Today, Incapsula, one of Imperva’s companies focused on cloud application delivery and security, announced two significant extensions of their DDoS mitigation capability.
- DNS Protection - New anti-DDoS service that safeguards DNS servers, while also accelerating DNS responses.
- Infrastructure Protection - New BGP-enabled solution that can provide DDoS protection to entire subnets, prevent direct-to-origin attacks, and protect FTP servers, email servers, and other crucial infrastructure elements.
The underlying technology powering these services is Incapsula’s custom-built scrubbing hardware (codenamed “Behemoth”) that can process 170Gbps worth of traffic, performing deep packet inspection, filtering, tunneling, and routing.
Igal Zeifman of Incapsula goes into more detail on the Incapsula blog.
Neither of these on its own is an industry first. What’s interesting here is the combination of the two with Incapsula’s DNS-based cloud solution, layer 7 DDoS mitigation, and Imperva’s on-premise web application firewall. That combination represents by far the most comprehensive DDoS mitigation offering to thwart the largest and most sophisticated DDoS attacks.
Some context around “most comprehensive”
There have been two recent acquisitions (Akamai/Prolexic and F5/Defense.Net) in the space, both claiming some form of “most comprehensive.” But the first is limited to cloud-based deployment only, and while the second does combine cloud with on-premise, the cloud solution lacks sophisticated layer 7 capabilities.
These days, DDoS attacks often resemble APT attacks in that attackers adjust their tactics as mitigation steps are taken, often combining DoS attacks with other application-level attacks. In these cases, a defense-in-depth approach is required to keep all bases covered as the attacker changes tactics. This should include keeping most of the attack traffic away from your networks and infrastructure via the cloud. But as the attack becomes more application-specific and starts to include business logic attacks, you need to have the traditional WAF tools in place to detect and block them.