DDoS Protection

Thunder TPS
DDoS Protection & Mitigation

The world’s highest-performance DDoS protection solution, A10 Thunder TPS (Threat Protection System) detects and mitigates terabit-sized DDoS attacks at the network edge. It’s unmatched with an industry-leading 300 Gbps with 440 Mpps in a single appliance-offering up to 11 times the performance of legacy solutions.

  • Maintain Service Availability
  • Defeat Growing Attacks
  • Scalable Protection
  • Reduce Security OpEx
A10 Networks Thunder TPS DDoS Protection

Surgical Multi-Vector DDoS Protection

Ensuring availability of business services requires organizations to rethink how to build scalable DDoS defenses that can surgically distinguish attacker from user. Whether for financial, political, or other motivations, today’s attacks have evolved to include DDoS toolkits, weaponized IoT devices, online DDoS services, and more.

New threat vectors have changed the breadth, intensity and complexity of options available to attackers. Established solutions, which rely on ineffective, signature-based IPS or only traffic rate-limiting, are no longer adequate.

Detects and mitigates multi-vector DDoS attacks at the network edge and scales to defend against the DDoS of Things and traditional zombie botnets.

Unlike outdated DDoS products, this is built on A10’s market-proven ACOS platform that delivers scalable form factors and cost structures that makes economic sense with a complete mitigation, detection, and reporting solution.

When you need it the most A10 is ready to assist, A10 support provides 24x7x365 services, and includes the A10 DSIRT (DDoS Security Response Team), to help you understand and respond to DDoS incidents and attacks, and the A10 Threat Intelligence Service, to leverage global knowledge to proactively stop known bad actors.

  • DDoS attacks are constantly evolving and attackers keep adapting attack strategies. Simultaneous infrastructure and application layer multi-vector DDoS attacks expose the weakest link in your network.
  • The multi-tiered architecture offloads common attack vectors to specialized hardware, offloading the CPUs to focus on complex application layer attacks. Thunder TPS is proven to scale in the most demanding environments.
  • IT provides full control to enforce protection policies that work for your specific services. Leveraging open standards and an open API allows IT to integrate in any network environment.

Case Study: Layer 3 Communications

When a major professional services firm wanted to offer its clients on-demand defense against modern multi-vector DDoS attacks, it found a solution in Thunder TPS. In this customer study you will learn how Layer 3 created a revenue stream and increased client stickiness by ensuring uptime during critical events.

Read the case study here.

Layer 3 DDoS Case Study


Reactive Mode

Reactive Mode Architecture

Larger networks benefit from on-demand mitigation, triggered manually or by flow analytical systems. TPS fits any network configuration (L2 and L3) with BGP and other routing protocols. This eliminates the need for any additional diversion and re-injection routers.

Proactive Mode

Proactive Mode Architecture

(Asymmetric or Symmetric) Proactive mode provides continuous, comprehensive detection and faster mitigation. This mode is most useful for real-time environments where the user experience is critical. TPS supports L2 or L3 inline deployments. L3 deployment eliminates the need for network interruption at installation or required maintenance windows.

Out-of-Band (TAP) Mode

Out of Band Mode

The out-of-band mode is used when packet-based DDoS detection and monitoring is required.

Maintain Service Ability

Downtime results in immediate productivity and revenue loss for any business, but this product ensures service availability by automatically spotting anomalies across the traffic spectrum and mitigating multi-vector DDoS attacks.

Reduce Security OpEx

Thunder TPS is extremely efficient. It delivers high performance in a small form factor to reduce OPEX with significantly lower power usage, rack space and cooling requirements.

Defeat Growing Attacks

Thunder TPS protects the largest, most-demanding network environments. It offloads common attack vectors to specialized hardware, allowing its powerful, multicore CPUs to distinguish legitimate users from attacking botnets and complex application-layer attacks that require resource-intensive deep packet inspection (DPI).

Deploy Wartime Support

No organization has unlimited trained personnel or resources during real-time DDoS attacks. Thunder TPS supports five levels of programmatic mitigation escalation and de-escalation per protected zone. Remove the need for frontline personnel to make time-consuming manual changes to escalating mitigation strategies and improve response times during attacks. Administrators have the option to manually intervene and coordinate with A10’s DDoS Security Incident Response Team (DSIRT) at any stage of an attack.

Scalable Protection

Select hardware models benefit from our Security and Policy Engine (SPE) hardware acceleration, leveraging FPGA-based FTA technology and other hardware-optimized packet-processing for highly scalable flow distribution and hardware DDoS protection capabilities.

Detect and mitigate DDoS attacks of many types, including pure volumetric, protocol or resource attacks, application-level attacks or even IoT-based. Hardware acceleration offloads the CPUs and makes Thunder TPS particularly adept to deal with simultaneous multi-vector attacks.

Thunder TPS on-premise protection integrates with Verisign’s cloud-based DDoS Protection Services. The Verisign service is backed by global points of presence and multiple terabits per second of global capacity.

Apply highly granular, multi-protocol rate-limiting to prevent sudden surges of illegitimate traffic. Apply limits connection, defined by bandwidth packet rate.

Rich multi-protocol counters and behavioral indicators help Thunder TPS learn peacetime network conditions, enabling precise stateful or stateless detection of anomalies. Dynamic mitigation policies escalate suspect traffic through progressively tougher countermeasures to minimize legitimate traffic drops. SecOps and DevOps can leverage event-triggered scripts for increased operational agility.

Threat intelligence data from more than three dozen security intelligence sources, including DShield and Shadowserver is included with support, enabling Thunder TPS to instantly recognize and block traffic to and from known malicious sources. The service protects networks from future threats, blocks non-DDoS threats like spam and phishing, and greatly increases Thunder TPS efficiency.

Select Thunder TPS models have high-performance FPGA-based Flexible Traffic Acceleration (FTA) technology to detect and mitigate up to 60 common attack vectors immediately in hardware - before data CPUs are involved. SYN cookies validate client connection requests up to 440 million packets per second (Mpps). Thunder TPS enforces highly granular traffic rates up to 100 ms intervals.

Eight lists, each containing up to 16 million entries, may be defined to utilize data from intelligence sources, such as the A10 Threat Intelligence Service, in addition to dynamically generated entries of black/white lists.

Thunder TPS tracks more than 27 traffic and behavioral indicators and can apply escalating protocol challenges to surgically identify attackers from valid users for appropriate mitigation of up to 128 million concurrent tracked sessions. Complex application attacks (e.g., HTTP, DNS, etc.) are mitigated with advanced parallel processing across a large numbers of CPU cores. Embedded SSL security processors offload CPU intensive tasks, and mitigate SSL/TLS based attacks. Therefore, high-performance system-scaling is maintained, even for multi-vector attacks.

To protect entire networks with many connected users and services, Thunder TPS simultaneously monitors up to 64,000 hosts or subnets.

Detection and mitigation capabilities are extremely customizable. With 100% API programmability, SecOps and DevOps can leverage event-triggered scripts for increased operational agility. Thunder TPS also performs application-aware inspection on incoming packets and takes defined actions to protect the application. For example, the system can enforce limits on various DNS query types, apply security checks in many portions of the HTTP header or using regular expression (regex) and Berkeley Packet Filter (BPF) for high-speed pattern matching in policies.

With multiple performance options and flexible deployment models, Thunder TPS may be integrated into any network architecture of any size, including MPLS. And with aXAPI, A10’s RESTful API, Thunder TPS easily integrates into third-party detection solutions. Leveraging open standards like BGP Blackhole functionality, Thunder TPS mitigation integrates easily with any DDoS detection solution. Open APIs and networking standards support enable tight integration with other devices, including A10 threat detection partners, SDN controllers , and other security products.

Thunder TPS supports an industry standard CLI, on-box GUI and the aGalaxy management system. The CLI allows sophisticated operators easy troubleshooting and debugging. The intuitive on-box GUI enables ease of use and basic graphical reporting. aGalaxy offers a comprehensive dashboard with advanced reporting, mitigation console, and policy enforcement for multiple TPS devices.

Physical Appliances

A10'S Thunder Series line of hardware appliances fits a wide variety of networks with entry-level models starting at 2 Gbps and moving up to 300 Gbps high-performance appliances for your most demanding requirements.

840 TPS
3030S TPS
4435 TPS
5435 TPS
6435 TPS
6635 TPS
14045 TPS
Throughput *1 2 Gbps 10 Gbps 38 Gbps 77 Gbps 152 Gbps 152 Gbps 300 Gbps
Packets per second (Legitmate traffic) *1 1.5 Million 5 Million 22 Million 22 Million 55 Million 55 Million 150 Million
Mitigation Performance  
Software based - SYN Auth (pps) 1.5 Million 5 Million 22 Million 22 Million 55 Million 55 Million 150 Million
Hardware based - HW SYN Cookie (pps) N/A N/A 55 Million 110 Million 220 Million 220 Million 440 Million
Hardware based - Anomaly flood blocking (pps) N/A N/A 55 Million 110 Million 220 Million 220 Million 440 Million
Maximum monitored sessions
(Asymmetric deployment)
3 Million 16 Million 32 Million 64 Million 64 Million 64 Million 128 Million
Minimum rate enforcement interval 100 ms 100 ms 100 ms 100 ms 100 ms 100 ms 100 ms
Network Interfaces  
1 GE Copper 5 6 0 0 0 0 0
1 GE Fiber (SFP) 0 2 0 0 0 0 0
1/10 GE Fiber (SFP+) 2 4 16 16 16 12 0
40 GE Fiber (QSFP+) 5 6 0 4 4 0 4
100 GE Fiber 0 0 0 4 0 4 (CXP) 4 (CFP2 or QSFP28)

The specifications and performance numbers are subject to change without notice, and vary depending on configuration and environmental conditions.
*1 Throughput figures reflect traffic-forwarding capacity and are measured using legitimate traffic with DDoS protection enabled.