Thunder TPS

The Thunder TPS Series product line provides many features to detect and mitigate multi-vector DDoS attacks with unprecedented performance scalability and deployment flexibility.

Multi-Level DDoS Protection For Service Availability:

A10's Thunder TPS Series is able to detect and mitigate a broad level of attacks, even if multiple attacks hit the network simultaneously.

Multi-vector attack protection: Service availability is realized by detecting and mitigating DDoS attacks of many types, whether they are pure volumetric, protocol or resource attacks, or even application-level attacks:
Volumetric attacks, such as DNS or NTP amplification attacks, are aimed to flood and saturate a victim’s Internet connection, thus rendering services unavailable. Thunder TPS offers a variety of authentication techniques, amplification and flood attack mitigation, and filter spoofed traffic or apply highly granular, multi-protocol rate limiting to prevent sudden surges of illegitimate traffic to overwhelm network and server resources. It is possible to apply limits per connection, defined by bandwidth or packet rate.
Protocol attacks, such SYN floods, ping of death, and IP anomalies, are aimed at exhausting a victim’s protocol stack so it cannot respond to legitimate traffic. Thunder TPS detects and mitigates over 50 anomaly attacks in hardware to stop them before the system CPUs have to be involved. For example, SYN requests can be validated, or other features to manage out of sequence segments, TCP/UDP port scanning and many more are available.
Application attacks such as slowloris, HTTP GET flood or SSL-based attacks are specifically exploiting a weakness in an application’s function or trying to make it unavailable. Thunder TPS provides many application checks and request rate limit control. With A10’s programmatic aFleX feature, Thunder TPS is able to perform deep packet inspection (DPI) on incoming packets and take defined actions to protect the application. For example, the system can enforce limits on various DNS query types, or apply security checks in many portions of the HTTP header.

High Performance To Meet Growing Attack Scale:

Over the last few years, DDoS attacks have rapidly proliferated in terms of bandwidth (Gbps) and packets per second (PPS). Thunder TPS can leverage high-performance, specialized hardware as well as the latest, most powerful Intel Xeon CPUs to mitigate the largest and most sophisticated attacks.

  • High performance platform: With mitigation throughput capacity ranging from 10 to 155 Gbps (or 1.2 Tbps in a list synchronization cluster) ensures that the largest DDoS attacks can be handled effectively. Select Thunder TPS models are equipped with high-performance FPGA-based FTA technology to detect and mitigate over 50 common attack vectors immediately, before the data CPUs are involved. SYN cookies can be generated to validate client connection requests, at a rate of up to 223 Mpps. The Security and Policy Engine (SPE) hardware enforces highly granular traffic rates; as fine as 100 ms interval. SSL security processors are leveraged for detecting and mitigating SSL-based attacks, including the recent POODLE vulnerability. More complex application-layer (L7) attacks (HTTP, DNS, etc.) are processed by the latest Intel Xeon CPUs, so that high-performance system scaling is maintained even for multi-vector attacks. Network connectivity is provided with 1, 10 and 40 Gbps interfaces.
  • Large threat intelligence class lists: Eight individual lists, each containing up to 16 million list entries, can be defined. This allows a user to utilize data from IP reputation databases, in addition to the dynamically generated entries of black/white lists.
  • Simultaneous protected objects: To protect entire networks with many connected users and services, the Thunder TPS Series is able to simultaneously monitor 64,000 hosts or subnets.

    Flexibility For Customization And Broad Network Integration:

For network operators, it is critical that a DDoS mitigation solution can easily be inserted into the existing network architecture, so that the network remains prepared for imminent DDoS threats.

  • Programmatic Policy Engine: a fully programmable centralized configuration and management engine along with access to system states and statistics to simplify enforcement of advanced application and security policies. The detection and mitigation capabilities are extremely customizable, using the aFleX TCL-based language, or regular expression (regex) and Berkeley Packet Filter (BPF) for high-speed pattern matching in policies.
  • Easy network integration: With multiple performance options and flexible deployment models including MPLS inspection, Thunder TPS can be integrated into any network architecture, of any size. And, with aXAPI, our RESTful API, Thunder TPS can easily be integrated into third-party detection solutions. The common event format (CEF) open log management standard, increases cross-platform support.

The unprecedented capacity of Thunder TPS allows a device to be deployed in inline mode and out-of-band mode simultaneously. In this deployment model, the Thunder TPS unit can analyze traffic from other network segments and apply this knowledge to its configuration

Network and Telecom Equipment


Network and Telecom Equipment


A10 Thunder CGN provides many advanced features for enterprises and carriers to extend IPv4 connectivity and to transition to IPv6 Internet connectivity. As network addressing and IPv6 transition architectures can vary greatly across and within an organization, customers need a solution that provides the broadest support for industry standards and addresses different address and protocol translation requirements simultaneously. The Thunder CGN product line provides a broad array of standards-compliant IPv4 extension and IPv6 transition technologies integrated within our high-performance, ACOS-based physical, virtual and hybrid appliances.


The Thunder CGN product line provides advanced CGNAT functions to easily mitigate IPv4 address exhaustion and extend the life of an IPv4 network infrastructure. There are many features available within our CGNAT solution to meet the needs for organizations that are looking into CGNAT.

Advanced CGNAT functions: CGNAT provides a standards-based mechanism to reclaim existing public IPv4 address space, using address and port translation. This allows for a network where private addresses inside the network are translated using a pool of public, routable IP addresses on the outside network. The ratio of private to public IP addresses can be high, resulting in a significant amount of reclaimed public IPv4 address space. Performing CGNAT for many simultaneous users requires large amounts of computing and memory resources to maintain user state information. The A10 Thunder CGN product line leverages the highly efficient ACOS platform architecture, which provides high-performance CGNAT scaling in very efficient form factors. The Thunder CGN product line provides support for up to 256 million concurrent sessions in a single RU form factor, as well as unprecedented session setup and teardown rates. Competing solutions require a large chassis product with multiple application blades to achieve similar performance.

Advanced logging features: Local governments often mandate that network operators be able to trace a user's connection details at a given moment in history, which can be complicated when scaling out large IPv4 CGNAT solutions. Thunder CGN offers many techniques to enhance the logging detail or reduce the volume of logs, in order to reduce logging infrastructure requirements. For example, there are log compression features that significantly reduce the amount of data needed to describe a log event. Deterministic or fixed Network Address Translation (NAT) makes it possible to virtually eliminate translation logs; the user details of a connection can easily be derived via a simple algorithm.


Since IPv6 is not backwards compatible with IPv4, various solutions are available to achieve full connectivity, regardless of source or destination IP protocol.

Prevalent protocol connectivity: Transition technologies such as Dual-Stack Lite (DS-Lite) allow network operators to run an IPv6-only access network, while IPv4-only devices can still connect to the Internet using softwires (also referred to as tunnels) through the IPv6-only infrastructure. Light Weight 4 over 6 (LW4o6) or IPv6 Rapid Deployment (6rd) provide similar behavior, allowing alternate IP versions access through the network.

Ensure IPv6 client access to IPv4 content: IPv6 was not built to be backward compatible with IPv4, complicating the deployment of IPv6 clients. NAT64/DNS64 solves this problem by allowing IPv6-only devices to access IPv4-only content, thus enabling clients to access the majority of the Internet today.

Interplay for phased transition: Networks often require different transition technologies to be deployed simultaneously. Thunder CGN products allow you to deploy each transition technology concurrently, for example starting with CGNAT to immediately mitigate IPv4 address exhaustion, and then phasing in NAT64/DNS64 to enable IPv6 clients to access the IPv4 Internet, when you are ready.


Even though the OSI network layer principle should ensure separation between the application and network behavior, this is not always the case. Many applications rely on network transport information to operate, which can lead to problems when just the network portion is translated. Connection reliability is also crucial for applications that need to be available at all times.

CGNAT transparency: Advanced CGNAT features such as Endpoint Independent Mapping (EIM) and hairpinning provide predictable NAT behavior, and a transparent end user experience. User quotas allow public IP port usage to be fairly distributed between end users, and that viruses and malware, for example, can't exhaust the resources for other users.

Application Layer Gateways (ALGs): For network operators, it is critical to ensure connectivity for all application services and users. ALGs within CGNAT ensure that protocols such as FTP, TFTP, RTSP, PPTP, SIP, ICMP, H.323 and DNS remain functional. Many legacy NAT implementations do not provide this level of transparency.

Stateful session synchronization (hitless failover): When deployed in HA mode, the A10 Thunder CGN units synchronize active sessions, so when a failover occurs, the sessions will be maintained and end users will not be aware that a failover has occurred. This prevents users from having to restart a large download, for example, and increases user satisfaction.

In addition, Thunder CGN appliances offer integrated distributed denial of service (DDoS) protection for CGN devices offering public facing services to prevent huge volumes of multi-vector DDoS attack traffic. Integrated DDoS features are available on all A10 Thunder CGN appliances and specialized Thunder SPE appliances, which leverages a hardware-assisted Security and Policy Engine (SPE) to enforce security policies at ultra-high speed. Together, these CGN software and hardware features ensure maximum uptime of network resources to process subscriber traffic.

Network and Telecom Equipment








6026 Jet Port Industrial Blvd.
Tampa, Florida 33634

295 Main St. Suite 123
Buffalo, New York 14203

130 E Kiowa St Ste 400
Colorado Springs 80903


   Toll-free Phone: (866) 305-8597
   Fax: (813) 673-8885