA-based FTA technology and other hardware-optimized packet-processing for highly scalable flow distribution and hardware DDoS protection capabilities.
Detect and mitigate DDoS attacks of many types, including pure volumetric, protocol or resource attacks, application-level attacks, and even IoT-based attacks. Hardware acceleration offloads the CPUs and makes Thunder TPS particularly adept at dealing with simultaneous multi-vector attacks.
Thunder TPS on-premise protection integrates with Verisign’s cloud-based DDoS Protection Services. The Verisign service is backed by global points of presence and multiple terabits per second of global capacity.
Apply highly granular, multi-protocol rate-limiting to prevent sudden surges of illegitimate traffic. Apply limits per connection, defined by bandwidth or packet rate.
Rich multi-protocol counters and behavioral indicators help Thunder TPS learn peacetime network conditions, enabling precise stateful or stateless detection of anomalies. Dynamic mitigation policies escalate suspect traffic through progressively tougher countermeasures to minimize legitimate traffic drops. SecOps and DevOps can leverage event-triggered scripts for increased operational agility.
Threat intelligence data from more than three dozen security intelligence sources, including DShield and Shadowserver, is included with support, enabling Thunder TPS to instantly recognize and block traffic to and from known malicious sources. The service protects networks from future threats, blocks non-DDoS threats like spam and phishing, and greatly increases Thunder TPS efficiency.
Select Thunder TPS models have high-performance FPGA-based Flexible Traffic Acceleration (FTA) technology to detect and mitigate up to 60 common attack vectors immediately in hardware, before data CPUs are involved. SYN cookies validate client connection requests at up to 440 million packets per second (Mpps). Thunder TPS enforces highly granular traffic rates at intervals as short as 100 ms.
Eight lists, each containing up to 16 million entries, may be defined to utilize data from intelligence sources, such as the A10 Threat Intelligence Service, in addition to dynamically generated entries of black/white lists.
Thunder TPS tracks more than 27 traffic and behavioral indicators and can apply escalating protocol challenges to surgically distinguish attackers from valid users for appropriate mitigation of up to 128 million concurrent tracked sessions. Complex application attacks (e.g., HTTP, DNS, etc.) are mitigated with advanced parallel processing across a large number of CPU cores. Embedded SSL security processors offload CPU-intensive tasks and mitigate SSL/TLS-based attacks. As a result, high-performance system scaling is maintained, even for multi-vector attacks.
To protect entire networks with many connected users and services, Thunder TPS simultaneously monitors up to 64,000 hosts or subnets.
Detection and mitigation capabilities are extremely customizable. With 100% API programmability, SecOps and DevOps can leverage event-triggered scripts for increased operational agility. Thunder TPS also performs application-aware inspection on incoming packets and takes defined actions to protect the application. For example, the system can enforce limits on various DNS query types, apply security checks in many portions of the HTTP header, or use regular expressions (regex) and Berkeley Packet Filter (BPF) for high-speed pattern matching in policies.
With multiple performance options and flexible deployment models, Thunder TPS may be integrated into any network architecture of any size, including MPLS. And with aXAPI, A10’s RESTful API, Thunder TPS easily integrates into third-party detection solutions. Leveraging open standards like BGP Blackhole functionality, Thunder TPS mitigation integrates easily with any DDoS detection solution. Support for open APIs and networking standards enables tight integration with other devices, including A10 threat detection partners, SDN controllers, and other security products.
Thunder TPS supports an industry standard CLI, on-box GUI and the aGalaxy management system. The CLI allows sophisticated operators easy troubleshooting and debugging. The intuitive on-box GUI enables ease of use and basic graphical reporting. aGalaxy offers a comprehensive dashboard with advanced reporting, mitigation console, and policy enforcement for multiple TPS devices.
Physical Appliances
A10's Thunder Series line of hardware appliances fits a wide variety of networks, with entry-level models starting at 2 Gbps and moving up to 300 Gbps high-performance appliances for your most demanding requirements.
| HARDWARE SPECIFICATIONS | Thunder 840 TPS | Thunder 3030S TPS | Thunder 4435 TPS | Thunder 5435 TPS | Thunder 6435 TPS | Thunder 6635 TPS | Thunder 14045 TPS |
|---|---|---|---|---|---|---|---|
| Performance | | | | | | | |
| Throughput *1 | 2 Gbps | 10 Gbps | 38 Gbps | 77 Gbps | 152 Gbps | 152 Gbps | 300 Gbps |
| Packets per second (Legitimate traffic) *1 | 1.5 Million | 5 Million | 22 Million | 22 Million | 55 Million | 55 Million | 150 Million |
| Mitigation Performance | | | | | | | |
| Software based - SYN Auth (pps) | 1.5 Million | 5 Million | 22 Million | 22 Million | 55 Million | 55 Million | 150 Million |
| Hardware based - HW SYN Cookie (pps) | N/A | N/A | 55 Million | 110 Million | 220 Million | 220 Million | 440 Million |
| Hardware based - Anomaly flood blocking (pps) | N/A | N/A | 55 Million | 110 Million | 220 Million | 220 Million | 440 Million |
| Maximum monitored sessions (Asymmetric deployment) | 3 Million | 16 Million | 32 Million | 64 Million | 64 Million | 64 Million | 128 Million |
| Minimum rate enforcement interval | 100 ms | 100 ms | 100 ms | 100 ms | 100 ms | 100 ms | 100 ms |
| Network Interfaces | | | | | | | |
| 1 GE Copper | 5 | 6 | 0 | 0 | 0 | 0 | 0 |
| 1 GE Fiber (SFP) | 0 | 2 | 0 | 0 | 0 | 0 | 0 |
| 1/10 GE Fiber (SFP+) | 2 | 4 | 16 | 16 | 16 | 12 | 0 |
| 40 GE Fiber (QSFP+) | 5 | 6 | 0 | 4 | 4 | 0 | 4 |
| 100 GE Fiber | 0 | 0 | 0 | 4 | 0 | 4 (CXP) | 4 (CFP2 or QSFP28) |
The specifications and performance numbers are subject to change without notice, and vary depending on configuration and environmental conditions.
*1 Throughput figures reflect traffic-forwarding capacity and are measured using legitimate traffic with DDoS protection enabled.