Damballa CSP for Service Providers


Subscribers are using an increasing number of Internet-connected devices (5.7 devices per household in the US[1]). While Anti-Virus provides basic protection, it is not 100% effective against the newest threats and cannot be used on smart devices for home automation and wearables. However, all of these devices are connected to the Internet. This presents Service Providers (Internet and Wireless) with a strategic opportunity to provide security for their subscribers.

Damballa’s CSP solution enables Service Providers to proactively notify subscribers when they are infected with malware. This solution can be packaged with other security products to increase ROI yield and create new revenue opportunities for transactional or subscription-based prevention and remediation offers.


Despite having limited control over endpoints, Service Providers can be held accountable if their subscribers’ devices are used to perform DDoS attacks, port scanning, spamming, hosting phishing sites and more. The range of unaddressed threats facing CSPs can impact their operation and credibility in various ways, such as:

  • Degraded subscriber experience
  • Fraudulent data and SMS usage charges due to excessive traffic from malicious infections
  • Lost goodwill and damaged subscriber relationships
  • Increased costs of subscriber service operations
  • Regulatory and industry peer pressure
  • Subjection of the Provider to subpoenas for subscriber information




Damballa CSP is specifically designed to identify malicious activity originating from PC, tablet or mobile devices. The solution sits out-of-band and monitors DNS requests (non-Personally Identifiable Information (PII) traffic) from subscribers’ IP addresses, identifying which are infected with malware.

Damballa CSP passively monitors extremely large networks with a lightweight, highly scalable solution; this ease of deployment quickly delivers value to the Service Provider and subscribers. Further, because it works out-of-band, Damballa CSP won’t impede network performance and remains undetectable by the criminal entities trying to evade detection.



Damballa CSP gives service providers the ability to:

  • Discover infected subscribers by monitoring malware communication
  • Notify subscribers of infections and the risk it may cause
  • Offer termination of malicious traffic
  • Provide walled garden services
  • Monitor millions of subscribers with a single 1U Sensor
  • Provide “Opt-In” security services
  • Improve Subscriber Internet performance by eliminating fraudulent activity
  • Address subscriber/regulator concerns
  • Provide a differentiated service over competitors
  • Eliminate fraudulent activity that results in excessive data usage charges for subscribers
  • Reduce calls to customer care involving fraudulent charges and activity


Whether an infected device is a smartphone, tablet, PC, or Mac, DNS-based detection offers the best opportunity for threat detection.

Damballa CSP resides within the service provider’s network monitoring DNS traffic. Damballa CSP sensors are located at strategic network locations to view SPAN’ed traffic between the subscriber and the service provider’s DNS servers or egress. Damballa CSP sensors monitor DNS traffic for queries indicative of advanced malware.

All malicious queries are captured and delivered to the Damballa CSP Management Console. The Damballa CSP Management Console aggregates and correlates the findings from the Damballa CSP sensors and generates reports about infections, which can be integrated with other service provider systems.


Upon seeing the infected subscriber’s DNS query, Damballa CSP can swiftly redirect the malware to communicate with an IP address controlled by the service provider instead of the criminal Command & Control (C&C) server. If the infected device can’t receive new instructions from the C&C server, the threat is neutralized. Meanwhile, the Service Provider can notify the subscriber and inform them about remediation options.


Damballa CSP is designed to work with large service providers’ special data management needs. All forensic evidence related to the malicious DNS queries from infected subscribers is aggregated and correlated for processing by service provider systems. These reports are provided either in JSON format for input into custom network systems or via a syslog output for SIEMs. Forensic evidence includes the subscriber’s IP address, timestamp of each malicious query, queried domain, threat name / industry name, and information about the malware. Reporting also includes pre-formatted executive and management level reports and trending reports.
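The three steps described above (sensor matching DNS queries against known malicious domains, the sinkhole response that replaces the C&C address, and the console that correlates hits per subscriber IP into JSON and syslog records with the forensic fields listed) can be sketched in a few dozen lines. The following is an added illustration, not Damballa’s own code; the domain names, threat names, subscriber addresses, sinkhole address and log lines are all constructed for the example, and the log format is an assumed one-line-per-query layout rather than any real sensor format.

```python
"""Added example (not Damballa code): a minimal model of DNS-based
detection, sinkholing and reporting as the page describes it.
Domains, IPs, threat names and log lines are constructed values."""
import json

# Constructed threat list: queried domain -> threat name (hypothetical)
THREAT_DOMAINS = {
    "cnc.example-bad.test": "ExampleBot",
    "update.evil-c2.test": "SampleRAT",
}

# Provider-controlled sinkhole address (TEST-NET-1 placeholder, not real)
SINKHOLE_IP = "192.0.2.10"

# Constructed passive-DNS log lines as a SPAN-fed sensor might see them:
# "<ISO timestamp> <subscriber IP> <queried name> <query type>"
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 203.0.113.5 www.example.com A
2024-05-01T10:00:03Z 203.0.113.5 cnc.example-bad.test A
2024-05-01T10:00:07Z 203.0.113.9 update.evil-c2.test A
2024-05-01T10:00:09Z 203.0.113.9 mail.example.net MX
"""


def parse_line(line):
    """Split one constructed log line into its fields; names are normalised
    so 'CNC.Example-Bad.test.' matches the threat list entry."""
    ts, src_ip, qname, qtype = line.split()
    return {"timestamp": ts, "subscriber_ip": src_ip,
            "domain": qname.lower().rstrip("."), "qtype": qtype}


def detect(log_text):
    """Sensor step: keep only queries for known malicious domains and
    attach the threat name to each hit."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        threat = THREAT_DOMAINS.get(rec["domain"])
        if threat:
            rec["threat_name"] = threat
            hits.append(rec)
    return hits


def sinkhole_answer(hit):
    """Sinkhole step: the answer handed to the infected device instead of
    the real C&C address, so the malware talks to the provider's host."""
    return {"qname": hit["domain"], "rdata": SINKHOLE_IP, "ttl": 60}


def correlate(hits):
    """Console step: aggregate hits per subscriber IP address."""
    by_ip = {}
    for h in hits:
        entry = by_ip.setdefault(h["subscriber_ip"], {
            "subscriber_ip": h["subscriber_ip"], "threats": set(), "queries": []})
        entry["threats"].add(h["threat_name"])
        entry["queries"].append({"timestamp": h["timestamp"],
                                 "domain": h["domain"],
                                 "threat_name": h["threat_name"]})
    for entry in by_ip.values():
        entry["threats"] = sorted(entry["threats"])  # sets are not JSON-serialisable
    return by_ip


def to_json(report):
    """JSON output for custom provider systems."""
    return json.dumps(report, sort_keys=True)


def to_syslog(hit, host="csp-console"):
    """RFC 5424-style line for a SIEM; PRI 14 = facility user(1), severity info(6)."""
    return (f'<14>1 {hit["timestamp"]} {host} damballa-csp - INFECTION '
            f'[infection ip="{hit["subscriber_ip"]}" domain="{hit["domain"]}" '
            f'threat="{hit["threat_name"]}"]')


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for h in found:
        print(to_syslog(h))
        print("sinkhole:", sinkhole_answer(h))
    print(to_json(correlate(found)))
```

Only the query name, source address and timestamp are consumed, which is what lets the page describe the traffic as non-PII; the benign queries in the sample never leave the sensor step.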


Damballa has been a leader in advanced threat protection since 2006. The company was founded by data scientists and threat researchers who knew that threat actors always have the first move and can out-maneuver any prevention control given the time and motivation. Today, Damballa’s solution is based on eight years of visibility into massive data sets and the knowledge gained from machine learning systems. Our unequalled daily visibility includes:

  • Up to one billion devices worldwide
  • 55% of North American Internet DNS traffic
  • Over 33% of North American mobile DNS traffic
  • 22.5 Billion records of passive DNS daily


Damballa empowers Service Providers to proactively alert their subscribers when they are at risk, creating an opportunity to build trust through valuable remediation, education and preventative solutions.

  • Sits out-of-band and monitors DNS traffic
  • No Personally Identifiable Information (PII) monitored
  • ‘Light-weight’ sensor monitors millions of subscribers
  • Undetectable by threat actors
  • Zero impact to network performance
  • Automatically detects compromised subscriber IP addresses and terminates criminal communications
  • Captures malicious queries and correlates findings to generate infection reports
  • Integrates with SIEMs, other logging systems and remediation tools
  • Enables subscriber notification (email, in-browser, walled gardens, etc.)
  • Enables remediation
  • Delivers threat intelligence to the security team