Arbor DDoS Reviews

We are not using it in our organization. I'm working for a system integrator, and we have implemented this solution for our customers. Our customers use it as the out-of-path DDoS protector and to reroute the traffic through BGP to TMS to clean the traffic and put back the clean traffic.

Reporting is quite good. There are several pages of reporting on DDoS attacks, and you can find all the details that you need.

It's quite good out-of-path equipment. It works fine automatically for out-of-path.

There should be an automatic way to configure it to monitor traffic and decide which is an attack and which is not. In Arbor, you need to tweak and set all parameters manually, whereas in Check Point DDoS Protector, you can select the lowest parameters, and over the weeks, Check Point DDoS Protector will learn the traffic and you can then tighten some of the parameters to decide which traffic is regular and which is malicious. Arbor needs to be much more adjustable like Check Point.

I don't use it in-line. I know that they have equipment for in-line protection for DDoS, but it takes many hours to configure the traffic, and it needs to be constantly monitored. It's not as usable as Check Point. For in-line, the configuration takes too long. You need to dedicate one person to work with it full-time, and usually, customers are not willing to do that.

We have been using Arbor DDoS for the last two years. 

It's quite stable. Similar to Check Point, there is no problem with stability in the new version. I'd rate it a nine out of ten in terms of stability.

It's quite scalable. It's easy to implement more equipment. I'd rate it a seven out of ten in terms of scalability.

It's more complex than Check Point, and it depends on the topology and what customers need. I'd rate it a three out of ten in terms of ease of setup. All of its deployments are on-premises.

I don't deal with the pricing, but it seems that you need to get basic support in order to upgrade the software and implement some patches.

As an out-of-path DDoS protector, it's quite good. I don't have any experience with in-line, but I saw that it's necessary to have one person to comfortably work with it. For out-of-path DDoS protection, Arbor DDoS would be a better solution. For in-line DDoS protection, Check Point DDoS Protector would be a better solution.

Overall, I'd rate Arbor DDoS an eight out of ten.

We use this solution to protect our infrastructure. 

The solution is stable and scalable. 

Licensing costs could be reduced. 

We've been using this solution for close to 18 months. 

The solution is stable. 

The solution is scalable, we have 3,000 users. 

The initial setup is easy, it takes a couple of minutes. 

There is an annual license fee with the cost dependent on requirements. 

I recommend this solution and rate it nine out of 10.

My company is a quad-play operator service provider in Malta. We use it for our own internal infrastructure and clients, where we use both always-on and on-demand.

Our partner has an in-house deployment and can upload it to the cloud as well. This helps to minimize the costs. With in-house deployment, the cost will increase significantly. So, this hybrid approach is advantageous.

When there was an attack, the attack was contained only on the IPs under attack. The rest of the network was not impacted, and that is the most important part.

The solution has helped consolidate visibility and the actions that we have needed to take. Based on the reports which can be generated, one can be in a better position to mitigate and find alternatives when there is an attack. At the same time, we can limit impact on both the attacked IP ranges and customers as well as other services.

Arbor DDoS has helped us achieve our network and application uptime requirements. Uptime has improved.

Arbor provides a full solution. They provide: 

• The possibility of alarm triggering based on flow packets. 
• Always-on and on-demand
• Implementation of BGP Flowspec. 
• Implementation with their cloud system.
• Good reporting. 

When it comes to some false positives, we need to tweak the system from time to time. There is room for improvement when it comes to the actual mitigation because of some false positives.

I have been using it for more than 10 years now. The solution has changed names over the years. The Arbor suite has evolved a bit over the years, so now we are using Sightline. In the past, it was called Peakflow.

It is quite stable.

The scalability needs to handle going horizontally, apart from the cloud, rather than replacing boxes.

Initially, the solution was not that mature. It has evolved and scaled better over the years.

Being a service provider on a small island, our environment is small in scale. Our network is small compared to other operators. We have 20 users internally: our NOC, IP team, and commercial team.

It took three months once our agreement was done.

Our partner implemented and maintains the system. We use the system to activate mitigation, generate reports, and do some changes. It is self-service, so we are empowered to manage the system.

We rely on third-party deployment. From this third-party and how they interconnect with us, there will always be some tweaking in relation to understanding which links to use and how to avoid possible loops. 

We are also looking to implement BGP Flowspec, which is not yet available because we are not exactly interfacing directly with the Arbor platform, but via separate routers that we interface.

When it comes to DDoS, we are saving by not losing money or clients. Like any insurance, you cannot really quantify it, but you need to have it.

Attacks are getting bigger and bigger. The cost to have proper DDoS mitigation is once a year insurance. It is getting too large to be sustainable. This is not just related to Arbor. DDoS mitigation is more expensive every year.

You need to find a way to get a good offering from Arbor by negotiating a price. That is the challenge. 

See if it is possible to scale using the cloud service.

With respect to the competition, I think that Arbor Sightline reporting is cutting-edge. It is significantly more robust than what the other competitors have, such as, Corero, Radware, and Voxility.

When it comes to the other suppliers, like Corero, Voxility, and Radware, they have automatic mitigation. This will auto-tune to attack changes. With Arbor DDoS, it needs manual intervention. To be fair, I am not sure if that is just our implementation, but that is our understanding for now. 

Another point is how to handle HTTPS encrypted traffic. On that front, there are some options from other vendors to handle HTTPS without the need to install the certificate, where Arbor might need to do some further development there.

With other vendors, you might need third-party software for NetFlow or reporting. In my experience, this is what differentiates Arbor DDoS from the rest.

Overall, I would rate this solution as an eight (out of 10), the reporting as a 10 (out of 10), and the mitigation as a five to eight (out of 10).

As an operator, we use Arbor antiDDoS system to protect our backbone, protecting the network and our assets like DNS.I'm involved in the validation and testing of the solution. 

The solution is installed in our lab, with a simulated full network. We can send some regular traffic as well as DDOS traffic, using some testing tools like IXIA system and opensource tools. 

For testing, we simulate some regular traffic, as background traffic, and we added some attacks on the network with attack tools. We can monitor what's sent to the network, and we can monitor what's received by the victim. In this case, we can assess which part of the attack was stopped by the system.

Arbor DDoS helps consolidate visibility on traffic and on DDOS attacks attempts. It can perform direct mitigation action on the network, which is important. It has also helped us achieve our network and application uptime goals.

I like all the features together as a whole. It's a global solution that fits our needs. Detection is really important for us—the ability to trigger mitigation with TMS and the quality of mitigation.

What is also really important is to directly engage in mitigation on network elements, such as routers or switches, in addition to TMS mitigation. The capacity of the mitigation and the capacity to distribute mitigation on the routers are important. Using this solution as a hybrid approach to DDoS protection is an advantage. It's an important tool for managing the natural quality of service. We're quite confident about the solution and the evolution.

I think Arbor DDoS should be more open to other systems, in the sense of coordination between mitigation centers, like for example the capacity to ask the upstream transit provider for mitigation.

Netscout's Arbor allows it, but between Arbor systems only. It should be more open to Third party systems, that's what I mean by "openness" : evolution from Netscout signaling protocol to standardized DOTS protocol (DDOS Open Threat Signaling)

Implementation could also be improved regarding distribution of mitigation directly on network elements.

I've been using Arbor DDoS for testing for about a year.

Arbor DDoS is stable and robust, as seen during testing phase and with feedback from the field.

According to the operational team, there are few tickets open on the Netscout/Arbor site, but I don't have a precise figure, as I'm only involved in testing phase.

Arbor DDoS is scalable, both horizontally and vertically. It has good visibility making things quite obvious. There are some price issues with scalability, but technically speaking, the solution is fully scalable.

Technical support was knowledgeable and responsive.

The initial setup is quite complex. It isn't easy to do the configuration, but it's okay once it's done. Arbor's implementation strategy was to monitor first and provide all the configuration or the correct profiling for this system after it's considered safe.

NETSCOUT's team deployed our solution.

Arbor DDoS is quite expensive, especially for the TMS mitigation part

We compared it with others actors in antiDDOS domain, such as Nokia Deepfield and others. There are some differences, but generally, the logic is the same.

Arbor Networks, vendor of the solution, has been in DDoS visibility protection for more than ten years, which affected our decision to go with it. We assessed the company's stability (acquired by Netscout), which was part of the decision.

I would advise potential users to try the NETSCOUT Arbor DDoS system but also to check on other solutions.

On a scale from one to ten, I would give Arbor DDoS a seven.

It is our ISP, from where we get our internet traffic. We just send it to them and if anything is suspicious or there is some malicious traffic, we talk to them about what kind of traffic it is. If some machine or some router is being attacked by a malicious user, we try to find out the source IP and why this traffic is coming to us. The Arbor solution is deployed on their premises. We just ask them to control or just stop that traffic. They do the filtration. They provide us all the required details to mitigate an attack on any particular machine.

Arbor DDoS is a quick solution when you have identified some of the originating suspicious IPs from which you are getting traffic in your network. If you have identified that some of the email gateways, or any of your web applications, or any of your routers are being attacked, it is effective. You can ask your ISP to block such queries. If the originating IPs are dynamic, it is a little bit difficult for them to identify and block the traffic, but to a certain extent you can minimize the DDoS attack impact with this solution.

In application layer DDoS attacks, it suggests the actions that should be taken. But at the network layer, you can simply block the originating traffic IP and block the port instantly. It depends on how proactive you are and how effective your incident response team is. Once traffic has started on any of your machines, it can be very difficult to manage it, but you can minimize the impact of malicious traffic with the Arbor tool.

The most valuable features include the traffic categorization and control of the traffic. The filtering of the traffic is very precise. When you want to stop some traffic, you precisely stop that traffic.

On the application layer, they could have a better distributed traffic flow. They could improve that a bit. For network data it is very effective, but the application layer can be improved. In today's era, attackers are also developing their skills. Daily, new threats are coming into the environment.

I've been using Arbor DDoS for almost seven years. I am the cyber security architect in our company and we have a SOC manager. We work together as a team and we are the only two people who use it. 

We do have a team and they instantly contact the ISP if any malicious source IP has been detected. It has been about six months since we have faced an incident in which we had to reach out to our ISP to block some traffic. We then isolated that machine later on. We instantly blocked that port and signature file. Our SOC team works on the operations part.

The stability of Arbor DDoS is excellent, whether it is hardware or software stability. Whatever rules are set up inside, it's excellently developed and it excellently manages your good and malicious traffic.

In terms of scalability, it's also excellent. DDoS attacks are not very scalable, but compared with other tools, in terms of mitigating those non-scalable DDoS attacks, it is better. In that way, Arbor is scalable. It is very effective when it comes to mitigating or dealing with DDoS attacks.

We have four SOCs deployed here, and my SOC has one lakh EPS (event per second) capability. It is a big network and we use the biggest telecom operator in India. We just deal enterprise and telecom traffic.

The support is fine. The ISP team works directly with the Arbor team, so they would have a better idea about that part, but from what I know the support is excellent.

We don't have the Arbor solution deployed on-premises. It's with the ISP, so I wasn't involved in the setup or the implementation.

Arbor is the most effective solution, when compared with other tools. Although I only have experience with Arbor, I have read a lot about other tools. Today, attackers are developing their skills like anything. When some of your workstation IPs are hacked, or some of your application vulnerabilities are exposed, Arbor solutions are very much effective. Although you may have very limited competency or tools to deal with today's DDoS attacks, Arbor is effective.

Arbor is very precise as far as network layer traffic monitoring and control are concerned, but in my opinion EDR is a better solution when it comes to the application layer and DDoS. Arbor has its modules but EDR is a better solution to mitigate the application layer DDoS attack.

Arbor's hybrid approach to DDoS protection is both an advantage and a disadvantage. Sometimes it is not able to filter traffic adequately because of the hybrid approach. It only takes action after a bit of time. It starts acting on malicious traffic a little bit late because of the hybrid approach. On the other hand, after seeing all the aspects, the analysis is sensible and perfect. So it depends on from which side we look at this feature.

Network layer DDoS attacks are absolutely big. DDoS attacks cannot be mitigated instantly, it takes time. You have to be very aware of your network and about which machine an attack has reached, and what the network architecture is. All those aspects are responsible for the impact of DDoS attacks. Arbor is not absolute but, comparatively, I find it to be an effective solution.

Overall, it's a great product. It is a very effective product in terms of dealing with DDoS attacks, whether it is network layer attacks or application layer attacks. But it is better in network layer DDoS attacks. It is among the best.

Using the Arbor SP Insight allows the detection of DDoS attacks coming in from upstream internet providers. The system provides a central analysis to detect DDoS attacks and allow reporting on internet traffic. This along with the TMS physical off-ramp mitigation platform allows us to redirect the inbound attack traffic via BGP. The offramp TMS effectively separates attack traffic from the main path used during normal operation. The system provides attack mitigation for both internal infrastructure and downstream customer services.

Prior to deploying the Arbor solution, DDoS mitigation involved creating ad hoc packet filters to block the malicious traffic during event. These were difficult to apply because getting the detailed match information during an event was problematic. The traffic monitoring systems we had in place did not always have the necessary detail, nor was the attack traffic patterns readily identifiable as malicious. And then the nature of the attacks did not always allow for blocking filters to apply only to malicious traffic. Arbor has made the whole process simpler. 

The ability to correlate Arbor managed objects with internet services deployed accurately profiles traffic and makes coordinating appropriate mitigation response simple. The reporting on both alerts and mitigations provides both detailed and visually pleasing reports.

Using standard BGP, NetFlow and SNMP ensure wide compatibility. There are also peering traffic reports that can help identify upstream peering opportunities. The ATLAS aggregation service allows us to contribute to the global DDoS data and benefit from overall trends.

Arbor also allows us to create upstream remote triggered blackhole requests via BGP communities assigned from our upstream carriers. We can have the flexibility to trigger an individual or all carriers for each /32 advertisements. The system also allows us to use BGP flow spec to apply blocking filters at our routing edge nodes.

The upgrade process is mildly complex requiring treatment of the custom embedded OS separately from the application. The correlation of the underlying OS to the application version can be easily missed.

Linking the white list designation on managed objects into the alert detection mechanism would be a welcome improvement. Currently, white lists to prevent dropping any traffic on important resources only apply to the mitigation process.  If the white list could be used during alert detection this would prevent some false positive alerts that are coming from these known good sources.

I have been using Arbor DDoS protection for over 8 years across two employers one a large scale enterprise network with dual data centers and 4 ISP upstreams and the second a regional service provider with multiple tier-one upstreams and internet exchange connections.

Arbor technical support is painless. Support requests at any hour are serviced quickly with an engineer that is very familiar with the platform details. The one RMA from hardware failure that I had to process went through immediately for our next business day delivery.

We use the product for DDoS settings to prevent malware attacks.

The product allows us to check real-time progress, including latency and network activities.

The product could have end-to-end platform visibility, including connectivity and bandwidth, similar to Cisco.

We have been using Arbor DDoS for seven or eight years. At present, we use the latest version.

The product is very stable.

It is a scalable product. Its scalability depends on the bandwidth. It manages around 50,000 internet banking customers.

The technical support services are excellent.

The initial setup is easy. It involves configuring network connectivity, including public IP addresses and firewall/router configurations. It requires setting up security rules or access controls on Arbor to control which traffic is allowed through. It's important to ensure that traffic from the Internet has a few diversions before reaching the firewall. It takes approximately six hours to complete. The system needs to take a downtime for maintenance. It requires around 13 minutes to complete.

The product’s availability and support services are good. I rate it a ten out of ten.

We use it to protect websites, usually. But it's hosted in our network, our infrastructure, and the company websites as well. We are an ISP company and we provide internet services and other services to companies, like banks, etc. Part of our services is DDoS protection.

We are the ISP for government websites here in Saudi Arabia. We had a lot of attacks on those sites. The way we mitigated those attacks was by asking the people who are hosting the website about the features they were using for the websites. They specified two of the ports, and they said we're not going to allow any other port, any other service apart from these two services. We allowed the websites to be accessible through those two ports only. We blocked everything else. This was four years ago and everything has been smooth ever since.

We have a monitoring team here, which is on watch 24/7. The monitoring part is very easy with this solution.

Our customers are very happy when we provide them with the interface. We give them read-only privileges and they can review the results by themselves. They can check how many attacks they have faced and how many attacks have been blocked. That is a very valuable feature offered by Arbor DDoS.

We can also give them more privileges. They can do some tweaking according to their own systems. If they have a database running or if they have a website, they can tweak the features themselves.

Because we had some routers that were somewhat old, they were not integrated with Arbor. They did not support the NetFlow version that Arbor was running. That was a challenge. We had to upgrade the routers. Some backward-compatibility would be helpful.

The deployment is okay, stable. But when you are manipulating the countermeasures, that is the difficult part. You have to be very careful, and you have to be sure that these countermeasures will kick in when needed, that they're going to work.

We have to customize the countermeasures for each customer. That is a real challenge. We should be reviewing them every month. They might be changing their services, they might be using different ports. We have to keep asking our customers, "Okay what are you running now? What are you using now? Which port are you running now?" so that we know what to expect. We need to know which traffic would be legit and which traffic is illegitimate so that we can block the illegitimate traffic without mistakes. We don't want to block the real traffic. There is a feature in Arbor called auto-learning. We can run that and it will help us. But at the end of the day, it's for us to decide what to allow.

You cannot rely on auto because, for example, if you're running auto-learning, and the services have been running on 80, and all of a sudden it switches to 443, it will keep on blocking. You have to expect what's coming. You cannot rely on auto. Human involvement is always necessary.

If the network is expanding, of course, we would expect to need to add more equipment. We would need to expand our solution.

We had two customers from the government which came in, and they are super-important. Their services cannot go down. We had another solution from Arbor called Pravail. We had that installed for those two customers specifically. Their expected traffic is almost 8 MB, and their throughput is 12 MB. Any noise or malformed packets or out-of-sequence packets get filtered by the Pravail Solution. The bigger attacks will be handled by the TMS, the Threat Mitigation System.

Scalability is not a problem for Arbor.

Technical support is really good. ATAC has been good with us. We haven't had any problem contacting them or getting them engaged in our activities. For example, sometimes we need to customize the portal banner. For that, they have been helpful.

This is our first DDoS solution.

The initial setup is kind of complex because it requires peering. We have to design it from scratch, which makes it a little bit complex. It depends on whether we want to get it inline or if we want to apply offloading, and whether the company can afford a TMS of its own or we need to send traffic to a remote TMS, hosted by Arbor itself.

The last deployment I was involved in took almost a month-and-a-half, with another 15 days for documentation.

It took about eight to 12 people to get the deployment operational. We had people from the core who were engaged with us for the integration and bringing up the systems. After that, we had to hire some fresh resources, because, honestly, it's a new product and it's not very common. We can't really find experienced people for DDoS.

It was not much of a challenge when we were developing it and when we were deploying it because we had a resident engineer who was planning everything, who was leading everything. But after that, when we were mitigating the attacks, there were challenges because we didn't have experienced people over here and the attacks were coming day and night, 24 /7. I had to come to the office after midnight and at midday. 

But now, the system stable and the people that I'm managing are more experienced. They know stuff and it's pretty smooth now.

We engaged Arbor itself. We had a resident engineer from Arbor who came here and deployed the system. He was here for a month more for support and for any types of issues that we faced.

Go for it. It's one of the best solutions you can get for DDoS. It doesn't matter what services you're going to use. As long as you have the whole solution, the TMS and everything in-house, it's the best solution.

We have a team of 12 to deploy and monitor the solution; we have three shifts running around the clock. They monitor the system alerts. They monitor the websites using the controls that we have to protect the clients. If one of them catches an attack, there is a high-alert flag and we focus on the attack to see if it has been mitigated or not. If it needs anything, if it needs some tweaking, we have two resources on each watch, a senior resource and a junior. The junior one keeps on monitoring. The senior one comes in whenever there is something to correct or if something needs to be changed in the system.

For ISPs, Arbor DDoS would be the best solution. For smaller organizations, we can buy the services from Amazon for DDoS protection, and there's Cloudflare. But for ISPs, it's better to have Arbor DDoS because we have everything in-house. ISPs like ours have almost 120 gig bandwidth. For throughput, it's the best one.

We don't have plans to increase usage currently because when we brought the solution four years ago, we measured it a lot. We bought more than what we needed. The plan is to improve the human operability on the system itself. Things look smooth, but you cannot rely on two or three people. We have to have redundancy in the human workforce. We're planning to expand the team so that we don't need to hire any fresh resources and train them from the start. These services are very expensive and our customers are expecting a perfect solution.