DDOS hardware appliances for network security - Arbor Pravail APS vs nsFocus ADS 6020 - Reviews - Feedback

Check out Radware DefensePro. It offers some very innovative approaches to network and application attack mitigation. I particularly like the NBA and real-time signatures.

If all you need is initial mitigation against fairly basic flood-type attack vectors, then the Radware and a host of other similar appliances should do the job. I know Radware is in the stack of a few very successful DDoS mitigation services. But if you intend to offer a premium DDoS mitigation service, then you should invest in the likes of Arbor. The Arbor Fingerprint Sharing Alliance is a big-time value-add and their support organization (including ArborSERT) is top-notch. In addition to good marketing, there are sound technical reasons why Arbor is found in the mitigation stacks of most top-tier service providers.

Whatever on-premise mitigation solution you implement, I also strongly recommend forming a commercial alliance with a dedicated mitigation service provider (e.g. Prolexic, Verisign, DOSarrest) so that you have a contingency plan for when the attacks get too big/sophisticated to effectively mitigate without affecting your infrastructure and your ability to meet SLAs to other customers. When sh*t hits the fan, it is good to be able to get the targeted /24 off your transit/peering links. Lastly, successful mitigation requires that you have an excellent relationship, along with a well-rehearsed playbook (e.g. for ACL and null-routing), in place with all your transit/peering links.