25 Years of Arbor (Networks) Innovation & DDoS Protection

In 2000, backed by DARPA, Cisco, and Intel, and based on research from a professor (Farnam Jahanian) and one of his graduate students (G. Robert Malan) from the University of Michigan, Arbor Networks was founded. (In case you didn’t know, the University of Michigan is located in Ann Arbor, Michigan—thus the name Arbor Networks.)

At the time, their efforts were focused on the emergence of increasingly complex cyberattacks that were impacting the performance and availability of internet service provider (ISP) IP-based networks. Long before terms such as “distributed denial of service” or “DDoS” entered the mainstream lexicon, Arbor Networks delivered technology that combined routing network topology information and scalable flow-based monitoring (e.g., NetFlow) to provide ISPs with cohesive visibility into what was happening on their networks. This technology demystified outages and slowdowns, providing an operationally efficient way to detect, backtrack, and filter DDoS attacks.

Today, 25 years later and now part of NETSCOUT, Arbor Networks technology is still the de facto standard for the majority of the world’s ISPs, cloud providers, mobile operators, and large enterprises when it comes to protecting their networks and business-critical applications and services from DDoS attacks. In that time, Arbor Networks technology has protected many of the world’s major events from DDoS attacks, including the Summer Olympic Games, the World Cup, G7 meetings, the Commonwealth Games, and many more. The same technology also protects major banks and financial payment systems, utilities, insurance, medical, education, and government organizations, ensuring the performance and availability of services we all use every day.

Quite simply, without Arbor Networks technology, there would be more outages, disrupting important aspects of daily life. For the last 25 years, Arbor Networks technology has been protecting the availability of the internet and the services that we access across it. This is why NETSCOUT technologies and employees are now considered Guardians of the Connected World.

Looking back over the last 25 years, we thought it would be interesting to take a brief dive into the evolution of the internet, DDoS attacks, and continuous innovation of Arbor technology.

A Look at the 2000s

Major events in internet history

• 2001: Wikipedia launches, changing how knowledge is shared online
• 2004: Facebook is founded, ushering in the modern social media era
• 2005: YouTube launches, popularizing user-generated video content
• 2007: Apple releases the iPhone, sparking the mobile internet revolution

DDoS attacks: The rise of DDoS awareness and defense

• 2000: Mafiaboy, a 15-year-old hacker, launches attacks on Yahoo!, Amazon, CNN, and eBay using a compromised university server
• 2002: All 13 root DNS servers are targeted in a coordinated attack, raising global concern about internet infrastructure vulnerabilities
• 2007: Estonia suffers massive DDoS attacks targeting government and banking websites, widely considered the first case of cyberwarfare
• 2008: Anonymous enters the DDoS scene and launches the first DDoS attacks as a form of geopolitical protest and hacktivism
• DDoS attack sizes: 1Gbps to 40Gbps.

Arbor Innovation

During this time, Arbor’s Peakflow DoS and Traffic products analyzed IP flow, Simple Network Management Protocol (SNMP), and Border Gateway Control (BGP) routing information from internet routers, providing ISPs with highly scalable, pervasive visibility across their rapidly evolving and growing networks. This visibility enabled ISPs to conduct peering/transit analysis, manage capacity planning (to reduce cost and optimize resource utilization), and detect anomalies (for example, DDoS attacks) to protect the performance and availability of their services.

Arbor’s Peakflow Traffic product, used by most of the world’s Tier 1 and Tier 2 ISPs, literally determined the interconnection architecture of the internet. In parallel, Arbor’s Peakflow DoS product protected those connections from DDoS attacks. Because most ISPs invested in both products, Peakflow Traffic and DoS converged into Peakflow SP.

Arbor Networks then released its own DDoS attack mitigation product, called the Threat Mitigation System (TMS), to complement Peakflow SP’s DDoS attack detection capabilities. TMS was an industry-unique solution that leveraged patented stateless packet process technology, with BGP redirection of attack traffic for efficient, surgical DDoS attack mitigation.

For enterprises, Arbor released Peakflow X, a solution that gathered and analyzed IP flow from enterprise switches and routers, providing customers with broad network visibility and focusing on behavioral detection of threats such as worms and insider misuse within the enterprise, a precursor to the network detection and response tools in use today.

And, in 2009, Arbor launched ATLAS in collaboration with more than 100 ISPs, a global threat monitoring system developed to facilitate the collection and sharing of DDoS information. This is still in use today (more on that later).

A Look at the 2010s

Major events in internet history

• 2010: Arab Spring highlights social media’s influence on politics
• 2013: Edward Snowden’s NSA leaks expose global surveillance, fueling privacy debates
• 2016: Cloud adoption accelerates, Internet of Things (IoT) devices surge
• 2017: WannaCry ransomware spreads globally, impacting hospitals, businesses, and governments

DDoS attacks: New techniques, botnets, and hacktivism continue

• 2012: Qassam Cyber Fighters Operation Ababil ups DDoS attack sophistication by introducing multivector DDoS attacks, making it harder for defenders.

   

• 2013: Spamhaus is hit with a 300Gbps attack, one of the largest at the time, using DNS reflection/amplification (R/A). R/A is exploited throughout the 2010s, with waves of attacks using a variety of protocols such as NTP, SSDP, ARMS, Memcache, Chargen, and more.

   

• 2016: The Mirai botnet emerges, exploiting insecure IoT devices. It launches a 620Gbps attack on journalist Brian Krebs and a 1Tbps attack on French hosting organization OVHcloud. The Mirai botnet code is released publicly, and still today, there are many botnets that are using variants of Mirai to launch DDoS attacks.

   

• 2016: Dyn DNS is attacked, disrupting services such as Twitter, GitHub, and Spotify across the U.S. This event makes “DDoS” a mainstream issue in North America, because it impacts so many consumer-related services.

   

• 2016: NETSCOUT is the first to discover DDoS carpet bombing, where attackers target large ranges of IP addresses instead of a single target.

   

• DDoS attack sizes: Up to 1Tbps.

Arbor Innovation
As new attack vectors were discovered, so too were new attack detection and mitigation techniques added to the newly named Arbor Sightline solution. It was during this period that the Arbor HD1000 Threat Mitigation System, supporting a scalable high-density architecture with surgical mitigation capacity up to 400Gbps, and Arbor Sightline with Sentinel were released, enabling operators to fully operationalize Flowspec as an additional mitigation technique.

To defend against multivector attacks that simultaneously utilize volumetric, TCP state exhaustion, and application-layer attack vectors, Arbor Networks introduced the concept of hybrid attack protection, combining cloud-based (e.g., from the ISP) and perimeter (e.g., at the edge of the data center or enterprise) inline protection.

For inline perimeter protection, Arbor released its Availability Protection System (APS). APS was an in-line, always-on, stateless DDoS attack protection solution that automatically detected and instantly mitigated all types of DDoS attacks. An industry-unique feature called Cloud-Signaling enabled APS to intelligently redirect volumetric attacks (i.e., bigger than the local upstream internet circuit) to an ISP for mitigation. What was an industry innovation at the time became industry best practice, which very few, if any, DDoS vendors can replicate.

In 2014, Arbor introduced its own version of cloud-based protection called Arbor Cloud. Arbor Cloud is a fully managed, ISP-agnostic DDoS attack mitigation service that has grown from 6 regional mitigation centers to 16 globally, offering over 16Tbps of mitigation capacity, with either BGP- or DNS-based diversion of traffic.  Throughout this decade, multivector DDoS attacks continued to increase in complexity, utilizing as many as 20 different attack vectors in a single attack. Worse still, sophisticated attackers started to dynamically change vectors during an attack to make their attacks harder to counter. Arbor’s DDoS attack technology excels at detecting and automatically mitigating multivector attacks—a capability that few match even today.

During this time period, Arbor released its Arbor Edge Defense (AED). Like its APS predecessor, AED is an inline, stateless DDoS protection solution designed for the perimeter of critical environments—data centers, DNS clusters, enterprise sites, and so forth. But AED goes beyond just DDoS protection; armed with millions of indicators of compromise (IoCs) from the now-expanded ATLAS Intelligence Feed (AIF), or using third-party STIX/TAXII IoC feeds, AED can automatically detect and block non-DDoS threats, such as known malware, C2 communication, malicious scanning, and more. Because of its placement outside the firewall, AED became the first and last line of defense for many environments, stopping both inbound and outbound threats. AED is another unique innovation in the cybersecurity industry.

In 2015, Arbor Networks became part of NETSCOUT, where its ASERT research, development, and product management staff remain, continuing to innovate and create the world’s best DDoS and cyberthreat protection products.

In 2016, Arbor Networks’ DDoS protection was named one of the five most important DARPA inventions, alongside other key society-impacting technologies such as the internet, Global Positioning System (GPS), cloud computing, virtual reality, and natural language processing.

A Look at the 2020s

Internet history

• 2020: COVID-19 accelerates global reliance on remote work, elearning, and video conferencing
• 2021: Facebook (Meta) outage highlights the fragility of centralized internet infrastructure
• 2022: Russia-Ukraine conflict sparks waves of state-sponsored cyberattacks and hacktivism
• 2024: Artificial intelligence (AI) tools such as ChatGPT surge in adoption, reshaping internet usage and productivity
• 2025: 5G, edge computing, and AI fuel major debates on AI regulation

DDoS attacks: Triple extortion, DDoS for hire, and use of AI

• 2020–2021: Triple-extortion campaigns surge, with attackers demanding cryptocurrency ransoms from companies for not exposing/selling stolen data, keys for encrypted data, and the threat of a DDoS attack. VPNs and firewalls become common targets amid the COVID-19 pandemic work-from-home global phenomenon.

   

• 2022–2023: The DDoS attack landscape sees a major pivot from the 10-plus year dominance of R/A attack vectors to direct path attacks leveraging botnets. Nation state­–affiliated hacktivism explodes around Russia and Ukraine, spreading from there to other conflicts and geopolitical disputes around the world. There is a rise in well-formed attacks on HTTPS services, driven by nation state–affiliated hacktivist groups.

   

• 2023–2024: This time period sees the evolution of DDoS-for-hire services with automated reconnaissance, intelligent spoofing, and attack vector rotation/randomization. Carpet-bombing attacks continue to evolve and become a default technique in DDoS-for-hire attack tools. DDoS-for-hire services, internet proxies, and bulletproof hosting services enable virtually anyone to launch sophisticated, multivector DDoS attacks at a low-to-no cost, potentially fueling geopolitical events.

   

• 2025: DDoS attacks now regularly exceed tens of millions of requests per second, driven by easy-to-use tools featuring automated reconnaissance and attack vector selection, leveraging IoT botnets and 5G-connected devices.

   

• DDoS attack sizes: Up to multi Tbps.

Arbor Innovation
NETSCOUT continues to innovate and develop Arbor products, integrating technologies for our broader portfolio. Automation has become key as the number of DDoS attacks exceed millions annually while continuing to grow in sophistication. AI has been integrated into the Arbor solutions in two main areas: the collation and curation of the AIF, and through the Adaptive DDoS Protection (ADP) feature set.

Today, ASERT uses AI to analyze data collected from the global deployment of Arbor products across more than 500+ ISPs and 3,000 enterprises. This unique vantage point offers near-real time visibility into more than 800Tbps of internet traffic and 1 million DDoS attacks per month, from more than 200+ countries. No other vendor has such broad visibility into global DDoS attack activity. ASERT’s AI curation and collation pipeline, which drives the AIF, provides all Arbor products and services with the latest actionable DDoS threat information. According to some of our customers, 80 percent of all DDoS attacks are automatically detected and blocked (with no false positives) using AIF.

Within AED, ADP uses AI to continuously examine traffic, looking for signs of attack; it then makes configuration recommendations, which can be automatically applied, to ensure AED is always providing the best protection for key infrastructure.

Within Sightline and TMS, ADP uses AI-powered AIF and other new techniques to detect and automatically mitigate DDoS attacks. During this period, as DDoS attacks generated by fixed wireless access endpoints impacted the performance and availability of 4G and 5G networks, NETSCOUT released Arbor Sightline for Mobile.  Numerous other advances have also taken place in AED, including support for 100Gbps interfaces, the addition of built-in software decryption capabilities, and support for public clouds (such as AWS and Microsoft Azure). And, to simplify management, configuration, and reporting, the Arbor Enterprise Manager (AEM) has been added to the portfolio.

So, there you have it. Twenty-five years of the internet, 25 years of DDoS attacks, and 25 years of Arbor innovation, protecting the performance and availability of the connected world. No other DDoS protection vendor can claim such a thing.

Our Customers Say It Best

Celebrating 25 years of innovation is one thing, but the real proof is shown by our continued revenue growth and customer base. With more than 500 ISPs and 3,000 enterprise clients, many of whom have remained with us for more than two decades, NETSCOUT’s Arbor solutions are renowned for delivering on their promises. 
Our customers have participated in third-party analyses, such as Forrester’s Total Economic Impact reports, which demonstrate a more-than 200 percent return on investment (ROI) for Arbor Sightline, TMS, and Edge Defense products.

Sightline and TMS:

Arbor Edge Defense:

These reports include customer testimonials such as the following:

• “With the auto mitigation capability, 90% to 99% of the attacks are just soaked up by the platform automatically without any human intervention at all. Think of all the workload that’s gone away.”— Networking specialist, telecom services
• “With [Arbor] TMS, we can automatically mitigate almost 99 percent of potential DDoS attacks.” —Security operations manager, regional internet services
• “We were more inclined toward NETSCOUT because the performance the Arbor Edge Defense (AED) with high bandwidth is matured [and] able to manage scalability, and [it] gives us a better user experience.”—Director of global information technology, medium enterprise internet software and services

Most recently, Arbor TMS has received four badges in G2’s Summer 2025 cycle. These badges include Momentum Leader for DDoS Protection, Grid Leader for DDoS Protection and Web Security, and Regional Leader in Asia for DDoS Protection.

The Analyst Community Agrees

NETSCOUT is an innovator; we consistently lead in various DDoS market analysis reports, including the following:

QKS Group SPARK Matrix:

• Arbor Cloud DDoS protection services scored in the highest category overall with a rating of Platinum in the Enterprise Management Associates (EMA) PRISM report on DDoS
• NETSCOUT was recognized as Technology Innovation Leader by Frost & Sullivan
• Omdia recognized NETSCOUT Arbor DDoS protection as a market leader
• Arbor Edge Defense and ATLAS Intelligence Feed received Cyber Defense Magazine’s 2025 Winner of Global Infosec award

Conclusion: A Legacy of Leadership, a Future of Innovation, a Protected Connected World

From its DARPA-funded origins in Ann Arbor to becoming the global standard in DDoS protection under NETSCOUT, Arbor has spent the last 25 years not just responding to the evolution of cyberthreats—but anticipating and outpacing them. Across decades marked by rising attack volumes, shifting vectors, and growing geopolitical complexity, Arbor technologies have continually delivered, with groundbreaking innovations that became industry benchmarks: from stateless mitigation and hybrid DDoS protection to AI-driven threat intelligence and adaptive countermeasures.

What makes this legacy even more remarkable is not just the technology, but the trust that technology has earned. Trusted by more than 500 ISPs and 3,000 enterprises and recognized by analysts and third-party evaluations alike, Arbor solutions have consistently proven their value where it matters most: in the real world, under real attack.

As cyberthreats become more automated, more distributed, and more sophisticated, one thing remains constant: NETSCOUT’s Arbor DDoS protection technologies will continue to stand as the first—and last—line of defense, empowering organizations to operate with confidence in an increasingly hostile digital world.

In true NETSCOUT fashion, we are the Guardians of the Connected World. Here’s to the next 25 years of innovation, protection, and leadership.    

Learn more about Arbor DDoS Detection & Defense