When we started deploying this and we measured the impact on the number of customer complaints, we saw a significant reduction in the overall number of customer tickets. If customers have an issue with one of our servers, they open a ticket; that could be any outage or a DDoS attack. We saw an overall reduction of 11 percent in support tickets.

But we also saw that we were typically able to mitigate over 98 percent of all the attacks that we detect. That has a two-fold benefit. First of all, customers are happier because their service stays alive even in a situation where they are being attacked. And for us, it has a positive impact on our support team because it has 11 percent fewer tickets it needs to handle. That's especially true since "attack tickets" are not nice tickets to have to handle. It also helped us a little bit in the engagement and the motivation of our support team.

A10 has also definitely reduced the amount of manual intervention required during an attack. Before we had these systems in place, if an IP address or server was attacked above a certain level, we would manually no-route or "black-hole" the traffic, and basically remove that IP address from the internet. That was all manual work, while customers were complaining, and their customers were complaining. People were opening tickets. With this solution in place, all that manual work no longer has to happen. After detection of an attack, the scrubbing is initiated automatically. In the case of a huge attack, we will still null-route the traffic which is going to the IP address under attack, but that process is fully automated. So deploying these systems has reduced a lot of the manual work.

Using this solution we have also, to some extent, detected more small attacks, attacks that we had been missing previously. Before we deployed A10, we did not have any technology in place to detect an attack. Only if a customer opened a ticket did we know there was an attack. But when we started deploying the detection technology and the A10 scrubbing technology, we suddenly saw that we actually have a lot of smaller attacks as well, which were invisible to us previously. That means, most likely, that there were a lot of unhappy customers - or unhappy end-users of our customers' systems - that we were never aware of. That was suddenly fixed by deploying these systems. In all of 2018, we identified about 400 attacks each day, anywhere in our 20 data centers around the world. Many of these attacks were invisible to us before 2016 when we did not have this solution in place.

When it comes to the solution's performance given its form factors, for us, any equipment that takes up space and power is using scarce resources in a data center. The fact that these boxes do have a small form-factor, as only 1RU or 2RU devices, and that the power consumption is relatively low, is very beneficial for us.

We don't deliberately use the solution's machine-learning powered Zero-day Automated Protection (ZAP) but the systems require very little effort to keep them alive and manage them. The automation and the updates that A10 built in result in there being very little work for us to do to keep these systems up to date and efficient in the way they scrub attack traffic. So it's not functionality that we deliberately use, but it's a benefit of these systems, which helps us maintain a low cost of operations and an effective system.

The solution's automation also has the effect that the systems are very low-maintenance. That means that we can free up our people to do other work.

We started with them and built our network based on this solution. We started with them directly from scratch.

The automation makes our team more efficient and productive. We are distributed and don't use the A10 Portal. It's easy for us to deploy. E.g., they have an aGalaxy product. Instead of connecting to all the boxes, so we will have the A10 box. We don't want to send a code to all the A10 boxes. We will just send the information to one box: the A10 aGalaxy. This one box will proxy it and send the information all the other boxes. This is exactly what we are doing today. It has improved the way that we are working.

Due to the availability and power of these devices, we've been able to ramp off our upstream cloud-scrubbing provider and handle all attacks on our own. Right now 100 percent of our attacks are handled on-prem with these devices. In 2019 - we're nine months into the year - we've had 1,500-plus attacks and less than five of those attacks have had impact on us.

Our current setup is two 6435 TPS devices at each location. Each of those boxes is rated for 155 Gigs of traffic. We currently are sending 100 Gigs of traffic to each box, that's the bandwidth of the line that we have coming in, and we successfully mitigated a 163-Gig attack. That one was successfully mitigated within the last month by those devices.

In terms of increased availability, I would say it's at about 99.999 percent, overall. We haven't had any major impact, anything more than five minutes, in about two or three years now, due to DDoS.

The automation in TPS makes my team more productive. There is less manual work for my team in dealing with attacks, and with other functions as well, because that automation is built-in: An incident is created, the attack is mitigated, and a report is created. There's really zero touch at this point in time for attacks. It has very much reduced the amount of manual intervention required during an attack.

That is especially true with the newest upgrades that just came out where it does automated pcaps. Everything that we need at this point in time is automated. The device automatically goes into mitigation. It gets the pcaps for us and, a large percentage of the time, it just blocks the traffic that we're looking for. Having those pcaps also helps out because in the future, when we're looking at attacks where we may not have either signature or a proper remediation, we can actually build that in based on the data that we're receiving from those pcaps.

Using TPS we have detected a lot more small attacks and attacks that we had been missing previously, but that's not only because of TPS. We do gather flow information from the TPS devices as well as from our border routers that we recently upgraded. We're using FlowTraq. With that combination, we are seeing a large increase in the number of DDoS attacks that we're detecting compared to what we were using previously, which was a third-party cloud provider. On average, we're detecting anywhere from 25 to 50 more attacks per week than we did previously.

Our company experienced some DDoS attacks that temporarily took down parts of the network. The manual process we had in place took some time to execute, and Thunder TPS offered better mitigation methods so we could block malicious IP addresses at the edge of the network.

Availability is absolutely critical to our business. We get attacked two and three times a day at times. Without it we'd be hamstrung, bandwidth-wise.

Although the attacks happen every day, they're not a big deal anymore because the mitigation takes care of it. But in the past, before we had the solution in place — there are other components to it beyond just the A10; the A10 is just the mitigation piece of our DDoS protection scheme. But before this whole solution was in place, it used to take two or three engineers half an hour to figure out how to mitigate an attack. Now, it's pretty much zero. We get an attack, we get an e-mail saying, "Hey, there's an attack underway." The systems that are in place redirect it to the A10, the A10 scrubs the traffic and it's not such a big deal anymore.

In terms of how much it has increased availability, being that we get attacked two or three times a day, with some of them we probably we wouldn't really know they were happening. But some of them would take us to our knees. We've never really measured it. We're a service provider in the Northeast region, so we've got lots and lots of bandwidth. It has helped a lot, but I couldn't put a number on it because we're always up.

In terms of small attacks we were getting but missing prior to having Thunder TPS, we're over 200 Gig in the backbone now, but we never saw a lot of those little, what I call "squirt-in-the-eye" attacks before. We had a 50-Meg customer out there that was getting DDoS'ed at a 100 Meg. We would've never seen that before. We would have never mitigated it. The customer would have called and said, "Hey, my circuit's down," and we would have looked at it and spent time trying to figure out what's up with the circuit. Then somebody would have looked at their bandwidth charge and said, "Oh, you're maxed," and the customer wouldn't understand why they were maxed. Now, the DDoS solution we put in place sees those small attacks, mitigates them, and the customer never calls.

It has absolutely made a big difference for our customers. DDoSes are happening every moment of the day. We just never know who we're protecting from a given attack or why, but it just happens automatically and we don't really worry that much about it any longer.

Our setup is something of a hybrid solution. We're using the third-party software, the Kentik solution, but we also have some clients that are directly connected to TPS. There is a 30-second delay in time to mitigation for clients that are not direct. By the time that third-party solution identifies something and sends it, via API, to the TPS, there's about a 30-second delay. When we have customers that are directly connected, they have just about instantaneous mitigations with TPS.

We use that inline setup as a premium service. If customers can tolerate a small spike in traffic flow until the mitigation happens then we'll just leave them on the Kentik solution. If they want it instantaneously then we'll put them inline and connect them directly to the TPS for that. Customers who opt for the premium service include financials, utilities - anything which needs that instant mitigation and understands the threat of DDoS. Some entities can tolerate it if they're down for a minute or two minutes and it's not crucial that they pay the extra dollars.

Overall, DDoS attacks affect small-town North Dakota in a fairly large fashion, meaning that they could affect infrastructure from schools to county courthouses to libraries, etc. Those places aren't directly associated with the target of the attack but the appliance itself and the solution in general allow for the protection of those services in those communities. It has been very successful.

The solution has reduced the amount of manual intervention required during an attack. We have the inline solution and when it comes to the customers that we have on it, it has saved us some troubleshooting time. If we can see that there is an active zone, we know that their traffic is being mitigated. If a customer calls and says, "Hey, I have internet problems", one of the first things we check is if there's a DDoS attack happening.

Anytime you filter, you set up thresholds, you can identify your traffic patterns a lot better.
It has helped in that aspect as well. We did miss attacks previously.

We can keep track of all the customer's requirements. We can forecast our trails and we can forecast our overall financial things.