What is our primary use case?
We use it for DDoS mitigation. First of all, we decided that outsourcing it or putting it out into the cloud was just too expensive, so we decided to build our own scrubbing center rather than outsource it to somebody else. We use it to protect against DDoS attacks.
How has it helped my organization?
Availability is absolutely critical to our business. We get attacked two and three times a day at times. Without it we'd be hamstrung, bandwidth-wise.
Although the attacks happen every day, they're not a big deal anymore because the mitigation takes care of it. But in the past, before we had the solution in place — there are other components to it beyond just the A10; the A10 is just the mitigation piece of our DDoS protection scheme. But before this whole solution was in place, it used to take two or three engineers half an hour to figure out how to mitigate an attack. Now, it's pretty much zero. We get an attack, we get an e-mail saying, "Hey, there's an attack underway." The systems that are in place redirect it to the A10, the A10 scrubs the traffic and it's not such a big deal anymore.
In terms of how much it has increased availability, being that we get attacked two or three times a day, with some of them we probably wouldn't really know they were happening. But some of them would take us to our knees. We've never really measured it. We're a service provider in the Northeast region, so we've got lots and lots of bandwidth. It has helped a lot, but I couldn't put a number on it because we're always up.
In terms of small attacks we were getting but missing prior to having Thunder TPS, we're over 200 Gig in the backbone now, but we never saw a lot of those little, what I call "squirt-in-the-eye" attacks before. We had a 50-Meg customer out there that was getting DDoS'ed at 100 Meg. We would've never seen that before. We would have never mitigated it. The customer would have called and said, "Hey, my circuit's down," and we would have looked at it and spent time trying to figure out what's up with the circuit. Then somebody would have looked at their bandwidth charge and said, "Oh, you're maxed," and the customer wouldn't understand why they were maxed. Now, the DDoS solution we put in place sees those small attacks, mitigates them, and the customer never calls.
It has absolutely made a big difference for our customers. DDoSes are happening every moment of the day. We just never know who we're protecting from a given attack or why, but it just happens automatically and we don't really worry that much about it any longer.
What is most valuable?
All it does is mitigation. It mitigates and scrubs bad traffic. We send the bad traffic to it, it determines the good traffic and allows the good traffic to come through. That's the only feature we use on it, the DDoS mitigation.
Given its 1RU form factor, the performance has been excellent for us so far. What they said was that it is about 38.5 Gig of throughput. We've not really hit that yet, we haven't tested the extremes, but so far it's doing well and we haven't had any performance issues.
The response time to an attack is instant. We've used some outsourced solutions in the past, out in the cloud, that weren't so quick. But it's all within our control now. We control how fast it mitigates.
For how long have I used the solution?
We've been using it for about a year and a half.
What do I think about the stability of the solution?
We have 100 percent uptime.
What do I think about the scalability of the solution?
We haven't found that it's helped us to scale defenses because we have pigeonholed it to do one thing and that's DDoS. So it hasn't helped us scale but it's helped us retain customers who otherwise probably would have been angry and left us, thinking it was our fault that they got DDoS'ed. But defense scale-wise, no. Although we're still scaling up like crazy, it's not due to this DDoS product whatsoever.
We haven't experienced any issues with performance. But again, we haven't put that much traffic on it yet. I'm sure it's coming. I'm sure, some day, we'll get a DDoS attack that's more than 40 Gig and then we'll have an answer for how it scales.
How are customer service and technical support?
Their tech support has been excellent. Every time we've had to call them they have been very responsive and always fixed our problem within minutes. It's been excellent so far.
I believe the last issue we had to contact them about was just a question of a false positive. The A10 system wasn't supposed to decide what is a false positive. So if we send it good traffic, it's supposed to just pass that good traffic through. But we opened this last ticket because the A10 did block some of the good traffic. Their support had to tweak it a little bit, but it wasn't anything that took a long time. It was pretty much just minutes. They understood what the issue was. They tweaked something and fixed it.
Which solution did I use previously and why did I switch?
What we signed off on when we signed the contract with them was very specifically DDoS mitigation. We went over all the specs of what we intended the system to do. They met all the specs better than the other vendors as far as the throughput, the footprint, and cost went. So we went with them.
The main reason we switched was cost. The cloud solutions were very expensive and, as we sent more traffic, of course, the prices went up. And it was a huge variable. We couldn't budget saying, "We're going to spend X amount of dollars per month on DDoS," because it all depended upon how much traffic we sent to those mitigation servers. If we got attacked one month a couple of hundred times, our expense there could have been tens of thousands of dollars a month. We were not willing to play that game and have that much variability in our expense. By putting this system in, it's our system, so we use it as much as we need to, and we don't pay a monthly expense. We pay A10 for support and that's it.
There was also a difference in response time between A10 and the cloud solutions because now we completely control the solution. Whereas, when we were outsourcing it, we didn't control any of it. So we would send traffic and hope that their mitigation system wasn't overtaxed. Their detection system, sometimes, could also be a little overtaxed and delayed, because there was the internet. We were sending traffic, sending our stats, across the net to their detection system. Their detection system would analyze that traffic, send a response back, and then mitigate if it had to. We had to send that traffic back out onto the public internet. So there was a lot of delay and a lot of variability in the response times. Now it's completely on our network and we control everything about it. So we get much faster response time in mitigation and detection.
How was the initial setup?
The initial setup was very simple. Again, we only use one feature, so the complexities of the setup were pretty much nil. They asked us how much traffic we intend to send to this thing. We spec'ed out the box. They said, "Well, this is the box you want." We did some 15 or 20 minutes configuration of the box and that was it. It was up and live. Everything was done in an afternoon.
What about the implementation team?
A10 did the initial config while it was all at our site. They did it remotely. It went flawlessly. It took about an hour or two hours and it was done. We've not had to change the configuration or anything about the box itself since we installed it.
There were three people involved in the deployment. Two others and me. I didn't do any of the configuration. I was just overseeing the whole project.
What was our ROI?
ROI is a tough one on this solution because it doesn't make us money, but it potentially saves us from losing some customers. I don't know how many customers would have left us if they got DDoS'ed or if our network didn't perform. So ROI on something that doesn't create revenue is a big, black hole. We don't know what would've been.
We don't charge for this, so there's no revenue associated with it. I'm sure it's saving us some revenue but, day one, it also saved expense. It actually cost us less to put this box in. For the expense that we were paying out to the cloud providers before, it was probably just a couple of months before it broke even with that expense that disappeared.
It was so variable, based on traffic. Some months we would spend $30,000 with that cloud provider and other months we'd spend $5,000. It was all based on the number of attacks that we would get. If we had a bad month of attacks, or even one bad day where somebody attacked us for 20 or 24 hours straight, we could be looking at spending $30,000 or $40,000 with that cloud provider. Today, it's nothing. There's no expense.
What's my experience with pricing, setup cost, and licensing?
Pricing is very reasonable.
Which other solutions did I evaluate?
In the past, we've used other cloud-based solutions.
What other advice do I have?
Don't even think twice about doing it. It's a given in this day and age; you just need to do it. You need to have some form of DDoS mitigation in place. And if you don't, God be with you. It's not a matter of if you will be attacked. A lot of ISPs think, "Oh, I'm too small," and even some enterprise customers think that way: "I'm too small. Nobody's going to attack me." These botnets don't care. They don't even know who you are. They just start sweeping IPs and, if they find some vulnerability or somebody decides that they'd like to attack even a customer of ours, it's going to happen. It's happening whether you know it or not, already.
The big thing was to get a lot more visibility into the types of DDoS attacks that we were getting, because now we had full access to the gears. One of the biggest lessons we learned — because we all assumed that non-volumetric attacks were not a problem for the provider — is that they were a problem. We just weren't seeing the problem. Some of our customers may have seen the problem, like a small DDoS attack against their DNS servers. DNS response time might've been delayed by just a fraction of a millisecond per query because of that DDoS attack, but in the grand scheme of things, with thousands of customers hitting that, it ended up being multiple milliseconds. That was something that we learned right off that was a "wow." When we looked at the response times of some of our servers that we never mitigated these attacks on before, it was big, overall.
The only automation features we use are the DDoS. We have other systems in place for the detection piece of it. That's the only feature we use. When it gets traffic, it mitigates it and that's pretty much it. We want to keep it extremely simple.
We haven't thought about where it has room for improvement because it is working so well right now. Again, we only use it for one very specific feature and that's the DDoS mitigation. It's doing what it's supposed to be doing right now. I don't have any enhancements I'd like to see on the product yet because we've not really used it for many of the features it's capable of.
In terms of maintenance, our company has a group that just updates software. That's all they do. They look at different systems in the network, Linux boxes, Windows boxes, appliances like this. They may spend half an hour a month if there are any updates to it. All they do is go to the website and see if there are any updates. If there is an update, they look at what should be applied and they check with the different groups to see if they absolutely should apply it and then they download it.
We don't have plans to use any other features, but we do have plans to implement another system that our customer-support folks are looking at, to be able to do DDoS mitigation per customer. Right now my group, the engineering group, uses this system to protect the network as a whole, but we don't look at specific customers and say, "Well, that customer's getting a very small DDoS attack on their SQL server." We won't mitigate that because it doesn't affect the inner network. We would mitigate something that was a couple of hundred meg that we saw was malicious to the entire network, and that customer might benefit from it. Now, we're looking at selling this to customers. So if a customer calls and says, "Can you mitigate this attack against my SQL server?" the new system would be sensitive enough for even a tiny, little attack. Whereas, the system that we have now wouldn't. We'll probably do that in the next six months.
I'd give A10 a ten out of ten. I have no reason to subtract any points from it at all.